From 1038b08b844dc6ed7846dc717cf098f6b867bca5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 29 May 2024 15:00:20 +0000 Subject: [PATCH] Bump github.com/sigstore/sigstore/pkg/signature/kms/aws Bumps [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) from 1.8.3 to 1.8.4. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.3...v1.8.4) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] --- go.mod | 28 +- go.sum | 56 +- .../aws-sdk-go-v2/aws/go_module_metadata.go | 2 +- .../aws/middleware/private/metrics/metrics.go | 5 +- .../aws-sdk-go-v2/aws/signer/v4/middleware.go | 29 - .../aws/aws-sdk-go-v2/aws/signer/v4/v4.go | 55 +- .../aws/aws-sdk-go-v2/config/CHANGELOG.md | 28 + .../config/go_module_metadata.go | 2 +- .../aws-sdk-go-v2/credentials/CHANGELOG.md | 28 + .../credentials/go_module_metadata.go | 2 +- .../feature/ec2/imds/CHANGELOG.md | 12 + .../feature/ec2/imds/go_module_metadata.go | 2 +- .../internal/configsources/CHANGELOG.md | 12 + .../configsources/go_module_metadata.go | 2 +- .../internal/endpoints/v2/CHANGELOG.md | 12 + .../endpoints/v2/go_module_metadata.go | 2 +- .../internal/accept-encoding/CHANGELOG.md | 4 + .../accept-encoding/go_module_metadata.go | 2 +- .../internal/presigned-url/CHANGELOG.md | 12 + .../presigned-url/go_module_metadata.go | 2 +- .../aws-sdk-go-v2/service/kms/CHANGELOG.md | 28 + .../service/kms/api_op_CancelKeyDeletion.go | 52 +- .../kms/api_op_ConnectCustomKeyStore.go | 145 +++-- .../service/kms/api_op_CreateAlias.go | 131 ++-- .../kms/api_op_CreateCustomKeyStore.go | 291 +++++---- .../service/kms/api_op_CreateGrant.go | 271 ++++---- .../service/kms/api_op_CreateKey.go | 590 +++++++++++------- .../service/kms/api_op_Decrypt.go | 242 ++++--- .../service/kms/api_op_DeleteAlias.go | 61 +- .../kms/api_op_DeleteCustomKeyStore.go | 96 +-- .../kms/api_op_DeleteImportedKeyMaterial.go | 51 +- .../kms/api_op_DescribeCustomKeyStores.go | 99 +-- .../service/kms/api_op_DescribeKey.go | 132 ++-- .../service/kms/api_op_DisableKey.go | 47 +- .../service/kms/api_op_DisableKeyRotation.go | 90 ++- .../kms/api_op_DisconnectCustomKeyStore.go | 76 ++- .../service/kms/api_op_EnableKey.go | 39 +- .../service/kms/api_op_EnableKeyRotation.go | 140 +++-- .../service/kms/api_op_Encrypt.go | 183 ++++-- .../service/kms/api_op_GenerateDataKey.go | 269 ++++---- .../service/kms/api_op_GenerateDataKeyPair.go | 273 
++++---- ..._op_GenerateDataKeyPairWithoutPlaintext.go | 172 +++-- .../api_op_GenerateDataKeyWithoutPlaintext.go | 185 +++--- .../service/kms/api_op_GenerateMac.go | 111 ++-- .../service/kms/api_op_GenerateRandom.go | 119 ++-- .../service/kms/api_op_GetKeyPolicy.go | 34 +- .../kms/api_op_GetKeyRotationStatus.go | 120 +++- .../kms/api_op_GetParametersForImport.go | 187 ++++-- .../service/kms/api_op_GetPublicKey.go | 161 +++-- .../service/kms/api_op_ImportKeyMaterial.go | 218 ++++--- .../service/kms/api_op_ListAliases.go | 88 ++- .../service/kms/api_op_ListGrants.go | 82 ++- .../service/kms/api_op_ListKeyPolicies.go | 59 +- .../service/kms/api_op_ListKeyRotations.go | 294 +++++++++ .../service/kms/api_op_ListKeys.go | 45 +- .../service/kms/api_op_ListResourceTags.go | 89 ++- .../service/kms/api_op_ListRetirableGrants.go | 85 ++- .../service/kms/api_op_PutKeyPolicy.go | 100 ++- .../service/kms/api_op_ReEncrypt.go | 270 +++++--- .../service/kms/api_op_ReplicateKey.go | 301 +++++---- .../service/kms/api_op_RetireGrant.go | 88 ++- .../service/kms/api_op_RevokeGrant.go | 78 ++- .../service/kms/api_op_RotateKeyOnDemand.go | 216 +++++++ .../service/kms/api_op_ScheduleKeyDeletion.go | 156 +++-- .../aws-sdk-go-v2/service/kms/api_op_Sign.go | 190 +++--- .../service/kms/api_op_TagResource.go | 103 +-- .../service/kms/api_op_UntagResource.go | 76 ++- .../service/kms/api_op_UpdateAlias.go | 112 ++-- .../kms/api_op_UpdateCustomKeyStore.go | 238 ++++--- .../kms/api_op_UpdateKeyDescription.go | 51 +- .../service/kms/api_op_UpdatePrimaryRegion.go | 134 ++-- .../service/kms/api_op_Verify.go | 164 +++-- .../service/kms/api_op_VerifyMac.go | 94 +-- .../service/kms/deserializers.go | 584 +++++++++++++++++ .../aws/aws-sdk-go-v2/service/kms/doc.go | 137 ++-- .../aws-sdk-go-v2/service/kms/generated.json | 2 + .../service/kms/go_module_metadata.go | 2 +- .../aws/aws-sdk-go-v2/service/kms/options.go | 31 +- .../aws-sdk-go-v2/service/kms/serializers.go | 149 +++++ 
.../aws-sdk-go-v2/service/kms/types/enums.go | 129 ++-- .../aws-sdk-go-v2/service/kms/types/errors.go | 249 +++++--- .../aws-sdk-go-v2/service/kms/types/types.go | 411 +++++++----- .../aws-sdk-go-v2/service/kms/validators.go | 78 +++ .../aws-sdk-go-v2/service/sso/CHANGELOG.md | 24 + .../service/sso/api_op_GetRoleCredentials.go | 7 +- .../service/sso/api_op_ListAccountRoles.go | 7 +- .../service/sso/api_op_ListAccounts.go | 14 +- .../service/sso/api_op_Logout.go | 31 +- .../service/sso/deserializers.go | 10 + .../aws/aws-sdk-go-v2/service/sso/doc.go | 22 +- .../service/sso/go_module_metadata.go | 2 +- .../sso/internal/endpoints/endpoints.go | 16 + .../aws/aws-sdk-go-v2/service/sso/options.go | 31 +- .../aws-sdk-go-v2/service/sso/types/types.go | 20 +- .../service/ssooidc/CHANGELOG.md | 24 + .../service/ssooidc/api_op_CreateToken.go | 56 +- .../ssooidc/api_op_CreateTokenWithIAM.go | 63 +- .../service/ssooidc/api_op_RegisterClient.go | 19 + .../api_op_StartDeviceAuthorization.go | 11 +- .../service/ssooidc/deserializers.go | 101 +++ .../aws/aws-sdk-go-v2/service/ssooidc/doc.go | 40 +- .../service/ssooidc/go_module_metadata.go | 2 +- .../ssooidc/internal/endpoints/endpoints.go | 16 + .../aws-sdk-go-v2/service/ssooidc/options.go | 31 +- .../service/ssooidc/serializers.go | 56 ++ .../service/ssooidc/types/errors.go | 32 +- .../aws-sdk-go-v2/service/sts/CHANGELOG.md | 20 + .../service/sts/api_op_AssumeRole.go | 451 +++++++------ .../service/sts/api_op_AssumeRoleWithSAML.go | 367 ++++++----- .../sts/api_op_AssumeRoleWithWebIdentity.go | 381 ++++++----- .../sts/api_op_DecodeAuthorizationMessage.go | 45 +- .../service/sts/api_op_GetAccessKeyInfo.go | 49 +- .../service/sts/api_op_GetCallerIdentity.go | 26 +- .../service/sts/api_op_GetFederationToken.go | 309 +++++---- .../service/sts/api_op_GetSessionToken.go | 104 +-- .../service/sts/deserializers.go | 9 + .../aws/aws-sdk-go-v2/service/sts/doc.go | 12 +- .../service/sts/go_module_metadata.go | 2 +- 
.../aws/aws-sdk-go-v2/service/sts/options.go | 31 +- .../aws-sdk-go-v2/service/sts/types/errors.go | 26 +- .../aws-sdk-go-v2/service/sts/types/types.go | 50 +- vendor/github.com/aws/smithy-go/CHANGELOG.md | 4 + .../aws/smithy-go/go_module_metadata.go | 2 +- vendor/modules.txt | 30 +- 124 files changed, 8283 insertions(+), 4065 deletions(-) create mode 100644 vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListKeyRotations.go create mode 100644 vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_RotateKeyOnDemand.go
diff --git a/go.mod b/go.mod
index 3d7d178c50c..02c76bbfebd 100644
--- a/go.mod
+++ b/go.mod
@@ -52,7 +52,7 @@ require (
  github.com/google/cel-go v0.20.1
  github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20240108195214-a0658aa1d0cc
  github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240108195214-a0658aa1d0cc
- github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3
+ github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.4
  github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3
  github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3
  github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.3
@@ -88,9 +88,9 @@ require (
  github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 // indirect
  github.com/Microsoft/hcsshim v0.11.5 // indirect
  github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect
- github.com/aws/aws-sdk-go-v2/service/kms v1.30.0 // indirect
- github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/kms v1.32.1 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.3 // indirect
  github.com/cenkalti/backoff/v3 v3.2.2 // indirect
  github.com/cenkalti/backoff/v4 v4.3.0 // indirect
  github.com/cloudflare/circl v1.3.7 // indirect
@@ -158,19 +158,19 @@ require (
  github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
  github.com/Azure/go-autorest/logger v0.2.1 // indirect
  github.com/Azure/go-autorest/tracing v0.6.0 // indirect
- github.com/aws/aws-sdk-go-v2 v1.26.0 // indirect
- github.com/aws/aws-sdk-go-v2/config v1.27.9 // indirect
- github.com/aws/aws-sdk-go-v2/credentials v1.17.9 // indirect
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.27.0 // indirect
+ github.com/aws/aws-sdk-go-v2/config v1.27.16 // indirect
+ github.com/aws/aws-sdk-go-v2/credentials v1.17.16 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7 // indirect
  github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
  github.com/aws/aws-sdk-go-v2/service/ecr v1.18.11 // indirect
  github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.16.2 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 // indirect
- github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 // indirect
- github.com/aws/smithy-go v1.20.1 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.20.9 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sts v1.28.10 // indirect
+ github.com/aws/smithy-go v1.20.2 // indirect
  github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20230510185313-f5e39e5f34c7 // indirect
  github.com/beorn7/perks v1.0.1 // indirect
  github.com/blang/semver/v4 v4.0.0 // indirect
diff --git a/go.sum b/go.sum
index e58220ecc33..7f3048bb07e 100644
--- a/go.sum
+++ b/go.sum
@@ -719,26 +719,29 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
-github.com/aws/aws-sdk-go v1.51.6 h1:Ld36dn9r7P9IjU8WZSaswQ8Y/XUCRpewim5980DwYiU=
-github.com/aws/aws-sdk-go v1.51.6/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
+github.com/aws/aws-sdk-go v1.53.10 h1:3enP5l5WtezT9Ql+XZqs56JBf5YUd/FEzTCg///OIGY=
+github.com/aws/aws-sdk-go v1.53.10/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
-github.com/aws/aws-sdk-go-v2 v1.26.0 h1:/Ce4OCiM3EkpW7Y+xUnfAFpchU78K7/Ug01sZni9PgA=
 github.com/aws/aws-sdk-go-v2 v1.26.0/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I=
+github.com/aws/aws-sdk-go-v2 v1.27.0 h1:7bZWKoXhzI+mMR/HjdMx8ZCC5+6fY0lS5tr0bbgiLlo=
+github.com/aws/aws-sdk-go-v2 v1.27.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
 github.com/aws/aws-sdk-go-v2/config v1.18.25/go.mod h1:dZnYpD5wTW/dQF0rRNLVypB396zWCcPiBIvdvSWHEg4=
-github.com/aws/aws-sdk-go-v2/config v1.27.9 h1:gRx/NwpNEFSk+yQlgmk1bmxxvQ5TyJ76CWXs9XScTqg=
-github.com/aws/aws-sdk-go-v2/config v1.27.9/go.mod h1:dK1FQfpwpql83kbD873E9vz4FyAxuJtR22wzoXn3qq0=
+github.com/aws/aws-sdk-go-v2/config v1.27.16 h1:knpCuH7laFVGYTNd99Ns5t+8PuRjDn4HnnZK48csipM=
+github.com/aws/aws-sdk-go-v2/config v1.27.16/go.mod h1:vutqgRhDUktwSge3hrC3nkuirzkJ4E/mLj5GvI0BQas=
 github.com/aws/aws-sdk-go-v2/credentials v1.13.24/go.mod h1:jYPYi99wUOPIFi0rhiOvXeSEReVOzBqFNOX5bXYoG2o=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.9 h1:N8s0/7yW+h8qR8WaRlPQeJ6czVMNQVNtNdUqf6cItao=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.9/go.mod h1:446YhIdmSV0Jf/SLafGZalQo+xr2iw7/fzXGDPTU1yQ=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.16 h1:7d2QxY83uYl0l58ceyiSpxg9bSbStqBC6BeEeHEchwo=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.16/go.mod h1:Ae6li/6Yc6eMzysRL2BXlPYvnrLLBg3D11/AmOjw50k=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.3/go.mod h1:4Q0UFP0YJf0NrsEuEYHpM9fTSEVnD16Z3uyEF7J9JGM=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 h1:af5YzcLf80tv4Em4jWVD75lpnOHSBkPUZxZfGkrI3HI=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0/go.mod h1:nQ3how7DMnFMWiU1SpECohgC82fpn4cKZ875NDMmwtA=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3 h1:dQLK4TjtnlRGb0czOht2CevZ5l6RSyRWAnKeGd7VAFE=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3/go.mod h1:TL79f2P6+8Q7dTsILpiVST+AL9lkF6PPGI167Ny0Cjw=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33/go.mod h1:7i0PF1ME/2eUPFcjkVIwq+DOygHEoK92t5cDqNgYbIw=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 h1:0ScVK/4qZ8CIW0k8jOeFVsyS/sAiXpYxRBLolMkuLQM=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4/go.mod h1:84KyjNZdHC6QZW08nfHI6yZgPd+qRgaWcYsyLUo3QY8=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7 h1:lf/8VTF2cM+N4SLzaYJERKEWAXq8MOMpZfU6wEPWsPk=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7/go.mod h1:4SjkU7QiqK2M9oozyMzfZ/23LmUY+h3oFqhdeP5OMiI=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27/go.mod h1:UrHnn3QV/d0pBZ6QBAEQcqFLf8FAzLmoUfPVIueOvoM=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 h1:sHmMWWX5E7guWEFQ9SVo6A3S4xpPrWnd77a6y4WM6PU=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4/go.mod h1:WjpDrhWisWOIoS9n3nk67A3Ll1vfULJ9Kq6h29HTD48=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7 h1:4OYVp0705xu8yjdyoWix0r9wPIRXnIzzOoUpQVHIJ/g=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7/go.mod h1:vd7ESTEvI76T2Na050gODNmNU7+OyKrIKroYTu4ABiI=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34/go.mod h1:Etz2dj6UHYuw+Xw830KfzCfWGMzqvUTCjUj5b76GVDc=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
@@ -746,25 +749,26 @@ github.com/aws/aws-sdk-go-v2/service/ecr v1.27.3 h1:gfgt0D8MGL3gHrJPEv4rcWptA4Nz
 github.com/aws/aws-sdk-go-v2/service/ecr v1.27.3/go.mod h1:O5Fvd41s5KfDG093xLM7FhGiH6EmhmEli5D5MQH3TWw=
 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.3 h1:gaq/4fd2/bQeJ33m4csgL7DJHrrmvGhqnrsxchNr46c=
 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.3/go.mod h1:vn+Rz9fAFGJtDXbBmYdTc71Q8iF/W/uK1/ec93hinD8=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1/go.mod h1:JKpmtYhhPs7D97NL/ltqz7yCkERFW5dOlHyVl66ZYF8=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27/go.mod h1:EOwBD4J4S5qYszS5/3DpkejfuK+Z5/1uzICfPaZLtqw=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 h1:b+E7zIUHMmcB4Dckjpkapoy47W6C9QBv/zoUP+Hn8Kc=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6/go.mod h1:S2fNV0rxrP78NhPbCZeQgY8H9jdDMeGtwcfZIRxzBqU=
-github.com/aws/aws-sdk-go-v2/service/kms v1.30.0 h1:yS0JkEdV6h9JOo8sy2JSpjX+i7vsKifU8SIeHrqiDhU=
-github.com/aws/aws-sdk-go-v2/service/kms v1.30.0/go.mod h1:+I8VUUSVD4p5ISQtzpgSva4I8cJ4SQ4b1dcBcof7O+g=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9 h1:Wx0rlZoEJR7JwlSZcHnEa7CNjrSIyVxMFWGAaXy4fJY=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9/go.mod h1:aVMHdE0aHO3v+f/iw01fmXV/5DbfQ3Bi9nN7nd9bE9Y=
+github.com/aws/aws-sdk-go-v2/service/kms v1.32.1 h1:FARrQLRQXpCFYylIUVF1dRij6YbPCmtwudq9NBk4kFc=
+github.com/aws/aws-sdk-go-v2/service/kms v1.32.1/go.mod h1:8lETO9lelSG2B6KMXFh2OwPPqGV6WQM3RqLAEjP1xaU=
 github.com/aws/aws-sdk-go-v2/service/sso v1.12.10/go.mod h1:ouy2P4z6sJN70fR3ka3wD3Ro3KezSxU6eKGQI2+2fjI=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 h1:mnbuWHOcM70/OFUlZZ5rcdfA8PflGXXiefU/O+1S3+8=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.3/go.mod h1:5HFu51Elk+4oRBZVxmHrSds5jFXmFj8C3w7DVF2gnrs=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.9 h1:aD7AGQhvPuAxlSUfo0CWU7s6FpkbyykMhGYMvlqTjVs=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.9/go.mod h1:c1qtZUWtygI6ZdvKppzCSXsDOq5I4luJPZ0Ud3juFCA=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.10/go.mod h1:AFvkxc8xfBe8XA+5St5XIHHrQQtkxqrRincx4hmMHOk=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 h1:uLq0BKatTmDzWa/Nu4WO0M1AaQDaPpwTKAeByEc6WFM=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3/go.mod h1:b+qdhjnxj8GSR6t5YfphOffeoQSQ1KmpoVVuBn+PWxs=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.3 h1:Pav5q3cA260Zqez42T9UhIlsd9QeypszRPwC9LdSSsQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.3/go.mod h1:9lmoVDVLz/yUZwLaQ676TK02fhCu4+PgRSmMaKR1ozk=
 github.com/aws/aws-sdk-go-v2/service/sts v1.19.0/go.mod h1:BgQOMsg8av8jset59jelyPW7NoZcZXLVpDsXunGDrk8=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 h1:J/PpTf/hllOjx8Xu9DMflff3FajfLxqM5+tepvVXmxg=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.5/go.mod h1:0ih0Z83YDH/QeQ6Ori2yGE2XvWYv/Xm+cZc01LC6oK0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.10 h1:69tpbPED7jKPyzMcrwSvhWcJ9bPnZsZs18NT40JwM0g=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.10/go.mod h1:0Aqn1MnEuitqfsCNyKsdKLhDUOr4txD/g19EfiUqgws=
 github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
-github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw=
 github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
+github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
+github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20230510185313-f5e39e5f34c7 h1:G5IT+PEpFY0CDb3oITDP9tkmLrHkVD8Ny+elUmBqVYI=
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20230510185313-f5e39e5f34c7/go.mod h1:VVALgT1UESBh91dY0GprHnT1Z7mKd96VDk8qVy+bmu0=
 github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -1696,8 +1700,8 @@ github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f/go.mod h1:AuYgA5K
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sigstore/sigstore v1.8.4 h1:g4ICNpiENFnWxjmBzBDWUn62rNFeny/P77HUC8da32w=
 github.com/sigstore/sigstore v1.8.4/go.mod h1:1jIKtkTFEeISen7en+ZPWdDHazqhxco/+v9CNjc7oNg=
-github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 h1:LTfPadUAo+PDRUbbdqbeSl2OuoFQwUFTnJ4stu+nwWw=
-github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3/go.mod h1:QV/Lxlxm0POyhfyBtIbTWxNeF18clMlkkyL9mu45y18=
+github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.4 h1:okxaVlaTrQowE1FA4UQ3rw54f7BUjdnzERIxbZTBZuc=
+github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.4/go.mod h1:jkcPErmnCECuSJajUaUq5pwCMOeBF19VzQo6bv4l1D0=
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3 h1:xgbPRCr2npmmsuVVteJqi/ERw9+I13Wou7kq0Yk4D8g=
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3/go.mod h1:G4+I83FILPX6MtnoaUdmv/bRGEVtR3JdLeJa/kXdk/0=
 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3 h1:vDl2fqPT0h3D/k6NZPlqnKFd1tz3335wm39qjvpZNJc=
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
index 847cc51a981..e648346be72 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
@@ -3,4 +3,4 @@
 package aws
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.26.0"
+const goModuleVersion = "1.27.0"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics/metrics.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics/metrics.go
index b0133f4c88d..19d6107c461 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics/metrics.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics/metrics.go
@@ -112,6 +112,8 @@ type MetricData struct {
  ResolveEndpointStartTime time.Time
  ResolveEndpointEndTime time.Time
  EndpointResolutionDuration time.Duration
+ GetIdentityStartTime time.Time
+ GetIdentityEndTime time.Time
  InThroughput float64
  OutThroughput float64
  RetryCount int
@@ -122,6 +124,7 @@ type MetricData struct {
  OperationName string
  PartitionID string
  Region string
+ UserAgent string
  RequestContentLength int64
  Stream StreamMetrics
  Attempts []AttemptMetrics
@@ -144,8 +147,6 @@ type AttemptMetrics struct {
  ConnRequestedTime time.Time
  ConnObtainedTime time.Time
  ConcurrencyAcquireDuration time.Duration
- CredentialFetchStartTime time.Time
- CredentialFetchEndTime time.Time
  SignStartTime time.Time
  SignEndTime time.Time
  SigningDuration time.Duration
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/middleware.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/middleware.go
index febeb0482db..a9db6433de9 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/middleware.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/middleware.go
@@ -11,7 +11,6 @@ import (
 
  "github.com/aws/aws-sdk-go-v2/aws"
  awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
- "github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
  v4Internal "github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4"
  internalauth "github.com/aws/aws-sdk-go-v2/internal/auth"
  "github.com/aws/aws-sdk-go-v2/internal/sdk"
@@ -301,22 +300,7 @@ func (s *SignHTTPRequestMiddleware) HandleFinalize(ctx context.Context, in middl
  return out, metadata, &SigningError{Err: fmt.Errorf("computed payload hash missing from context")}
  }
 
- mctx := metrics.Context(ctx)
-
- if mctx != nil {
- if attempt, err := mctx.Data().LatestAttempt(); err == nil {
- attempt.CredentialFetchStartTime = sdk.NowTime()
- }
- }
-
  credentials, err := s.credentialsProvider.Retrieve(ctx)
-
- if mctx != nil {
- if attempt, err := mctx.Data().LatestAttempt(); err == nil {
- attempt.CredentialFetchEndTime = sdk.NowTime()
- }
- }
-
  if err != nil {
  return out, metadata, &SigningError{Err: fmt.Errorf("failed to retrieve credentials: %w", err)}
  }
@@ -337,20 +321,7 @@ func (s *SignHTTPRequestMiddleware) HandleFinalize(ctx context.Context, in middl
  })
  }
 
- if mctx != nil {
- if attempt, err := mctx.Data().LatestAttempt(); err == nil {
- attempt.SignStartTime = sdk.NowTime()
- }
- }
-
  err = s.signer.SignHTTP(ctx, credentials, req.Request, payloadHash, signingName, signingRegion, sdk.NowTime(), signerOptions...)
-
- if mctx != nil {
- if attempt, err := mctx.Data().LatestAttempt(); err == nil {
- attempt.SignEndTime = sdk.NowTime()
- }
- }
-
  if err != nil {
  return out, metadata, &SigningError{Err: fmt.Errorf("failed to sign http request, %w", err)}
  }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go
index bb61904e1d8..55dfd07ba87 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go
@@ -1,48 +1,41 @@
-// Package v4 implements signing for AWS V4 signer
+// Package v4 implements the AWS signature version 4 algorithm (commonly known
+// as SigV4).
 //
-// Provides request signing for request that need to be signed with
-// AWS V4 Signatures.
+// For more information about SigV4, see [Signing AWS API requests] in the IAM
+// user guide.
 //
-// # Standalone Signer
+// While this implementation CAN work in an external context, it is developed
+// primarily for SDK use and you may encounter fringe behaviors around header
+// canonicalization.
 //
-// Generally using the signer outside of the SDK should not require any additional
+// # Pre-escaping a request URI
 //
-// The signer does this by taking advantage of the URL.EscapedPath method. If your request URI requires
+// AWS v4 signature validation requires that the canonical string's URI path
+// component must be the escaped form of the HTTP request's path.
+//
+// The Go HTTP client will perform escaping automatically on the HTTP request.
+// This may cause signature validation errors because the request differs from
+// the URI path or query from which the signature was generated.
 //
-// additional escaping you many need to use the URL.Opaque to define what the raw URI should be sent
-// to the service as.
+// Because of this, we recommend that you explicitly escape the request when
+// using this signer outside of the SDK to prevent possible signature mismatch.
+// This can be done by setting URL.Opaque on the request. The signer will
+// prefer that value, falling back to the return of URL.EscapedPath if unset.
 //
-// The signer will first check the URL.Opaque field, and use its value if set.
-// The signer does require the URL.Opaque field to be set in the form of:
+// When setting URL.Opaque you must do so in the form of:
 //
 // "///"
 //
 // e.g.
 // "//example.com/some/path"
 //
-// The leading "//" and hostname are required or the URL.Opaque escaping will
-// not work correctly.
-//
-// If URL.Opaque is not set the signer will fallback to the URL.EscapedPath()
-// method and using the returned value.
-//
-// AWS v4 signature validation requires that the canonical string's URI path
-// element must be the URI escaped form of the HTTP request's path.
-// http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
-//
-// The Go HTTP client will perform escaping automatically on the request. Some
-// of these escaping may cause signature validation errors because the HTTP
-// request differs from the URI path or query that the signature was generated.
-// https://golang.org/pkg/net/url/#URL.EscapedPath
+// The leading "//" and hostname are required or the escaping will not work
+// correctly.
 //
-// Because of this, it is recommended that when using the signer outside of the
-// SDK that explicitly escaping the request prior to being signed is preferable,
-// and will help prevent signature validation errors. This can be done by setting
-// the URL.Opaque or URL.RawPath. The SDK will use URL.Opaque first and then
-// call URL.EscapedPath() if Opaque is not set.
+// The TestStandaloneSign unit test provides a complete example of using the
+// signer outside of the SDK and pre-escaping the URI path.
 //
-// Test `TestStandaloneSign` provides a complete example of using the signer
-// outside of the SDK and pre-escaping the URI path.
+// [Signing AWS API requests]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
 package v4
 
 import (
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md
index d5e6071fa24..20ce6ee8712 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md
@@ -1,3 +1,31 @@
+# v1.27.16 (2024-05-23)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.27.15 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.27.14 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.27.13 (2024-05-10)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.27.12 (2024-05-08)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.27.11 (2024-04-05)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.27.10 (2024-03-29)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.27.9 (2024-03-21)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go
index 00ee2049182..60d884c4f71 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go
@@ -3,4 +3,4 @@
 package config
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.27.9"
+const goModuleVersion = "1.27.16"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
index 399f0896975..d93b31f47a4 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
@@ -1,3 +1,31 @@
+# v1.17.16 (2024-05-23)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.15 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.14 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.13 (2024-05-10)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.12 (2024-05-08)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.11 (2024-04-05)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.10 (2024-03-29)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.17.9 (2024-03-21)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
index 2b4ff3895bd..91c40c6e709 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
@@ -3,4 +3,4 @@
 package credentials
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.17.9"
+const goModuleVersion = "1.17.16"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md
index e07fb5ca702..15f2dff92d5 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md
@@ -1,3 +1,15 @@ +# v1.16.3 (2024-05-16) + +* **Dependency Update**: Updated to the latest SDK module versions + +# v1.16.2 (2024-05-15) + +* **Dependency Update**: Updated to the latest SDK module versions + +# v1.16.1 (2024-03-29) + +* **Dependency Update**: Updated to the latest SDK module versions + # v1.16.0 (2024-03-21) * **Feature**: Add config switch `DisableDefaultTimeout` that allows you to disable the default operation timeout (5 seconds) for IMDS calls. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go index a44cd1b79fc..18c7d54f872 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go @@ -3,4 +3,4 @@ package imds // goModuleVersion is the tagged release for this module -const goModuleVersion = "1.16.0" +const goModuleVersion = "1.16.3" diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md index 86f5b137251..e5ab27663e7 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md +++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md @@ -1,3 +1,15 @@ +# v1.3.7 (2024-05-16) + +* **Dependency Update**: Updated to the latest SDK module versions + +# v1.3.6 (2024-05-15) + +* **Dependency Update**: Updated to the latest SDK module versions + +# v1.3.5 (2024-03-29) + +* **Dependency Update**: Updated to the latest SDK module versions + # v1.3.4 (2024-03-18) * **Dependency Update**: Updated to the latest SDK module versions diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go index d25782e9ce1..67cbc376748 100644 
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go @@ -3,4 +3,4 @@ package configsources // goModuleVersion is the tagged release for this module -const goModuleVersion = "1.3.4" +const goModuleVersion = "1.3.7" diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md index 5bb02f574f9..5ff8fef9364 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md +++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md @@ -1,3 +1,15 @@ +# v2.6.7 (2024-05-16) + +* **Dependency Update**: Updated to the latest SDK module versions + +# v2.6.6 (2024-05-15) + +* **Dependency Update**: Updated to the latest SDK module versions + +# v2.6.5 (2024-03-29) + +* **Dependency Update**: Updated to the latest SDK module versions + # v2.6.4 (2024-03-18) * **Dependency Update**: Updated to the latest SDK module versions diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go index bb857bcb972..cc9b78076ac 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go @@ -3,4 +3,4 @@ package endpoints // goModuleVersion is the tagged release for this module -const goModuleVersion = "2.6.4" +const goModuleVersion = "2.6.7" diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md index cac6f926eb8..9cf6cf22b40 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md 
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md @@ -1,3 +1,7 @@ +# v1.11.2 (2024-03-29) + +* No change notes available for this release. + # v1.11.1 (2024-02-21) * No change notes available for this release. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go index c5ae0f8735d..6339b54191a 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go @@ -3,4 +3,4 @@ package acceptencoding // goModuleVersion is the tagged release for this module -const goModuleVersion = "1.11.1" +const goModuleVersion = "1.11.2" diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md index ead169d5cfb..60670452103 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md @@ -1,3 +1,15 @@ +# v1.11.9 (2024-05-16) + +* **Dependency Update**: Updated to the latest SDK module versions + +# v1.11.8 (2024-05-15) + +* **Dependency Update**: Updated to the latest SDK module versions + +# v1.11.7 (2024-03-29) + +* **Dependency Update**: Updated to the latest SDK module versions + # v1.11.6 (2024-03-18) * **Dependency Update**: Updated to the latest SDK module versions diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go index 98bea53bdda..24fd480d379 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go 
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go @@ -3,4 +3,4 @@ package presignedurl // goModuleVersion is the tagged release for this module -const goModuleVersion = "1.11.6" +const goModuleVersion = "1.11.9" diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/CHANGELOG.md index de4149792da..481b8b29db3 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/CHANGELOG.md +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/CHANGELOG.md @@ -1,3 +1,31 @@ +# v1.32.1 (2024-05-23) + +* No change notes available for this release. + +# v1.32.0 (2024-05-22) + +* **Feature**: This release includes feature to import customer's asymmetric (RSA, ECC and SM2) and HMAC keys into KMS in China. + +# v1.31.3 (2024-05-16) + +* **Dependency Update**: Updated to the latest SDK module versions + +# v1.31.2 (2024-05-15) + +* **Dependency Update**: Updated to the latest SDK module versions + +# v1.31.1 (2024-05-08) + +* **Bug Fix**: GoDoc improvement + +# v1.31.0 (2024-04-12) + +* **Feature**: This feature supports the ability to specify a custom rotation period for automatic key rotations, the ability to perform on-demand key rotations, and visibility into your key material rotations. + +# v1.30.1 (2024-03-29) + +* **Dependency Update**: Updated to the latest SDK module versions + # v1.30.0 (2024-03-18) * **Feature**: Adds the ability to use the default policy name by omitting the policyName parameter in calls to PutKeyPolicy and GetKeyPolicy diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CancelKeyDeletion.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CancelKeyDeletion.go index 4cabfbcbbe6..34d958bc941 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CancelKeyDeletion.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CancelKeyDeletion.go 
@@ -11,19 +11,28 @@ import ( ) // Cancels the deletion of a KMS key. When this operation succeeds, the key state -// of the KMS key is Disabled . To enable the KMS key, use EnableKey . For more -// information about scheduling and canceling deletion of a KMS key, see Deleting -// KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) -// in the Key Management Service Developer Guide. The KMS key that you use for this -// operation must be in a compatible key state. For details, see Key states of KMS -// keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in -// the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on a KMS key in a different Amazon Web Services account. -// Required permissions: kms:CancelKeyDeletion (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: ScheduleKeyDeletion Eventual consistency: The -// KMS API follows an eventual consistency model. For more information, see KMS -// eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// of the KMS key is Disabled . To enable the KMS key, use EnableKey. +// +// For more information about scheduling and canceling deletion of a KMS key, see [Deleting KMS keys] +// in the Key Management Service Developer Guide. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. +// +// Required permissions: [kms:CancelKeyDeletion] (key policy) +// +// Related operations: ScheduleKeyDeletion +// +// Eventual consistency: The KMS API follows an eventual consistency model. For +// more information, see [KMS eventual consistency]. 
+// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [kms:CancelKeyDeletion]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [Deleting KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) CancelKeyDeletion(ctx context.Context, params *CancelKeyDeletionInput, optFns ...func(*Options)) (*CancelKeyDeletionOutput, error) { if params == nil { params = &CancelKeyDeletionInput{} @@ -41,12 +50,18 @@ func (c *Client) CancelKeyDeletion(ctx context.Context, params *CancelKeyDeletio type CancelKeyDeletionInput struct { - // Identifies the KMS key whose deletion is being canceled. Specify the key ID or - // key ARN of the KMS key. For example: + // Identifies the KMS key whose deletion is being canceled. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string @@ -56,8 +71,9 @@ type CancelKeyDeletionInput struct { type CancelKeyDeletionOutput struct { - // The Amazon Resource Name ( key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) - // ) of the KMS key whose deletion is canceled. + // The Amazon Resource Name ([key ARN] ) of the KMS key whose deletion is canceled. + // + // [key ARN]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN KeyId *string // Metadata pertaining to the operation's result. 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ConnectCustomKeyStore.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ConnectCustomKeyStore.go index 92021a497b1..12faa6b1bf0 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ConnectCustomKeyStore.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ConnectCustomKeyStore.go 
@@ -10,66 +10,99 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Connects or reconnects a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// to its backing key store. For an CloudHSM key store, ConnectCustomKeyStore -// connects the key store to its associated CloudHSM cluster. For an external key -// store, ConnectCustomKeyStore connects the key store to the external key store -// proxy that communicates with your external key manager. The custom key store -// must be connected before you can create KMS keys in the key store or use the KMS -// keys it contains. You can disconnect and reconnect a custom key store at any -// time. The connection process for a custom key store can take an extended amount -// of time to complete. This operation starts the connection process, but it does -// not wait for it to complete. When it succeeds, this operation quickly returns an +// Connects or reconnects a [custom key store] to its backing key store. For an CloudHSM key store, +// ConnectCustomKeyStore connects the key store to its associated CloudHSM cluster. +// For an external key store, ConnectCustomKeyStore connects the key store to the +// external key store proxy that communicates with your external key manager. +// +// The custom key store must be connected before you can create KMS keys in the +// key store or use the KMS keys it contains. You can disconnect and reconnect a +// custom key store at any time. +// +// The connection process for a custom key store can take an extended amount of +// time to complete. This operation starts the connection process, but it does not +// wait for it to complete. When it succeeds, this operation quickly returns an // HTTP 200 response and a JSON object with no properties. However, this response // does not indicate that the custom key store is connected. 
To get the connection -// state of the custom key store, use the DescribeCustomKeyStores operation. This -// operation is part of the custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// feature in KMS, which combines the convenience and extensive integration of KMS -// with the isolation and control of a key store that you own and manage. The -// ConnectCustomKeyStore operation might fail for various reasons. To find the -// reason, use the DescribeCustomKeyStores operation and see the -// ConnectionErrorCode in the response. For help interpreting the -// ConnectionErrorCode , see CustomKeyStoresListEntry . To fix the failure, use the -// DisconnectCustomKeyStore operation to disconnect the custom key store, correct -// the error, use the UpdateCustomKeyStore operation if necessary, and then use -// ConnectCustomKeyStore again. CloudHSM key store During the connection process -// for an CloudHSM key store, KMS finds the CloudHSM cluster that is associated -// with the custom key store, creates the connection infrastructure, connects to -// the cluster, logs into the CloudHSM client as the kmsuser CU, and rotates its -// password. To connect an CloudHSM key store, its associated CloudHSM cluster must -// have at least one active HSM. To get the number of active HSMs in a cluster, use -// the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) -// operation. To add HSMs to the cluster, use the CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) -// operation. Also, the kmsuser crypto user (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser) +// state of the custom key store, use the DescribeCustomKeyStoresoperation. 
+// +// This operation is part of the [custom key stores] feature in KMS, which combines the convenience +// and extensive integration of KMS with the isolation and control of a key store +// that you own and manage. +// +// The ConnectCustomKeyStore operation might fail for various reasons. To find the +// reason, use the DescribeCustomKeyStoresoperation and see the ConnectionErrorCode in the response. For +// help interpreting the ConnectionErrorCode , see CustomKeyStoresListEntry. +// +// To fix the failure, use the DisconnectCustomKeyStore operation to disconnect the custom key store, +// correct the error, use the UpdateCustomKeyStoreoperation if necessary, and then use +// ConnectCustomKeyStore again. +// +// # CloudHSM key store +// +// During the connection process for an CloudHSM key store, KMS finds the CloudHSM +// cluster that is associated with the custom key store, creates the connection +// infrastructure, connects to the cluster, logs into the CloudHSM client as the +// kmsuser CU, and rotates its password. +// +// To connect an CloudHSM key store, its associated CloudHSM cluster must have at +// least one active HSM. To get the number of active HSMs in a cluster, use the [DescribeClusters] +// operation. To add HSMs to the cluster, use the [CreateHsm]operation. Also, the [kmsuser crypto user]kmsuser // (CU) must not be logged into the cluster. This prevents KMS from using this -// account to log in. If you are having trouble connecting or disconnecting a -// CloudHSM key store, see Troubleshooting an CloudHSM key store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) -// in the Key Management Service Developer Guide. External key store When you -// connect an external key store that uses public endpoint connectivity, KMS tests -// its ability to communicate with your external key manager by sending a request -// via the external key store proxy. 
When you connect to an external key store that -// uses VPC endpoint service connectivity, KMS establishes the networking elements -// that it needs to communicate with your external key manager via the external key -// store proxy. This includes creating an interface endpoint to the VPC endpoint -// service and a private hosted zone for traffic between KMS and the VPC endpoint -// service. To connect an external key store, KMS must be able to connect to the -// external key store proxy, the external key store proxy must be able to -// communicate with your external key manager, and the external key manager must be -// available for cryptographic operations. If you are having trouble connecting or -// disconnecting an external key store, see Troubleshooting an external key store (https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html) -// in the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on a custom key store in a different Amazon Web Services -// account. Required permissions: kms:ConnectCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (IAM policy) Related operations -// - CreateCustomKeyStore -// - DeleteCustomKeyStore -// - DescribeCustomKeyStores -// - DisconnectCustomKeyStore -// - UpdateCustomKeyStore +// account to log in. +// +// If you are having trouble connecting or disconnecting a CloudHSM key store, see [Troubleshooting an CloudHSM key store] +// in the Key Management Service Developer Guide. +// +// # External key store +// +// When you connect an external key store that uses public endpoint connectivity, +// KMS tests its ability to communicate with your external key manager by sending a +// request via the external key store proxy. 
+// +// When you connect to an external key store that uses VPC endpoint service +// connectivity, KMS establishes the networking elements that it needs to +// communicate with your external key manager via the external key store proxy. +// This includes creating an interface endpoint to the VPC endpoint service and a +// private hosted zone for traffic between KMS and the VPC endpoint service. +// +// To connect an external key store, KMS must be able to connect to the external +// key store proxy, the external key store proxy must be able to communicate with +// your external key manager, and the external key manager must be available for +// cryptographic operations. +// +// If you are having trouble connecting or disconnecting an external key store, +// see [Troubleshooting an external key store]in the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a custom key store +// in a different Amazon Web Services account. +// +// Required permissions: [kms:ConnectCustomKeyStore] (IAM policy) +// +// # Related operations +// +// # CreateCustomKeyStore +// +// # DeleteCustomKeyStore +// +// # DescribeCustomKeyStores +// +// # DisconnectCustomKeyStore +// +// # UpdateCustomKeyStore // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. 
+// +// [DescribeClusters]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html +// [custom key stores]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html +// [kmsuser crypto user]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser +// [Troubleshooting an CloudHSM key store]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html +// [CreateHsm]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html +// [kms:ConnectCustomKeyStore]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [Troubleshooting an external key store]: https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html func (c *Client) ConnectCustomKeyStore(ctx context.Context, params *ConnectCustomKeyStoreInput, optFns ...func(*Options)) (*ConnectCustomKeyStoreOutput, error) { if params == nil { params = &ConnectCustomKeyStoreInput{} @@ -88,7 +121,7 @@ func (c *Client) ConnectCustomKeyStore(ctx context.Context, params *ConnectCusto type ConnectCustomKeyStoreInput struct { // Enter the key store ID of the custom key store that you want to connect. To - // find the ID of a custom key store, use the DescribeCustomKeyStores operation. + // find the ID of a custom key store, use the DescribeCustomKeyStoresoperation. // // This member is required. CustomKeyStoreId *string diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateAlias.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateAlias.go index 1ef799fb995..a533b6991d0 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateAlias.go 
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateAlias.go 
@@ -10,41 +10,62 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Creates a friendly name for a KMS key. Adding, deleting, or updating an alias -// can allow or deny permission to the KMS key. For details, see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) -// in the Key Management Service Developer Guide. You can use an alias to identify -// a KMS key in the KMS console, in the DescribeKey operation and in cryptographic -// operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) -// , such as Encrypt and GenerateDataKey . You can also change the KMS key that's -// associated with the alias ( UpdateAlias ) or delete the alias ( DeleteAlias ) at -// any time. These operations don't affect the underlying KMS key. You can -// associate the alias with any customer managed key in the same Amazon Web -// Services Region. Each alias is associated with only one KMS key at a time, but a -// KMS key can have multiple aliases. A valid KMS key is required. You can't create -// an alias without a KMS key. The alias must be unique in the account and Region, -// but you can have aliases with the same name in different Regions. For detailed -// information about aliases, see Using aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html) -// in the Key Management Service Developer Guide. This operation does not return a -// response. To get the alias that you created, use the ListAliases operation. The -// KMS key that you use for this operation must be in a compatible key state. For -// details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on an alias in a different Amazon Web Services account. 
-// Required permissions -// - kms:CreateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// on the alias (IAM policy). -// - kms:CreateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// on the KMS key (key policy). -// -// For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access) -// in the Key Management Service Developer Guide. Related operations: -// - DeleteAlias -// - ListAliases -// - UpdateAlias +// Creates a friendly name for a KMS key. +// +// Adding, deleting, or updating an alias can allow or deny permission to the KMS +// key. For details, see [ABAC for KMS]in the Key Management Service Developer Guide. +// +// You can use an alias to identify a KMS key in the KMS console, in the DescribeKey +// operation and in [cryptographic operations], such as Encrypt and GenerateDataKey. You can also change the KMS key that's +// associated with the alias (UpdateAlias ) or delete the alias (DeleteAlias ) at any time. These +// operations don't affect the underlying KMS key. +// +// You can associate the alias with any customer managed key in the same Amazon +// Web Services Region. Each alias is associated with only one KMS key at a time, +// but a KMS key can have multiple aliases. A valid KMS key is required. You can't +// create an alias without a KMS key. +// +// The alias must be unique in the account and Region, but you can have aliases +// with the same name in different Regions. For detailed information about aliases, +// see [Using aliases]in the Key Management Service Developer Guide. +// +// This operation does not return a response. To get the alias that you created, +// use the ListAliasesoperation. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. 
+// +// Cross-account use: No. You cannot perform this operation on an alias in a +// different Amazon Web Services account. +// +// # Required permissions +// +// [kms:CreateAlias] +// - on the alias (IAM policy). +// +// [kms:CreateAlias] +// - on the KMS key (key policy). +// +// For details, see [Controlling access to aliases] in the Key Management Service Developer Guide. +// +// Related operations: +// +// # DeleteAlias +// +// # ListAliases +// +// # UpdateAlias // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [cryptographic operations]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations +// [Using aliases]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html +// [kms:CreateAlias]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [ABAC for KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [Controlling access to aliases]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access func (c *Client) CreateAlias(ctx context.Context, params *CreateAliasInput, optFns ...func(*Options)) (*CreateAliasOutput, error) { if params == nil { params = &CreateAliasInput{} 
@@ -63,27 +84,43 @@ func (c *Client) CreateAlias(ctx context.Context, params *CreateAliasInput, optF type CreateAliasInput struct { // Specifies the alias name. This value must begin with alias/ followed by a name, - // such as alias/ExampleAlias . Do not include confidential or sensitive - // information in this field. This field may be displayed in plaintext in - // CloudTrail logs and other output. The AliasName value must be string of 1-256 - // characters. It can contain only alphanumeric characters, forward slashes (/), - // underscores (_), and dashes (-). The alias name cannot begin with alias/aws/ . - // The alias/aws/ prefix is reserved for Amazon Web Services managed keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) - // . + // such as alias/ExampleAlias . + // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. + // + // The AliasName value must be string of 1-256 characters. It can contain only + // alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). + // The alias name cannot begin with alias/aws/ . The alias/aws/ prefix is reserved + // for [Amazon Web Services managed keys]. + // + // [Amazon Web Services managed keys]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk // // This member is required. AliasName *string - // Associates the alias with the specified customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) - // . The KMS key must be in the same Amazon Web Services Region. A valid key ID is - // required. If you supply a null or empty string value, this operation returns an - // error. 
For help finding the key ID and ARN, see Finding the Key ID and ARN (https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn) - // in the Key Management Service Developer Guide . Specify the key ID or key ARN of - // the KMS key. For example: + // Associates the alias with the specified [customer managed key]. The KMS key must be in the same + // Amazon Web Services Region. + // + // A valid key ID is required. If you supply a null or empty string value, this + // operation returns an error. + // + // For help finding the key ID and ARN, see [Finding the Key ID and ARN] in the Key Management Service + // Developer Guide . + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. + // + // [customer managed key]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk + // [Finding the Key ID and ARN]: https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn // // This member is required. TargetKeyId *string diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateCustomKeyStore.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateCustomKeyStore.go index 00679206d4c..49b072e60b0 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateCustomKeyStore.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateCustomKeyStore.go 
@@ -11,67 +11,90 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Creates a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// backed by a key store that you own and manage. When you use a KMS key in a -// custom key store for a cryptographic operation, the cryptographic operation is -// actually performed in your key store using your keys. KMS supports CloudHSM key -// stores (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html) -// backed by an CloudHSM cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html) -// and external key stores (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html) -// backed by an external key store proxy and external key manager outside of Amazon -// Web Services. This operation is part of the custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// feature in KMS, which combines the convenience and extensive integration of KMS -// with the isolation and control of a key store that you own and manage. Before -// you create the custom key store, the required elements must be in place and -// operational. We recommend that you use the test tools that KMS provides to +// Creates a [custom key store] backed by a key store that you own and manage. When you use a KMS +// key in a custom key store for a cryptographic operation, the cryptographic +// operation is actually performed in your key store using your keys. KMS supports [CloudHSM key stores] +// backed by an [CloudHSM cluster]and [external key stores] backed by an external key store proxy and external key +// manager outside of Amazon Web Services. +// +// This operation is part of the [custom key stores] feature in KMS, which combines the convenience +// and extensive integration of KMS with the isolation and control of a key store +// that you own and manage. 
+// +// Before you create the custom key store, the required elements must be in place +// and operational. We recommend that you use the test tools that KMS provides to // verify the configuration your external key store proxy. For details about the -// required elements and verification tests, see Assemble the prerequisites (for -// CloudHSM key stores) (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) -// or Assemble the prerequisites (for external key stores) (https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements) -// in the Key Management Service Developer Guide. To create a custom key store, use -// the following parameters. +// required elements and verification tests, see [Assemble the prerequisites (for CloudHSM key stores)]or [Assemble the prerequisites (for external key stores)] in the Key Management Service +// Developer Guide. +// +// To create a custom key store, use the following parameters. +// // - To create an CloudHSM key store, specify the CustomKeyStoreName , // CloudHsmClusterId , KeyStorePassword , and TrustAnchorCertificate . The // CustomKeyStoreType parameter is optional for CloudHSM key stores. If you // include it, set it to the default value, AWS_CLOUDHSM . For help with -// failures, see Troubleshooting an CloudHSM key store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) -// in the Key Management Service Developer Guide. +// failures, see [Troubleshooting an CloudHSM key store]in the Key Management Service Developer Guide. +// // - To create an external key store, specify the CustomKeyStoreName and a // CustomKeyStoreType of EXTERNAL_KEY_STORE . Also, specify values for // XksProxyConnectivity , XksProxyAuthenticationCredential , XksProxyUriEndpoint // , and XksProxyUriPath . If your XksProxyConnectivity value is // VPC_ENDPOINT_SERVICE , specify the XksProxyVpcEndpointServiceName parameter. 
-// For help with failures, see Troubleshooting an external key store (https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html) -// in the Key Management Service Developer Guide. +// For help with failures, see [Troubleshooting an external key store]in the Key Management Service Developer Guide. +// +// For external key stores: +// +// Some external key managers provide a simpler method for creating an external +// key store. For details, see your external key manager documentation. +// +// When creating an external key store in the KMS console, you can upload a +// JSON-based proxy configuration file with the desired values. You cannot use a +// proxy configuration with the CreateCustomKeyStore operation. However, you can +// use the values in the file to help you determine the correct values for the +// CreateCustomKeyStore parameters. +// +// When the operation completes successfully, it returns the ID of the new custom +// key store. Before you can use your new custom key store, you need to use the ConnectCustomKeyStore +// operation to connect a new CloudHSM key store to its CloudHSM cluster, or to +// connect a new external key store to the external key store proxy for your +// external key manager. Even if you are not going to use your custom key store +// immediately, you might want to connect it to verify that all settings are +// correct and then disconnect it until you are ready to use it. +// +// For help with failures, see [Troubleshooting a custom key store] in the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a custom key store +// in a different Amazon Web Services account. +// +// Required permissions: [kms:CreateCustomKeyStore] (IAM policy). +// +// Related operations: // -// For external key stores: Some external key managers provide a simpler method -// for creating an external key store. For details, see your external key manager -// documentation. 
When creating an external key store in the KMS console, you can -// upload a JSON-based proxy configuration file with the desired values. You cannot -// use a proxy configuration with the CreateCustomKeyStore operation. However, you -// can use the values in the file to help you determine the correct values for the -// CreateCustomKeyStore parameters. When the operation completes successfully, it -// returns the ID of the new custom key store. Before you can use your new custom -// key store, you need to use the ConnectCustomKeyStore operation to connect a new -// CloudHSM key store to its CloudHSM cluster, or to connect a new external key -// store to the external key store proxy for your external key manager. Even if you -// are not going to use your custom key store immediately, you might want to -// connect it to verify that all settings are correct and then disconnect it until -// you are ready to use it. For help with failures, see Troubleshooting a custom -// key store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) -// in the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on a custom key store in a different Amazon Web Services -// account. Required permissions: kms:CreateCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (IAM policy). Related operations: -// - ConnectCustomKeyStore -// - DeleteCustomKeyStore -// - DescribeCustomKeyStores -// - DisconnectCustomKeyStore -// - UpdateCustomKeyStore +// # ConnectCustomKeyStore +// +// # DeleteCustomKeyStore +// +// # DescribeCustomKeyStores +// +// # DisconnectCustomKeyStore +// +// # UpdateCustomKeyStore // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . 
+// more information, see [KMS eventual consistency]. +// +// [CloudHSM key stores]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html +// [CloudHSM cluster]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html +// [custom key stores]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html +// [external key stores]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html +// [Troubleshooting an CloudHSM key store]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html +// [Assemble the prerequisites (for CloudHSM key stores)]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore +// [Assemble the prerequisites (for external key stores)]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements +// [Troubleshooting a custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html +// [Troubleshooting an external key store]: https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html +// [kms:CreateCustomKeyStore]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html func (c *Client) CreateCustomKeyStore(ctx context.Context, params *CreateCustomKeyStoreInput, optFns ...func(*Options)) (*CreateCustomKeyStoreOutput, error) { if params == nil { params = &CreateCustomKeyStoreInput{} 
@@ -91,96 +114,125 @@ type CreateCustomKeyStoreInput struct { // Specifies a friendly name for the custom key store. The name must be unique in // your Amazon Web Services account and Region. This parameter is required for all - // custom key stores. Do not include confidential or sensitive information in this - // field. This field may be displayed in plaintext in CloudTrail logs and other - // output. + // custom key stores. + // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. // // This member is required. CustomKeyStoreName *string // Identifies the CloudHSM cluster for an CloudHSM key store. This parameter is - // required for custom key stores with CustomKeyStoreType of AWS_CLOUDHSM . Enter - // the cluster ID of any active CloudHSM cluster that is not already associated - // with a custom key store. To find the cluster ID, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) - // operation. + // required for custom key stores with CustomKeyStoreType of AWS_CLOUDHSM . + // + // Enter the cluster ID of any active CloudHSM cluster that is not already + // associated with a custom key store. To find the cluster ID, use the [DescribeClusters]operation. + // + // [DescribeClusters]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html CloudHsmClusterId *string - // Specifies the type of custom key store. The default value is AWS_CLOUDHSM . For - // a custom key store backed by an CloudHSM cluster, omit the parameter or enter - // AWS_CLOUDHSM . For a custom key store backed by an external key manager outside - // of Amazon Web Services, enter EXTERNAL_KEY_STORE . You cannot change this - // property after the key store is created. + // Specifies the type of custom key store. The default value is AWS_CLOUDHSM . 
+ // + // For a custom key store backed by an CloudHSM cluster, omit the parameter or + // enter AWS_CLOUDHSM . For a custom key store backed by an external key manager + // outside of Amazon Web Services, enter EXTERNAL_KEY_STORE . You cannot change + // this property after the key store is created. CustomKeyStoreType types.CustomKeyStoreType // Specifies the kmsuser password for an CloudHSM key store. This parameter is - // required for custom key stores with a CustomKeyStoreType of AWS_CLOUDHSM . Enter - // the password of the kmsuser crypto user (CU) account (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser) - // in the specified CloudHSM cluster. KMS logs into the cluster as this user to - // manage key material on your behalf. The password must be a string of 7 to 32 - // characters. Its value is case sensitive. This parameter tells KMS the kmsuser - // account password; it does not change the password in the CloudHSM cluster. + // required for custom key stores with a CustomKeyStoreType of AWS_CLOUDHSM . + // + // Enter the password of the [kmsuser crypto user (CU) account]kmsuser in the specified CloudHSM cluster. KMS logs + // into the cluster as this user to manage key material on your behalf. + // + // The password must be a string of 7 to 32 characters. Its value is case + // sensitive. + // + // This parameter tells KMS the kmsuser account password; it does not change the + // password in the CloudHSM cluster. + // + // [kmsuser crypto user (CU) account]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser KeyStorePassword *string // Specifies the certificate for an CloudHSM key store. This parameter is required - // for custom key stores with a CustomKeyStoreType of AWS_CLOUDHSM . Enter the - // content of the trust anchor certificate for the CloudHSM cluster. 
This is the - // content of the customerCA.crt file that you created when you initialized the - // cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html) - // . + // for custom key stores with a CustomKeyStoreType of AWS_CLOUDHSM . + // + // Enter the content of the trust anchor certificate for the CloudHSM cluster. + // This is the content of the customerCA.crt file that you created when you [initialized the cluster]. + // + // [initialized the cluster]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html TrustAnchorCertificate *string // Specifies an authentication credential for the external key store proxy (XKS // proxy). This parameter is required for all custom key stores with a - // CustomKeyStoreType of EXTERNAL_KEY_STORE . The XksProxyAuthenticationCredential - // has two required elements: RawSecretAccessKey , a secret key, and AccessKeyId , - // a unique identifier for the RawSecretAccessKey . For character requirements, see - // XksProxyAuthenticationCredentialType . KMS uses this authentication credential - // to sign requests to the external key store proxy on your behalf. This credential - // is unrelated to Identity and Access Management (IAM) and Amazon Web Services - // credentials. This parameter doesn't set or change the authentication credentials - // on the XKS proxy. It just tells KMS the credential that you established on your - // external key store proxy. If you rotate your proxy authentication credential, - // use the UpdateCustomKeyStore operation to provide the new credential to KMS. + // CustomKeyStoreType of EXTERNAL_KEY_STORE . + // + // The XksProxyAuthenticationCredential has two required elements: + // RawSecretAccessKey , a secret key, and AccessKeyId , a unique identifier for the + // RawSecretAccessKey . For character requirements, see XksProxyAuthenticationCredentialType. 
+ // + // KMS uses this authentication credential to sign requests to the external key + // store proxy on your behalf. This credential is unrelated to Identity and Access + // Management (IAM) and Amazon Web Services credentials. + // + // This parameter doesn't set or change the authentication credentials on the XKS + // proxy. It just tells KMS the credential that you established on your external + // key store proxy. If you rotate your proxy authentication credential, use the UpdateCustomKeyStore + // operation to provide the new credential to KMS. XksProxyAuthenticationCredential *types.XksProxyAuthenticationCredentialType // Indicates how KMS communicates with the external key store proxy. This // parameter is required for custom key stores with a CustomKeyStoreType of - // EXTERNAL_KEY_STORE . If the external key store proxy uses a public endpoint, - // specify PUBLIC_ENDPOINT . If the external key store proxy uses a Amazon VPC - // endpoint service for communication with KMS, specify VPC_ENDPOINT_SERVICE . For - // help making this choice, see Choosing a connectivity option (https://docs.aws.amazon.com/kms/latest/developerguide/plan-xks-keystore.html#choose-xks-connectivity) - // in the Key Management Service Developer Guide. An Amazon VPC endpoint service - // keeps your communication with KMS in a private address space entirely within - // Amazon Web Services, but it requires more configuration, including establishing - // a Amazon VPC with multiple subnets, a VPC endpoint service, a network load - // balancer, and a verified private DNS name. A public endpoint is simpler to set - // up, but it might be slower and might not fulfill your security requirements. You - // might consider testing with a public endpoint, and then establishing a VPC - // endpoint service for production tasks. Note that this choice does not determine - // the location of the external key store proxy. 
Even if you choose a VPC endpoint - // service, the proxy can be hosted within the VPC or outside of Amazon Web - // Services such as in your corporate data center. + // EXTERNAL_KEY_STORE . + // + // If the external key store proxy uses a public endpoint, specify PUBLIC_ENDPOINT + // . If the external key store proxy uses a Amazon VPC endpoint service for + // communication with KMS, specify VPC_ENDPOINT_SERVICE . For help making this + // choice, see [Choosing a connectivity option]in the Key Management Service Developer Guide. + // + // An Amazon VPC endpoint service keeps your communication with KMS in a private + // address space entirely within Amazon Web Services, but it requires more + // configuration, including establishing a Amazon VPC with multiple subnets, a VPC + // endpoint service, a network load balancer, and a verified private DNS name. A + // public endpoint is simpler to set up, but it might be slower and might not + // fulfill your security requirements. You might consider testing with a public + // endpoint, and then establishing a VPC endpoint service for production tasks. + // Note that this choice does not determine the location of the external key store + // proxy. Even if you choose a VPC endpoint service, the proxy can be hosted within + // the VPC or outside of Amazon Web Services such as in your corporate data center. + // + // [Choosing a connectivity option]: https://docs.aws.amazon.com/kms/latest/developerguide/plan-xks-keystore.html#choose-xks-connectivity XksProxyConnectivity types.XksProxyConnectivityType // Specifies the endpoint that KMS uses to send requests to the external key store // proxy (XKS proxy). This parameter is required for custom key stores with a - // CustomKeyStoreType of EXTERNAL_KEY_STORE . The protocol must be HTTPS. KMS - // communicates on port 443. Do not specify the port in the XksProxyUriEndpoint - // value. 
For external key stores with XksProxyConnectivity value of - // VPC_ENDPOINT_SERVICE , specify https:// followed by the private DNS name of the - // VPC endpoint service. For external key stores with PUBLIC_ENDPOINT - // connectivity, this endpoint must be reachable before you create the custom key - // store. KMS connects to the external key store proxy while creating the custom - // key store. For external key stores with VPC_ENDPOINT_SERVICE connectivity, KMS - // connects when you call the ConnectCustomKeyStore operation. The value of this - // parameter must begin with https:// . The remainder can contain upper and lower - // case letters (A-Z and a-z), numbers (0-9), dots ( . ), and hyphens ( - ). - // Additional slashes ( / and \ ) are not permitted. Uniqueness requirements: + // CustomKeyStoreType of EXTERNAL_KEY_STORE . + // + // The protocol must be HTTPS. KMS communicates on port 443. Do not specify the + // port in the XksProxyUriEndpoint value. + // + // For external key stores with XksProxyConnectivity value of VPC_ENDPOINT_SERVICE + // , specify https:// followed by the private DNS name of the VPC endpoint service. + // + // For external key stores with PUBLIC_ENDPOINT connectivity, this endpoint must + // be reachable before you create the custom key store. KMS connects to the + // external key store proxy while creating the custom key store. For external key + // stores with VPC_ENDPOINT_SERVICE connectivity, KMS connects when you call the ConnectCustomKeyStore + // operation. + // + // The value of this parameter must begin with https:// . The remainder can contain + // upper and lower case letters (A-Z and a-z), numbers (0-9), dots ( . ), and + // hyphens ( - ). Additional slashes ( / and \ ) are not permitted. + // + // Uniqueness requirements: + // // - The combined XksProxyUriEndpoint and XksProxyUriPath values must be unique // in the Amazon Web Services account and Region. 
+ // // - An external key store with PUBLIC_ENDPOINT connectivity cannot use the same // XksProxyUriEndpoint value as an external key store with VPC_ENDPOINT_SERVICE // connectivity in this Amazon Web Services Region. + // // - Each external key store with VPC_ENDPOINT_SERVICE connectivity must have its // own private DNS name. The XksProxyUriEndpoint value for external key stores // with VPC_ENDPOINT_SERVICE connectivity (private DNS name) must be unique in @@ -190,10 +242,14 @@ type CreateCustomKeyStoreInput struct { // Specifies the base path to the proxy APIs for this external key store. To find // this value, see the documentation for your external key store proxy. This // parameter is required for all custom key stores with a CustomKeyStoreType of - // EXTERNAL_KEY_STORE . The value must start with / and must end with /kms/xks/v1 - // where v1 represents the version of the KMS external key store proxy API. This - // path can include an optional prefix between the required elements such as - // /prefix/kms/xks/v1 . Uniqueness requirements: + // EXTERNAL_KEY_STORE . + // + // The value must start with / and must end with /kms/xks/v1 where v1 represents + // the version of the KMS external key store proxy API. This path can include an + // optional prefix between the required elements such as /prefix/kms/xks/v1 . + // + // Uniqueness requirements: + // // - The combined XksProxyUriEndpoint and XksProxyUriPath values must be unique // in the Amazon Web Services account and Region. XksProxyUriPath *string 
@@ -201,12 +257,17 @@ type CreateCustomKeyStoreInput struct { // Specifies the name of the Amazon VPC endpoint service for interface endpoints // that is used to communicate with your external key store proxy (XKS proxy). This // parameter is required when the value of CustomKeyStoreType is EXTERNAL_KEY_STORE - // and the value of XksProxyConnectivity is VPC_ENDPOINT_SERVICE . The Amazon VPC - // endpoint service must fulfill all requirements (https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements) - // for use with an external key store. Uniqueness requirements: + // and the value of XksProxyConnectivity is VPC_ENDPOINT_SERVICE . + // + // The Amazon VPC endpoint service must [fulfill all requirements] for use with an external key store. + // + // Uniqueness requirements: + // // - External key stores with VPC_ENDPOINT_SERVICE connectivity can share an // Amazon VPC, but each external key store must have its own VPC endpoint service // and private DNS name. + // + // [fulfill all requirements]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements XksProxyVpcEndpointServiceName *string noSmithyDocumentSerde diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateGrant.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateGrant.go index 691a17b45aa..86de7bf6b0e 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateGrant.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateGrant.go 
@@ -11,45 +11,65 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Adds a grant to a KMS key. A grant is a policy instrument that allows Amazon -// Web Services principals to use KMS keys in cryptographic operations. It also can -// allow them to view a KMS key ( DescribeKey ) and create and manage grants. When -// authorizing access to a KMS key, grants are considered along with key policies -// and IAM policies. Grants are often used for temporary permissions because you -// can create one, use its permissions, and delete it without changing your key -// policies or IAM policies. For detailed information about grants, including grant -// terminology, see Grants in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) -// in the Key Management Service Developer Guide . For examples of working with -// grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html) -// . The CreateGrant operation returns a GrantToken and a GrantId . +// Adds a grant to a KMS key. +// +// A grant is a policy instrument that allows Amazon Web Services principals to +// use KMS keys in cryptographic operations. It also can allow them to view a KMS +// key (DescribeKey ) and create and manage grants. When authorizing access to a KMS key, +// grants are considered along with key policies and IAM policies. Grants are often +// used for temporary permissions because you can create one, use its permissions, +// and delete it without changing your key policies or IAM policies. +// +// For detailed information about grants, including grant terminology, see [Grants in KMS] in the +// Key Management Service Developer Guide . For examples of working with grants in +// several programming languages, see [Programming grants]. +// +// The CreateGrant operation returns a GrantToken and a GrantId . 
+// // - When you create, retire, or revoke a grant, there might be a brief delay, // usually less than five minutes, until the grant is available throughout KMS. // This state is known as eventual consistency. Once the grant has achieved // eventual consistency, the grantee principal can use the permissions in the grant -// without identifying the grant. However, to use the permissions in the grant -// immediately, use the GrantToken that CreateGrant returns. For details, see -// Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) -// in the Key Management Service Developer Guide . -// - The CreateGrant operation also returns a GrantId . You can use the GrantId -// and a key identifier to identify the grant in the RetireGrant and RevokeGrant -// operations. To find the grant ID, use the ListGrants or ListRetirableGrants -// operations. +// without identifying the grant. +// +// However, to use the permissions in the grant immediately, use the GrantToken +// +// that CreateGrant returns. For details, see [Using a grant token]in the Key Management Service +// Developer Guide . +// +// - The CreateGrant operation also returns a GrantId . You can use the GrantId +// and a key identifier to identify the grant in the RetireGrantand RevokeGrantoperations. To find the +// grant ID, use the ListGrantsor ListRetirableGrantsoperations. // // The KMS key that you use for this operation must be in a compatible key state. -// For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. Cross-account use: Yes. To -// perform this operation on a KMS key in a different Amazon Web Services account, -// specify the key ARN in the value of the KeyId parameter. 
Required permissions: -// kms:CreateGrant (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - ListGrants -// - ListRetirableGrants -// - RetireGrant -// - RevokeGrant +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation on a KMS key in a different +// Amazon Web Services account, specify the key ARN in the value of the KeyId +// parameter. +// +// Required permissions: [kms:CreateGrant] (key policy) +// +// Related operations: +// +// # ListGrants +// +// # ListRetirableGrants +// +// # RetireGrant +// +// # RevokeGrant // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [Programming grants]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [Grants in KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html +// [kms:CreateGrant]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// +// [Using a grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token func (c *Client) CreateGrant(ctx context.Context, params *CreateGrantInput, optFns ...func(*Options)) (*CreateGrantOutput, error) { if params == nil { params = &CreateGrantInput{} 
@@ -67,100 +87,133 @@ func (c *Client) CreateGrant(ctx context.Context, params *CreateGrantInput, optF type CreateGrantInput struct { - // The identity that gets the permissions specified in the grant. To specify the - // grantee principal, use the Amazon Resource Name (ARN) of an Amazon Web Services - // principal. Valid principals include Amazon Web Services accounts, IAM users, IAM - // roles, federated users, and assumed role users. For help with the ARN syntax for - // a principal, see IAM ARNs (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - // in the Identity and Access Management User Guide . + // The identity that gets the permissions specified in the grant. + // + // To specify the grantee principal, use the Amazon Resource Name (ARN) of an + // Amazon Web Services principal. Valid principals include Amazon Web Services + // accounts, IAM users, IAM roles, federated users, and assumed role users. For + // help with the ARN syntax for a principal, see [IAM ARNs]in the Identity and Access + // Management User Guide . + // + // [IAM ARNs]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns // // This member is required. GranteePrincipal *string // Identifies the KMS key for the grant. The grant gives principals permission to - // use this KMS key. Specify the key ID or key ARN of the KMS key. To specify a KMS - // key in a different Amazon Web Services account, you must use the key ARN. For - // example: + // use this KMS key. + // + // Specify the key ID or key ARN of the KMS key. To specify a KMS key in a + // different Amazon Web Services account, you must use the key ARN. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . 
+ // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string - // A list of operations that the grant permits. This list must include only - // operations that are permitted in a grant. Also, the operation must be supported - // on the KMS key. For example, you cannot create a grant for a symmetric - // encryption KMS key that allows the Sign operation, or a grant for an asymmetric - // KMS key that allows the GenerateDataKey operation. If you try, KMS returns a - // ValidationError exception. For details, see Grant operations (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) - // in the Key Management Service Developer Guide. + // A list of operations that the grant permits. + // + // This list must include only operations that are permitted in a grant. Also, the + // operation must be supported on the KMS key. For example, you cannot create a + // grant for a symmetric encryption KMS key that allows the Signoperation, or a grant + // for an asymmetric KMS key that allows the GenerateDataKeyoperation. If you try, KMS returns a + // ValidationError exception. For details, see [Grant operations] in the Key Management Service + // Developer Guide. + // + // [Grant operations]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations // // This member is required. Operations []types.GrantOperation - // Specifies a grant constraint. Do not include confidential or sensitive - // information in this field. This field may be displayed in plaintext in - // CloudTrail logs and other output. KMS supports the EncryptionContextEquals and - // EncryptionContextSubset grant constraints, which allow the permissions in the - // grant only when the encryption context in the request matches ( - // EncryptionContextEquals ) or includes ( EncryptionContextSubset ) the encryption - // context specified in the constraint. 
The encryption context grant constraints - // are supported only on grant operations (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) - // that include an EncryptionContext parameter, such as cryptographic operations - // on symmetric encryption KMS keys. Grants with grant constraints can include the - // DescribeKey and RetireGrant operations, but the constraint doesn't apply to - // these operations. If a grant with a grant constraint includes the CreateGrant - // operation, the constraint requires that any grants created with the CreateGrant - // permission have an equally strict or stricter encryption context constraint. You - // cannot use an encryption context grant constraint for cryptographic operations - // with asymmetric KMS keys or HMAC KMS keys. Operations with these keys don't - // support an encryption context. Each constraint value can include up to 8 - // encryption context pairs. The encryption context value in each constraint cannot - // exceed 384 characters. For information about grant constraints, see Using grant - // constraints (https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints) - // in the Key Management Service Developer Guide. For more information about - // encryption context, see Encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the Key Management Service Developer Guide . + // Specifies a grant constraint. + // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. 
+ // + // KMS supports the EncryptionContextEquals and EncryptionContextSubset grant + // constraints, which allow the permissions in the grant only when the encryption + // context in the request matches ( EncryptionContextEquals ) or includes ( + // EncryptionContextSubset ) the encryption context specified in the constraint. + // + // The encryption context grant constraints are supported only on [grant operations] that include an + // EncryptionContext parameter, such as cryptographic operations on symmetric + // encryption KMS keys. Grants with grant constraints can include the DescribeKeyand RetireGrant + // operations, but the constraint doesn't apply to these operations. If a grant + // with a grant constraint includes the CreateGrant operation, the constraint + // requires that any grants created with the CreateGrant permission have an + // equally strict or stricter encryption context constraint. + // + // You cannot use an encryption context grant constraint for cryptographic + // operations with asymmetric KMS keys or HMAC KMS keys. Operations with these keys + // don't support an encryption context. + // + // Each constraint value can include up to 8 encryption context pairs. The + // encryption context value in each constraint cannot exceed 384 characters. For + // information about grant constraints, see [Using grant constraints]in the Key Management Service + // Developer Guide. For more information about encryption context, see [Encryption context]in the Key + // Management Service Developer Guide . + // + // [grant operations]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations + // [Using grant constraints]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints + // [Encryption context]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context Constraints *types.GrantConstraints - // Checks if your request will succeed. 
DryRun is an optional parameter. To learn - // more about how to use this parameter, see Testing your KMS API calls (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html) - // in the Key Management Service Developer Guide. + // Checks if your request will succeed. DryRun is an optional parameter. + // + // To learn more about how to use this parameter, see [Testing your KMS API calls] in the Key Management + // Service Developer Guide. + // + // [Testing your KMS API calls]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html DryRun *bool - // A list of grant tokens. Use a grant token when your permission to call this - // operation comes from a new grant that has not yet achieved eventual consistency. - // For more information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - // in the Key Management Service Developer Guide. + // A list of grant tokens. + // + // Use a grant token when your permission to call this operation comes from a new + // grant that has not yet achieved eventual consistency. For more information, see [Grant token] + // and [Using a grant token]in the Key Management Service Developer Guide. + // + // [Grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token + // [Using a grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token GrantTokens []string // A friendly name for the grant. Use this value to prevent the unintended - // creation of duplicate grants when retrying this request. Do not include - // confidential or sensitive information in this field. This field may be displayed - // in plaintext in CloudTrail logs and other output. 
When this value is absent, all - // CreateGrant requests result in a new grant with a unique GrantId even if all - // the supplied parameters are identical. This can result in unintended duplicates - // when you retry the CreateGrant request. When this value is present, you can - // retry a CreateGrant request with identical parameters; if the grant already - // exists, the original GrantId is returned without creating a new grant. Note - // that the returned grant token is unique with every CreateGrant request, even - // when a duplicate GrantId is returned. All grant tokens for the same grant ID - // can be used interchangeably. + // creation of duplicate grants when retrying this request. + // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. + // + // When this value is absent, all CreateGrant requests result in a new grant with + // a unique GrantId even if all the supplied parameters are identical. This can + // result in unintended duplicates when you retry the CreateGrant request. + // + // When this value is present, you can retry a CreateGrant request with identical + // parameters; if the grant already exists, the original GrantId is returned + // without creating a new grant. Note that the returned grant token is unique with + // every CreateGrant request, even when a duplicate GrantId is returned. All grant + // tokens for the same grant ID can be used interchangeably. Name *string - // The principal that has permission to use the RetireGrant operation to retire - // the grant. To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // of an Amazon Web Services principal. Valid principals include Amazon Web - // Services accounts, IAM users, IAM roles, federated users, and assumed role - // users. 
For help with the ARN syntax for a principal, see IAM ARNs (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - // in the Identity and Access Management User Guide . The grant determines the - // retiring principal. Other principals might have permission to retire the grant - // or revoke the grant. For details, see RevokeGrant and Retiring and revoking - // grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete) - // in the Key Management Service Developer Guide. + // The principal that has permission to use the RetireGrant operation to retire the grant. + // + // To specify the principal, use the [Amazon Resource Name (ARN)] of an Amazon Web Services principal. Valid + // principals include Amazon Web Services accounts, IAM users, IAM roles, federated + // users, and assumed role users. For help with the ARN syntax for a principal, see + // [IAM ARNs]in the Identity and Access Management User Guide . + // + // The grant determines the retiring principal. Other principals might have + // permission to retire the grant or revoke the grant. For details, see RevokeGrantand [Retiring and revoking grants] in + // the Key Management Service Developer Guide. + // + // [IAM ARNs]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns + // [Amazon Resource Name (ARN)]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html + // [Retiring and revoking grants]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete RetiringPrincipal *string noSmithyDocumentSerde 
@@ -168,15 +221,19 @@ type CreateGrantInput struct { type CreateGrantOutput struct { - // The unique identifier for the grant. You can use the GrantId in a ListGrants , - // RetireGrant , or RevokeGrant operation. + // The unique identifier for the grant. + // + // You can use the GrantId in a ListGrants, RetireGrant, or RevokeGrant operation. GrantId *string - // The grant token. Use a grant token when your permission to call this operation - // comes from a new grant that has not yet achieved eventual consistency. For more - // information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - // in the Key Management Service Developer Guide. + // The grant token. + // + // Use a grant token when your permission to call this operation comes from a new + // grant that has not yet achieved eventual consistency. For more information, see [Grant token] + // and [Using a grant token]in the Key Management Service Developer Guide. + // + // [Grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token + // [Using a grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token GrantToken *string // Metadata pertaining to the operation's result. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateKey.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateKey.go index 85bf140354b..8067e00d7d4 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateKey.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_CreateKey.go 
@@ -11,129 +11,173 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Creates a unique customer managed KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys) -// in your Amazon Web Services account and Region. You can use a KMS key in -// cryptographic operations, such as encryption and signing. Some Amazon Web -// Services services let you use KMS keys that you create and manage to protect -// your service resources. A KMS key is a logical representation of a cryptographic -// key. In addition to the key material used in cryptographic operations, a KMS key -// includes metadata, such as the key ID, key policy, creation date, description, -// and key state. For details, see Managing keys (https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html) -// in the Key Management Service Developer Guide Use the parameters of CreateKey -// to specify the type of KMS key, the source of its key material, its key policy, -// description, tags, and other properties. KMS has replaced the term customer -// master key (CMK) with KMS key and KMS key. The concept has not changed. To -// prevent breaking changes, KMS is keeping some variations of this term. To create -// different types of KMS keys, use the following guidance: Symmetric encryption -// KMS key By default, CreateKey creates a symmetric encryption KMS key with key -// material that KMS generates. This is the basic and most widely used type of KMS -// key, and provides the best performance. To create a symmetric encryption KMS -// key, you don't need to specify any parameters. The default value for KeySpec , -// SYMMETRIC_DEFAULT , the default value for KeyUsage , ENCRYPT_DECRYPT , and the -// default value for Origin , AWS_KMS , create a symmetric encryption KMS key with -// KMS key material. 
If you need a key for basic encryption and decryption or you -// are creating a KMS key to protect your resources in an Amazon Web Services -// service, create a symmetric encryption KMS key. The key material in a symmetric -// encryption key never leaves KMS unencrypted. You can use a symmetric encryption -// KMS key to encrypt and decrypt data up to 4,096 bytes, but they are typically -// used to generate data keys and data keys pairs. For details, see GenerateDataKey -// and GenerateDataKeyPair . Asymmetric KMS keys To create an asymmetric KMS key, -// use the KeySpec parameter to specify the type of key material in the KMS key. -// Then, use the KeyUsage parameter to determine whether the KMS key will be used -// to encrypt and decrypt or sign and verify. You can't change these properties -// after the KMS key is created. Asymmetric KMS keys contain an RSA key pair, -// Elliptic Curve (ECC) key pair, or an SM2 key pair (China Regions only). The -// private key in an asymmetric KMS key never leaves KMS unencrypted. However, you -// can use the GetPublicKey operation to download the public key so it can be used -// outside of KMS. KMS keys with RSA or SM2 key pairs can be used to encrypt or -// decrypt data or sign and verify messages (but not both). KMS keys with ECC key -// pairs can be used only to sign and verify messages. For information about -// asymmetric KMS keys, see Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) -// in the Key Management Service Developer Guide. HMAC KMS key To create an HMAC -// KMS key, set the KeySpec parameter to a key spec value for HMAC KMS keys. Then -// set the KeyUsage parameter to GENERATE_VERIFY_MAC . You must set the key usage -// even though GENERATE_VERIFY_MAC is the only valid key usage value for HMAC KMS -// keys. You can't change these properties after the KMS key is created. HMAC KMS -// keys are symmetric keys that never leave KMS unencrypted. 
You can use HMAC keys -// to generate ( GenerateMac ) and verify ( VerifyMac ) HMAC codes for messages up -// to 4096 bytes. Multi-Region primary keys Imported key material To create a -// multi-Region primary key in the local Amazon Web Services Region, use the -// MultiRegion parameter with a value of True . To create a multi-Region replica -// key, that is, a KMS key with the same key ID and key material as a primary key, -// but in a different Amazon Web Services Region, use the ReplicateKey operation. -// To change a replica key to a primary key, and its primary key to a replica key, -// use the UpdatePrimaryRegion operation. You can create multi-Region KMS keys for -// all supported KMS key types: symmetric encryption KMS keys, HMAC KMS keys, -// asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also -// create multi-Region keys with imported key material. However, you can't create -// multi-Region keys in a custom key store. This operation supports multi-Region -// keys, an KMS feature that lets you create multiple interoperable KMS keys in -// different Amazon Web Services Regions. Because these KMS keys have the same key -// ID, key material, and other metadata, you can use them interchangeably to -// encrypt data in one Amazon Web Services Region and decrypt it in a different -// Amazon Web Services Region without re-encrypting the data or making a -// cross-Region call. For more information about multi-Region keys, see -// Multi-Region keys in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) -// in the Key Management Service Developer Guide. To import your own key material -// into a KMS key, begin by creating a KMS key with no key material. To do this, -// use the Origin parameter of CreateKey with a value of EXTERNAL . Next, use -// GetParametersForImport operation to get a public key and import token. Use the -// wrapping public key to encrypt your key material. 
Then, use ImportKeyMaterial -// with your import token to import the key material. For step-by-step -// instructions, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) -// in the Key Management Service Developer Guide . You can import key material into -// KMS keys of all supported KMS key types: symmetric encryption KMS keys, HMAC KMS -// keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can -// also create multi-Region keys with imported key material. However, you can't -// import key material into a KMS key in a custom key store. To create a -// multi-Region primary key with imported key material, use the Origin parameter -// of CreateKey with a value of EXTERNAL and the MultiRegion parameter with a -// value of True . To create replicas of the multi-Region primary key, use the -// ReplicateKey operation. For instructions, see Importing key material into -// multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html) -// . For more information about multi-Region keys, see Multi-Region keys in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) -// in the Key Management Service Developer Guide. Custom key store A custom key -// store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// lets you protect your Amazon Web Services resources using keys in a backing key -// store that you own and manage. When you request a cryptographic operation with a -// KMS key in a custom key store, the operation is performed in the backing key -// store using its cryptographic keys. 
KMS supports CloudHSM key stores (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html) -// backed by an CloudHSM cluster and external key stores (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html) -// backed by an external key manager outside of Amazon Web Services. When you -// create a KMS key in an CloudHSM key store, KMS generates an encryption key in -// the CloudHSM cluster and associates it with the KMS key. When you create a KMS -// key in an external key store, you specify an existing encryption key in the -// external key manager. Some external key managers provide a simpler method for -// creating a KMS key in an external key store. For details, see your external key -// manager documentation. Before you create a KMS key in a custom key store, the -// ConnectionState of the key store must be CONNECTED . To connect the custom key -// store, use the ConnectCustomKeyStore operation. To find the ConnectionState , -// use the DescribeCustomKeyStores operation. To create a KMS key in a custom key -// store, use the CustomKeyStoreId . Use the default KeySpec value, -// SYMMETRIC_DEFAULT , and the default KeyUsage value, ENCRYPT_DECRYPT to create a -// symmetric encryption key. No other key type is supported in a custom key store. -// To create a KMS key in an CloudHSM key store (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html) -// , use the Origin parameter with a value of AWS_CLOUDHSM . The CloudHSM cluster -// that is associated with the custom key store must have at least two active HSMs -// in different Availability Zones in the Amazon Web Services Region. To create a -// KMS key in an external key store (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html) -// , use the Origin parameter with a value of EXTERNAL_KEY_STORE and an XksKeyId -// parameter that identifies an existing external key. 
Some external key managers -// provide a simpler method for creating a KMS key in an external key store. For -// details, see your external key manager documentation. Cross-account use: No. You -// cannot use this operation to create a KMS key in a different Amazon Web Services -// account. Required permissions: kms:CreateKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (IAM policy). To use the Tags parameter, kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (IAM policy). For examples and information about related permissions, see Allow -// a user to create KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key) -// in the Key Management Service Developer Guide. Related operations: -// - DescribeKey -// - ListKeys -// - ScheduleKeyDeletion +// Creates a unique customer managed [KMS key] in your Amazon Web Services account and +// Region. You can use a KMS key in cryptographic operations, such as encryption +// and signing. Some Amazon Web Services services let you use KMS keys that you +// create and manage to protect your service resources. +// +// A KMS key is a logical representation of a cryptographic key. In addition to +// the key material used in cryptographic operations, a KMS key includes metadata, +// such as the key ID, key policy, creation date, description, and key state. For +// details, see [Managing keys]in the Key Management Service Developer Guide +// +// Use the parameters of CreateKey to specify the type of KMS key, the source of +// its key material, its key policy, description, tags, and other properties. +// +// KMS has replaced the term customer master key (CMK) with KMS key and KMS key. +// The concept has not changed. To prevent breaking changes, KMS is keeping some +// variations of this term. 
+// +// To create different types of KMS keys, use the following guidance: +// +// Symmetric encryption KMS key By default, CreateKey creates a symmetric +// encryption KMS key with key material that KMS generates. This is the basic and +// most widely used type of KMS key, and provides the best performance. +// +// To create a symmetric encryption KMS key, you don't need to specify any +// parameters. The default value for KeySpec , SYMMETRIC_DEFAULT , the default +// value for KeyUsage , ENCRYPT_DECRYPT , and the default value for Origin , +// AWS_KMS , create a symmetric encryption KMS key with KMS key material. +// +// If you need a key for basic encryption and decryption or you are creating a KMS +// key to protect your resources in an Amazon Web Services service, create a +// symmetric encryption KMS key. The key material in a symmetric encryption key +// never leaves KMS unencrypted. You can use a symmetric encryption KMS key to +// encrypt and decrypt data up to 4,096 bytes, but they are typically used to +// generate data keys and data keys pairs. For details, see GenerateDataKeyand GenerateDataKeyPair. +// +// Asymmetric KMS keys To create an asymmetric KMS key, use the KeySpec parameter +// to specify the type of key material in the KMS key. Then, use the KeyUsage +// parameter to determine whether the KMS key will be used to encrypt and decrypt +// or sign and verify. You can't change these properties after the KMS key is +// created. +// +// Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or +// an SM2 key pair (China Regions only). The private key in an asymmetric KMS key +// never leaves KMS unencrypted. However, you can use the GetPublicKeyoperation to download +// the public key so it can be used outside of KMS. KMS keys with RSA or SM2 key +// pairs can be used to encrypt or decrypt data or sign and verify messages (but +// not both). KMS keys with ECC key pairs can be used only to sign and verify +// messages. 
For information about asymmetric KMS keys, see [Asymmetric KMS keys]in the Key Management +// Service Developer Guide. +// +// HMAC KMS key To create an HMAC KMS key, set the KeySpec parameter to a key spec +// value for HMAC KMS keys. Then set the KeyUsage parameter to GENERATE_VERIFY_MAC +// . You must set the key usage even though GENERATE_VERIFY_MAC is the only valid +// key usage value for HMAC KMS keys. You can't change these properties after the +// KMS key is created. +// +// HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use +// HMAC keys to generate (GenerateMac ) and verify (VerifyMac ) HMAC codes for messages up to 4096 +// bytes. +// +// Multi-Region primary keys Imported key material To create a multi-Region +// primary key in the local Amazon Web Services Region, use the MultiRegion +// parameter with a value of True . To create a multi-Region replica key, that is, +// a KMS key with the same key ID and key material as a primary key, but in a +// different Amazon Web Services Region, use the ReplicateKeyoperation. To change a replica +// key to a primary key, and its primary key to a replica key, use the UpdatePrimaryRegionoperation. +// +// You can create multi-Region KMS keys for all supported KMS key types: symmetric +// encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and +// asymmetric signing KMS keys. You can also create multi-Region keys with imported +// key material. However, you can't create multi-Region keys in a custom key store. +// +// This operation supports multi-Region keys, an KMS feature that lets you create +// multiple interoperable KMS keys in different Amazon Web Services Regions. +// Because these KMS keys have the same key ID, key material, and other metadata, +// you can use them interchangeably to encrypt data in one Amazon Web Services +// Region and decrypt it in a different Amazon Web Services Region without +// re-encrypting the data or making a cross-Region call. 
For more information about +// multi-Region keys, see [Multi-Region keys in KMS]in the Key Management Service Developer Guide. +// +// To import your own key material into a KMS key, begin by creating a KMS key +// with no key material. To do this, use the Origin parameter of CreateKey with a +// value of EXTERNAL . Next, use GetParametersForImport operation to get a public key and import token. +// Use the wrapping public key to encrypt your key material. Then, use ImportKeyMaterialwith your +// import token to import the key material. For step-by-step instructions, see [Importing Key Material]in +// the Key Management Service Developer Guide . +// +// You can import key material into KMS keys of all supported KMS key types: +// symmetric encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, +// and asymmetric signing KMS keys. You can also create multi-Region keys with +// imported key material. However, you can't import key material into a KMS key in +// a custom key store. +// +// To create a multi-Region primary key with imported key material, use the Origin +// parameter of CreateKey with a value of EXTERNAL and the MultiRegion parameter +// with a value of True . To create replicas of the multi-Region primary key, use +// the ReplicateKeyoperation. For instructions, see [Importing key material into multi-Region keys]. For more information about multi-Region +// keys, see [Multi-Region keys in KMS]in the Key Management Service Developer Guide. +// +// Custom key store A [custom key store] lets you protect your Amazon Web Services resources using +// keys in a backing key store that you own and manage. When you request a +// cryptographic operation with a KMS key in a custom key store, the operation is +// performed in the backing key store using its cryptographic keys. +// +// KMS supports [CloudHSM key stores] backed by an CloudHSM cluster and [external key stores] backed by an external key +// manager outside of Amazon Web Services. 
When you create a KMS key in an CloudHSM +// key store, KMS generates an encryption key in the CloudHSM cluster and +// associates it with the KMS key. When you create a KMS key in an external key +// store, you specify an existing encryption key in the external key manager. +// +// Some external key managers provide a simpler method for creating a KMS key in +// an external key store. For details, see your external key manager documentation. +// +// Before you create a KMS key in a custom key store, the ConnectionState of the +// key store must be CONNECTED . To connect the custom key store, use the ConnectCustomKeyStore +// operation. To find the ConnectionState , use the DescribeCustomKeyStores operation. +// +// To create a KMS key in a custom key store, use the CustomKeyStoreId . Use the +// default KeySpec value, SYMMETRIC_DEFAULT , and the default KeyUsage value, +// ENCRYPT_DECRYPT to create a symmetric encryption key. No other key type is +// supported in a custom key store. +// +// To create a KMS key in an [CloudHSM key store], use the Origin parameter with a value of +// AWS_CLOUDHSM . The CloudHSM cluster that is associated with the custom key store +// must have at least two active HSMs in different Availability Zones in the Amazon +// Web Services Region. +// +// To create a KMS key in an [external key store], use the Origin parameter with a value of +// EXTERNAL_KEY_STORE and an XksKeyId parameter that identifies an existing +// external key. +// +// Some external key managers provide a simpler method for creating a KMS key in +// an external key store. For details, see your external key manager documentation. +// +// Cross-account use: No. You cannot use this operation to create a KMS key in a +// different Amazon Web Services account. +// +// Required permissions: [kms:CreateKey] (IAM policy). To use the Tags parameter, [kms:TagResource] (IAM policy). 
+// For examples and information about related permissions, see [Allow a user to create KMS keys]in the Key +// Management Service Developer Guide. +// +// Related operations: +// +// # DescribeKey +// +// # ListKeys +// +// # ScheduleKeyDeletion // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [CloudHSM key stores]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html +// [external key store]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html +// [external key stores]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html +// [Asymmetric KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html +// [Multi-Region keys in KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html +// [Managing keys]: https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html +// [KMS key]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys +// [Allow a user to create KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [kms:TagResource]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [CloudHSM key store]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html +// [kms:CreateKey]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [Importing key material into multi-Region keys]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html +// 
[Importing Key Material]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html +// [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html func (c *Client) CreateKey(ctx context.Context, params *CreateKeyInput, optFns ...func(*Options)) (*CreateKeyOutput, error) { if params == nil { params = &CreateKeyInput{} 
@@ -152,31 +196,41 @@ func (c *Client) CreateKey(ctx context.Context, params *CreateKeyInput, optFns . type CreateKeyInput struct { // Skips ("bypasses") the key policy lockout safety check. The default value is - // false. Setting this value to true increases the risk that the KMS key becomes - // unmanageable. Do not set this value to true indiscriminately. For more - // information, see Default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) - // in the Key Management Service Developer Guide. Use this parameter only when you - // intend to prevent the principal that is making the request from making a - // subsequent PutKeyPolicy (https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) - // request on the KMS key. + // false. + // + // Setting this value to true increases the risk that the KMS key becomes + // unmanageable. Do not set this value to true indiscriminately. + // + // For more information, see [Default key policy] in the Key Management Service Developer Guide. + // + // Use this parameter only when you intend to prevent the principal that is making + // the request from making a subsequent [PutKeyPolicy]request on the KMS key. + // + // [Default key policy]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key + // [PutKeyPolicy]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html BypassPolicyLockoutSafetyCheck bool - // Creates the KMS key in the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) - // . The ConnectionState of the custom key store must be CONNECTED . To find the - // CustomKeyStoreID and ConnectionState use the DescribeCustomKeyStores operation. + // Creates the KMS key in the specified [custom key store]. The ConnectionState of the custom key + // store must be CONNECTED . 
To find the CustomKeyStoreID and ConnectionState use + // the DescribeCustomKeyStoresoperation. + // // This parameter is valid only for symmetric encryption KMS keys in a single - // Region. You cannot create any other type of KMS key in a custom key store. When - // you create a KMS key in an CloudHSM key store, KMS generates a non-exportable - // 256-bit symmetric key in its associated CloudHSM cluster and associates it with - // the KMS key. When you create a KMS key in an external key store, you must use - // the XksKeyId parameter to specify an external key that serves as key material - // for the KMS key. + // Region. You cannot create any other type of KMS key in a custom key store. + // + // When you create a KMS key in an CloudHSM key store, KMS generates a + // non-exportable 256-bit symmetric key in its associated CloudHSM cluster and + // associates it with the KMS key. When you create a KMS key in an external key + // store, you must use the XksKeyId parameter to specify an external key that + // serves as key material for the KMS key. + // + // [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html CustomKeyStoreId *string - // Instead, use the KeySpec parameter. The KeySpec and CustomerMasterKeySpec - // parameters work the same way. Only the names differ. We recommend that you use - // KeySpec parameter in your code. However, to avoid breaking changes, KMS supports - // both parameters. + // Instead, use the KeySpec parameter. + // + // The KeySpec and CustomerMasterKeySpec parameters work the same way. Only the + // names differ. We recommend that you use KeySpec parameter in your code. + // However, to avoid breaking changes, KMS supports both parameters. // // Deprecated: This parameter has been deprecated. Instead, use the KeySpec // parameter. 
@@ -184,162 +238,232 @@ type CreateKeyInput struct { // A description of the KMS key. Use a description that helps you decide whether // the KMS key is appropriate for a task. The default value is an empty string (no - // description). Do not include confidential or sensitive information in this - // field. This field may be displayed in plaintext in CloudTrail logs and other - // output. To set or change the description after the key is created, use - // UpdateKeyDescription . + // description). + // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. + // + // To set or change the description after the key is created, use UpdateKeyDescription. Description *string // Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT , // creates a KMS key with a 256-bit AES-GCM key that is used for encryption and // decryption, except in China Regions, where it creates a 128-bit symmetric key - // that uses SM4 encryption. For help choosing a key spec for your KMS key, see - // Choosing a KMS key type (https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose) - // in the Key Management Service Developer Guide . The KeySpec determines whether - // the KMS key contains a symmetric key or an asymmetric key pair. It also - // determines the algorithms that the KMS key supports. You can't change the - // KeySpec after the KMS key is created. To further restrict the algorithms that - // can be used with the KMS key, use a condition key in its key policy or IAM - // policy. 
For more information, see kms:EncryptionAlgorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm) - // , kms:MacAlgorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm) - // or kms:Signing Algorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm) - // in the Key Management Service Developer Guide . Amazon Web Services services - // that are integrated with KMS (http://aws.amazon.com/kms/features/#AWS_Service_Integration) - // use symmetric encryption KMS keys to protect your data. These services do not - // support asymmetric KMS keys or HMAC KMS keys. KMS supports the following key - // specs for KMS keys: + // that uses SM4 encryption. For help choosing a key spec for your KMS key, see [Choosing a KMS key type]in + // the Key Management Service Developer Guide . + // + // The KeySpec determines whether the KMS key contains a symmetric key or an + // asymmetric key pair. It also determines the algorithms that the KMS key + // supports. You can't change the KeySpec after the KMS key is created. To further + // restrict the algorithms that can be used with the KMS key, use a condition key + // in its key policy or IAM policy. For more information, see [kms:EncryptionAlgorithm], [kms:MacAlgorithm] or [kms:Signing Algorithm] in the Key + // Management Service Developer Guide . + // + // [Amazon Web Services services that are integrated with KMS]use symmetric encryption KMS keys to protect your data. These services do not + // support asymmetric KMS keys or HMAC KMS keys. 
+ // + // KMS supports the following key specs for KMS keys: + // // - Symmetric encryption key (default) + // // - SYMMETRIC_DEFAULT + // // - HMAC keys (symmetric) + // // - HMAC_224 + // // - HMAC_256 + // // - HMAC_384 + // // - HMAC_512 + // // - Asymmetric RSA key pairs + // // - RSA_2048 + // // - RSA_3072 + // // - RSA_4096 + // // - Asymmetric NIST-recommended elliptic curve key pairs + // // - ECC_NIST_P256 (secp256r1) + // // - ECC_NIST_P384 (secp384r1) + // // - ECC_NIST_P521 (secp521r1) + // // - Other asymmetric elliptic curve key pairs + // // - ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + // // - SM2 key pairs (China Regions only) + // // - SM2 + // + // [kms:EncryptionAlgorithm]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm + // [kms:Signing Algorithm]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm + // [kms:MacAlgorithm]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm + // [Choosing a KMS key type]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose + // [Amazon Web Services services that are integrated with KMS]: http://aws.amazon.com/kms/features/#AWS_Service_Integration KeySpec types.KeySpec - // Determines the cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) - // for which you can use the KMS key. The default value is ENCRYPT_DECRYPT . This - // parameter is optional when you are creating a symmetric encryption KMS key; - // otherwise, it is required. You can't change the KeyUsage value after the KMS - // key is created. Select only one valid value. + // Determines the [cryptographic operations] for which you can use the KMS key. The default value is + // ENCRYPT_DECRYPT . 
This parameter is optional when you are creating a symmetric + // encryption KMS key; otherwise, it is required. You can't change the KeyUsage + // value after the KMS key is created. + // + // Select only one valid value. + // // - For symmetric encryption KMS keys, omit the parameter or specify // ENCRYPT_DECRYPT . + // // - For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC . + // // - For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT or // SIGN_VERIFY . + // // - For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY . + // // - For asymmetric KMS keys with SM2 key material (China Regions only), specify // ENCRYPT_DECRYPT or SIGN_VERIFY . + // + // [cryptographic operations]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations KeyUsage types.KeyUsageType // Creates a multi-Region primary key that you can replicate into other Amazon Web - // Services Regions. You cannot change this value after you create the KMS key. For - // a multi-Region key, set this parameter to True . For a single-Region KMS key, - // omit this parameter or set it to False . The default value is False . This - // operation supports multi-Region keys, an KMS feature that lets you create + // Services Regions. You cannot change this value after you create the KMS key. + // + // For a multi-Region key, set this parameter to True . For a single-Region KMS + // key, omit this parameter or set it to False . The default value is False . + // + // This operation supports multi-Region keys, an KMS feature that lets you create // multiple interoperable KMS keys in different Amazon Web Services Regions. // Because these KMS keys have the same key ID, key material, and other metadata, // you can use them interchangeably to encrypt data in one Amazon Web Services // Region and decrypt it in a different Amazon Web Services Region without // re-encrypting the data or making a cross-Region call. 
For more information about - // multi-Region keys, see Multi-Region keys in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) - // in the Key Management Service Developer Guide. This value creates a primary key, - // not a replica. To create a replica key, use the ReplicateKey operation. You can - // create a symmetric or asymmetric multi-Region key, and you can create a + // multi-Region keys, see [Multi-Region keys in KMS]in the Key Management Service Developer Guide. + // + // This value creates a primary key, not a replica. To create a replica key, use + // the ReplicateKeyoperation. + // + // You can create a symmetric or asymmetric multi-Region key, and you can create a // multi-Region key with imported key material. However, you cannot create a // multi-Region key in a custom key store. + // + // [Multi-Region keys in KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html MultiRegion *bool // The source of the key material for the KMS key. You cannot change the origin // after you create the KMS key. The default is AWS_KMS , which means that KMS - // creates the key material. To create a KMS key with no key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html) - // (for imported key material), set this value to EXTERNAL . For more information - // about importing key material into KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) - // in the Key Management Service Developer Guide. The EXTERNAL origin value is - // valid only for symmetric KMS keys. To create a KMS key in an CloudHSM key store (https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html) - // and create its key material in the associated CloudHSM cluster, set this value - // to AWS_CLOUDHSM . You must also use the CustomKeyStoreId parameter to identify - // the CloudHSM key store. 
The KeySpec value must be SYMMETRIC_DEFAULT . To create - // a KMS key in an external key store (https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html) - // , set this value to EXTERNAL_KEY_STORE . You must also use the CustomKeyStoreId - // parameter to identify the external key store and the XksKeyId parameter to - // identify the associated external key. The KeySpec value must be + // creates the key material. + // + // To [create a KMS key with no key material] (for imported key material), set this value to EXTERNAL . For more + // information about importing key material into KMS, see [Importing Key Material]in the Key Management + // Service Developer Guide. The EXTERNAL origin value is valid only for symmetric + // KMS keys. + // + // To [create a KMS key in an CloudHSM key store] and create its key material in the associated CloudHSM cluster, set this + // value to AWS_CLOUDHSM . You must also use the CustomKeyStoreId parameter to + // identify the CloudHSM key store. The KeySpec value must be SYMMETRIC_DEFAULT . + // + // To [create a KMS key in an external key store], set this value to EXTERNAL_KEY_STORE . You must also use the + // CustomKeyStoreId parameter to identify the external key store and the XksKeyId + // parameter to identify the associated external key. The KeySpec value must be // SYMMETRIC_DEFAULT . + // + // [create a KMS key in an external key store]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html + // [create a KMS key in an CloudHSM key store]: https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html + // [Importing Key Material]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html + // [create a KMS key with no key material]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html Origin types.OriginType - // The key policy to attach to the KMS key. 
If you provide a key policy, it must - // meet the following criteria: + // The key policy to attach to the KMS key. + // + // If you provide a key policy, it must meet the following criteria: + // // - The key policy must allow the calling principal to make a subsequent // PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key - // becomes unmanageable. For more information, see Default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) - // in the Key Management Service Developer Guide. (To omit this condition, set - // BypassPolicyLockoutSafetyCheck to true.) + // becomes unmanageable. For more information, see [Default key policy]in the Key Management Service + // Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck + // to true.) + // // - Each statement in the key policy must contain one or more principals. The // principals in the key policy must exist and be visible to KMS. When you create a // new Amazon Web Services principal, you might need to enforce a delay before // including the new principal in a key policy because the new principal might not - // be immediately visible to KMS. For more information, see Changes that I make - // are not always immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) - // in the Amazon Web Services Identity and Access Management User Guide. + // be immediately visible to KMS. For more information, see [Changes that I make are not always immediately visible]in the Amazon Web + // Services Identity and Access Management User Guide. + // // If you do not provide a key policy, KMS attaches a default key policy to the - // KMS key. For more information, see Default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) - // in the Key Management Service Developer Guide. 
The key policy size quota is 32 - // kilobytes (32768 bytes). For help writing and formatting a JSON policy document, - // see the IAM JSON Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) - // in the Identity and Access Management User Guide . + // KMS key. For more information, see [Default key policy]in the Key Management Service Developer + // Guide. + // + // The key policy size quota is 32 kilobytes (32768 bytes). + // + // For help writing and formatting a JSON policy document, see the [IAM JSON Policy Reference] in the + // Identity and Access Management User Guide . + // + // [IAM JSON Policy Reference]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html + // [Default key policy]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default + // [Changes that I make are not always immediately visible]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency Policy *string // Assigns one or more tags to the KMS key. Use this parameter to tag the KMS key - // when it is created. To tag an existing KMS key, use the TagResource operation. + // when it is created. To tag an existing KMS key, use the TagResourceoperation. + // // Do not include confidential or sensitive information in this field. This field - // may be displayed in plaintext in CloudTrail logs and other output. Tagging or - // untagging a KMS key can allow or deny permission to the KMS key. For details, - // see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) - // in the Key Management Service Developer Guide. To use this parameter, you must - // have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) - // permission in an IAM policy. Each tag consists of a tag key and a tag value. 
- // Both the tag key and the tag value are required, but the tag value can be an - // empty (null) string. You cannot have more than one tag on a KMS key with the - // same tag key. If you specify an existing tag key with a different tag value, KMS - // replaces the current tag value with the specified one. When you add tags to an - // Amazon Web Services resource, Amazon Web Services generates a cost allocation - // report with usage and costs aggregated by tags. Tags can also be used to control - // access to a KMS key. For details, see Tagging Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html) - // . + // may be displayed in plaintext in CloudTrail logs and other output. + // + // Tagging or untagging a KMS key can allow or deny permission to the KMS key. For + // details, see [ABAC for KMS]in the Key Management Service Developer Guide. + // + // To use this parameter, you must have [kms:TagResource] permission in an IAM policy. + // + // Each tag consists of a tag key and a tag value. Both the tag key and the tag + // value are required, but the tag value can be an empty (null) string. You cannot + // have more than one tag on a KMS key with the same tag key. If you specify an + // existing tag key with a different tag value, KMS replaces the current tag value + // with the specified one. + // + // When you add tags to an Amazon Web Services resource, Amazon Web Services + // generates a cost allocation report with usage and costs aggregated by tags. Tags + // can also be used to control access to a KMS key. For details, see [Tagging Keys]. 
+ // + // [kms:TagResource]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html + // [Tagging Keys]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html + // [ABAC for KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html Tags []types.Tag - // Identifies the external key (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key) - // that serves as key material for the KMS key in an external key store (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html) - // . Specify the ID that the external key store proxy (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxy) - // uses to refer to the external key. For help, see the documentation for your - // external key store proxy. This parameter is required for a KMS key with an - // Origin value of EXTERNAL_KEY_STORE . It is not valid for KMS keys with any other - // Origin value. The external key must be an existing 256-bit AES symmetric - // encryption key hosted outside of Amazon Web Services in an external key manager - // associated with the external key store specified by the CustomKeyStoreId - // parameter. This key must be enabled and configured to perform encryption and - // decryption. Each KMS key in an external key store must use a different external - // key. For details, see Requirements for a KMS key in an external key store (https://docs.aws.amazon.com/create-xks-keys.html#xks-key-requirements) - // in the Key Management Service Developer Guide. Each KMS key in an external key - // store is associated two backing keys. One is key material that KMS generates. - // The other is the external key specified by this parameter. 
When you use the KMS - // key in an external key store to encrypt data, the encryption operation is - // performed first by KMS using the KMS key material, and then by the external key - // manager using the specified external key, a process known as double encryption. - // For details, see Double encryption (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryption) - // in the Key Management Service Developer Guide. + // Identifies the [external key] that serves as key material for the KMS key in an [external key store]. Specify the + // ID that the [external key store proxy]uses to refer to the external key. For help, see the documentation + // for your external key store proxy. + // + // This parameter is required for a KMS key with an Origin value of + // EXTERNAL_KEY_STORE . It is not valid for KMS keys with any other Origin value. + // + // The external key must be an existing 256-bit AES symmetric encryption key + // hosted outside of Amazon Web Services in an external key manager associated with + // the external key store specified by the CustomKeyStoreId parameter. This key + // must be enabled and configured to perform encryption and decryption. Each KMS + // key in an external key store must use a different external key. For details, see + // [Requirements for a KMS key in an external key store]in the Key Management Service Developer Guide. + // + // Each KMS key in an external key store is associated two backing keys. One is + // key material that KMS generates. The other is the external key specified by this + // parameter. When you use the KMS key in an external key store to encrypt data, + // the encryption operation is performed first by KMS using the KMS key material, + // and then by the external key manager using the specified external key, a process + // known as double encryption. For details, see [Double encryption]in the Key Management Service + // Developer Guide. 
+ // + // [external key store]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html + // [Double encryption]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryption + // [external key]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key + // [Requirements for a KMS key in an external key store]: https://docs.aws.amazon.com/create-xks-keys.html#xks-key-requirements + // [external key store proxy]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxy XksKeyId *string noSmithyDocumentSerde diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Decrypt.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Decrypt.go index 202bce68cf8..0eec0c26e40 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Decrypt.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Decrypt.go 
@@ -13,24 +13,29 @@ import ( // Decrypts ciphertext that was encrypted by a KMS key using any of the following // operations: -// - Encrypt -// - GenerateDataKey -// - GenerateDataKeyPair -// - GenerateDataKeyWithoutPlaintext -// - GenerateDataKeyPairWithoutPlaintext +// +// # Encrypt +// +// # GenerateDataKey +// +// # GenerateDataKeyPair +// +// # GenerateDataKeyWithoutPlaintext +// +// # GenerateDataKeyPairWithoutPlaintext // // You can use this operation to decrypt ciphertext that was encrypted under a // symmetric encryption KMS key or an asymmetric encryption KMS key. When the KMS // key is asymmetric, you must specify the KMS key and the encryption algorithm // that was used to encrypt the ciphertext. For information about asymmetric KMS -// keys, see Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) -// in the Key Management Service Developer Guide. The Decrypt operation also -// decrypts ciphertext that was encrypted outside of KMS by the public key in an -// KMS asymmetric KMS key. However, it cannot decrypt symmetric ciphertext produced -// by other libraries, such as the Amazon Web Services Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/) -// or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html) -// . These libraries return a ciphertext format that is incompatible with KMS. If -// the ciphertext was encrypted under a symmetric encryption KMS key, the KeyId +// keys, see [Asymmetric KMS keys]in the Key Management Service Developer Guide. +// +// The Decrypt operation also decrypts ciphertext that was encrypted outside of +// KMS by the public key in an KMS asymmetric KMS key. However, it cannot decrypt +// symmetric ciphertext produced by other libraries, such as the [Amazon Web Services Encryption SDK]or [Amazon S3 client-side encryption]. 
These +// libraries return a ciphertext format that is incompatible with KMS. +// +// If the ciphertext was encrypted under a symmetric encryption KMS key, the KeyId // parameter is optional. KMS can get this information from metadata that it adds // to the symmetric ciphertext blob. This feature adds durability to your // implementation by ensuring that authorized users can decrypt ciphertext decades 
@@ -39,40 +44,57 @@ import ( // the KeyId parameter to specify a KMS key, KMS only uses the KMS key you // specify. If the ciphertext was encrypted under a different KMS key, the Decrypt // operation fails. This practice ensures that you use the KMS key that you intend. +// // Whenever possible, use key policies to give users permission to call the Decrypt // operation on a particular KMS key, instead of using &IAM; policies. Otherwise, // you might create an &IAM; policy that gives the user Decrypt permission on all // KMS keys. This user could decrypt ciphertext that was encrypted by KMS keys in // other accounts if the key policy for the cross-account KMS key permits it. If // you must use an IAM policy for Decrypt permissions, limit the user to -// particular KMS keys or particular trusted accounts. For details, see Best -// practices for IAM policies (https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices) -// in the Key Management Service Developer Guide. Decrypt also supports Amazon Web -// Services Nitro Enclaves (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html) -// , which provide an isolated compute environment in Amazon EC2. To call Decrypt -// for a Nitro enclave, use the Amazon Web Services Nitro Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk) -// or any Amazon Web Services SDK. Use the Recipient parameter to provide the -// attestation document for the enclave. Instead of the plaintext data, the -// response includes the plaintext data encrypted with the public key from the -// attestation document ( CiphertextForRecipient ). For information about the -// interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon -// Web Services Nitro Enclaves uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html) -// in the Key Management Service Developer Guide. 
The KMS key that you use for this -// operation must be in a compatible key state. For details, see Key states of KMS -// keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in -// the Key Management Service Developer Guide. Cross-account use: Yes. If you use -// the KeyId parameter to identify a KMS key in a different Amazon Web Services -// account, specify the key ARN or the alias ARN of the KMS key. Required -// permissions: kms:Decrypt (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - Encrypt -// - GenerateDataKey -// - GenerateDataKeyPair -// - ReEncrypt +// particular KMS keys or particular trusted accounts. For details, see [Best practices for IAM policies]in the Key +// Management Service Developer Guide. +// +// Decrypt also supports [Amazon Web Services Nitro Enclaves], which provide an isolated compute environment in Amazon +// EC2. To call Decrypt for a Nitro enclave, use the [Amazon Web Services Nitro Enclaves SDK] or any Amazon Web Services +// SDK. Use the Recipient parameter to provide the attestation document for the +// enclave. Instead of the plaintext data, the response includes the plaintext data +// encrypted with the public key from the attestation document ( +// CiphertextForRecipient ). For information about the interaction between KMS and +// Amazon Web Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves uses KMS]in the Key Management Service Developer +// Guide. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: Yes. If you use the KeyId parameter to identify a KMS key in +// a different Amazon Web Services account, specify the key ARN or the alias ARN of +// the KMS key. 
+// +// Required permissions: [kms:Decrypt] (key policy) +// +// Related operations: +// +// # Encrypt +// +// # GenerateDataKey +// +// # GenerateDataKeyPair +// +// # ReEncrypt // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [Amazon Web Services Encryption SDK]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/ +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [kms:Decrypt]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [Asymmetric KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html +// [Amazon Web Services Nitro Enclaves]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html +// [Amazon S3 client-side encryption]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html +// [Best practices for IAM policies]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices +// [How Amazon Web Services Nitro Enclaves uses KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [Amazon Web Services Nitro Enclaves SDK]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk func (c *Client) Decrypt(ctx context.Context, params *DecryptInput, optFns ...func(*Options)) (*DecryptOutput, error) { if params == nil { params = &DecryptInput{} 
@@ -95,74 +117,103 @@ type DecryptInput struct { // This member is required. CiphertextBlob []byte - // Checks if your request will succeed. DryRun is an optional parameter. To learn - // more about how to use this parameter, see Testing your KMS API calls (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html) - // in the Key Management Service Developer Guide. + // Checks if your request will succeed. DryRun is an optional parameter. + // + // To learn more about how to use this parameter, see [Testing your KMS API calls] in the Key Management + // Service Developer Guide. + // + // [Testing your KMS API calls]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html DryRun *bool // Specifies the encryption algorithm that will be used to decrypt the ciphertext. // Specify the same algorithm that was used to encrypt the data. If you specify a - // different algorithm, the Decrypt operation fails. This parameter is required - // only when the ciphertext was encrypted under an asymmetric KMS key. The default - // value, SYMMETRIC_DEFAULT , represents the only supported algorithm that is valid - // for symmetric encryption KMS keys. + // different algorithm, the Decrypt operation fails. + // + // This parameter is required only when the ciphertext was encrypted under an + // asymmetric KMS key. The default value, SYMMETRIC_DEFAULT , represents the only + // supported algorithm that is valid for symmetric encryption KMS keys. EncryptionAlgorithm types.EncryptionAlgorithmSpec // Specifies the encryption context to use when decrypting the data. An encryption - // context is valid only for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) - // with a symmetric encryption KMS key. The standard asymmetric encryption - // algorithms and HMAC algorithms that KMS uses do not support an encryption - // context. 
An encryption context is a collection of non-secret key-value pairs - // that represent additional authenticated data. When you use an encryption context - // to encrypt data, you must specify the same (an exact case-sensitive match) + // context is valid only for [cryptographic operations]with a symmetric encryption KMS key. The standard + // asymmetric encryption algorithms and HMAC algorithms that KMS uses do not + // support an encryption context. + // + // An encryption context is a collection of non-secret key-value pairs that + // represent additional authenticated data. When you use an encryption context to + // encrypt data, you must specify the same (an exact case-sensitive match) // encryption context to decrypt the data. An encryption context is supported only // on operations with symmetric encryption KMS keys. On operations with symmetric // encryption KMS keys, an encryption context is optional, but it is strongly - // recommended. For more information, see Encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the Key Management Service Developer Guide. + // recommended. + // + // For more information, see [Encryption context] in the Key Management Service Developer Guide. + // + // [cryptographic operations]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations + // [Encryption context]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context EncryptionContext map[string]string - // A list of grant tokens. Use a grant token when your permission to call this - // operation comes from a new grant that has not yet achieved eventual consistency. 
- // For more information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - // in the Key Management Service Developer Guide. + // A list of grant tokens. + // + // Use a grant token when your permission to call this operation comes from a new + // grant that has not yet achieved eventual consistency. For more information, see [Grant token] + // and [Using a grant token]in the Key Management Service Developer Guide. + // + // [Grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token + // [Using a grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token GrantTokens []string - // Specifies the KMS key that KMS uses to decrypt the ciphertext. Enter a key ID - // of the KMS key that was used to encrypt the ciphertext. If you identify a - // different KMS key, the Decrypt operation throws an IncorrectKeyException . This - // parameter is required only when the ciphertext was encrypted under an asymmetric - // KMS key. If you used a symmetric encryption KMS key, KMS can get the KMS key - // from metadata that it adds to the symmetric ciphertext blob. However, it is - // always recommended as a best practice. This practice ensures that you use the - // KMS key that you intend. To specify a KMS key, use its key ID, key ARN, alias - // name, or alias ARN. When using an alias name, prefix it with "alias/" . To - // specify a KMS key in a different Amazon Web Services account, you must use the - // key ARN or alias ARN. For example: + // Specifies the KMS key that KMS uses to decrypt the ciphertext. + // + // Enter a key ID of the KMS key that was used to encrypt the ciphertext. If you + // identify a different KMS key, the Decrypt operation throws an + // IncorrectKeyException . 
+ // + // This parameter is required only when the ciphertext was encrypted under an + // asymmetric KMS key. If you used a symmetric encryption KMS key, KMS can get the + // KMS key from metadata that it adds to the symmetric ciphertext blob. However, it + // is always recommended as a best practice. This practice ensures that you use the + // KMS key that you intend. + // + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/" . To specify a KMS key in a + // different Amazon Web Services account, you must use the key ARN or alias ARN. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // // - Alias name: alias/ExampleAlias + // // - Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . To - // get the alias name and alias ARN, use ListAliases . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name + // and alias ARN, use ListAliases. KeyId *string - // A signed attestation document (https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-attestdoc) - // from an Amazon Web Services Nitro enclave and the encryption algorithm to use - // with the enclave's public key. The only valid encryption algorithm is - // RSAES_OAEP_SHA_256 . This parameter only supports attestation documents for - // Amazon Web Services Nitro Enclaves. To include this parameter, use the Amazon - // Web Services Nitro Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk) - // or any Amazon Web Services SDK. 
When you use this parameter, instead of - // returning the plaintext data, KMS encrypts the plaintext data with the public - // key in the attestation document, and returns the resulting ciphertext in the - // CiphertextForRecipient field in the response. This ciphertext can be decrypted - // only with the private key in the enclave. The Plaintext field in the response - // is null or empty. For information about the interaction between KMS and Amazon - // Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html) - // in the Key Management Service Developer Guide. + // A signed [attestation document] from an Amazon Web Services Nitro enclave and the encryption + // algorithm to use with the enclave's public key. The only valid encryption + // algorithm is RSAES_OAEP_SHA_256 . + // + // This parameter only supports attestation documents for Amazon Web Services + // Nitro Enclaves. To include this parameter, use the [Amazon Web Services Nitro Enclaves SDK]or any Amazon Web Services + // SDK. + // + // When you use this parameter, instead of returning the plaintext data, KMS + // encrypts the plaintext data with the public key in the attestation document, and + // returns the resulting ciphertext in the CiphertextForRecipient field in the + // response. This ciphertext can be decrypted only with the private key in the + // enclave. The Plaintext field in the response is null or empty. + // + // For information about the interaction between KMS and Amazon Web Services Nitro + // Enclaves, see [How Amazon Web Services Nitro Enclaves uses KMS]in the Key Management Service Developer Guide. 
+ // + // [attestation document]: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-attestdoc + // [How Amazon Web Services Nitro Enclaves uses KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html + // [Amazon Web Services Nitro Enclaves SDK]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk Recipient *types.RecipientInfo noSmithyDocumentSerde 
@@ -171,24 +222,29 @@ type DecryptInput struct { type DecryptOutput struct { // The plaintext data encrypted with the public key in the attestation document. + // // This field is included in the response only when the Recipient parameter in the // request includes a valid attestation document from an Amazon Web Services Nitro // enclave. For information about the interaction between KMS and Amazon Web - // Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html) - // in the Key Management Service Developer Guide. + // Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves uses KMS]in the Key Management Service Developer Guide. + // + // [How Amazon Web Services Nitro Enclaves uses KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html CiphertextForRecipient []byte // The encryption algorithm that was used to decrypt the ciphertext. EncryptionAlgorithm types.EncryptionAlgorithmSpec - // The Amazon Resource Name ( key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) - // ) of the KMS key that was used to decrypt the ciphertext. + // The Amazon Resource Name ([key ARN] ) of the KMS key that was used to decrypt the + // ciphertext. + // + // [key ARN]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN KeyId *string // Decrypted plaintext data. When you use the HTTP API or the Amazon Web Services - // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. If the - // response includes the CiphertextForRecipient field, the Plaintext field is null - // or empty. + // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. + // + // If the response includes the CiphertextForRecipient field, the Plaintext field + // is null or empty. Plaintext []byte // Metadata pertaining to the operation's result. 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DeleteAlias.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DeleteAlias.go index 5f611dd9dcb..06b4062b05a 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DeleteAlias.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DeleteAlias.go 
@@ -10,31 +10,48 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Deletes the specified alias. Adding, deleting, or updating an alias can allow -// or deny permission to the KMS key. For details, see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) -// in the Key Management Service Developer Guide. Because an alias is not a -// property of a KMS key, you can delete and change the aliases of a KMS key -// without affecting the KMS key. Also, aliases do not appear in the response from -// the DescribeKey operation. To get the aliases of all KMS keys, use the -// ListAliases operation. Each KMS key can have multiple aliases. To change the -// alias of a KMS key, use DeleteAlias to delete the current alias and CreateAlias -// to create a new alias. To associate an existing alias with a different KMS key, -// call UpdateAlias . Cross-account use: No. You cannot perform this operation on -// an alias in a different Amazon Web Services account. Required permissions -// - kms:DeleteAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// on the alias (IAM policy). -// - kms:DeleteAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// on the KMS key (key policy). +// Deletes the specified alias. // -// For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access) -// in the Key Management Service Developer Guide. Related operations: -// - CreateAlias -// - ListAliases -// - UpdateAlias +// Adding, deleting, or updating an alias can allow or deny permission to the KMS +// key. For details, see [ABAC for KMS]in the Key Management Service Developer Guide. +// +// Because an alias is not a property of a KMS key, you can delete and change the +// aliases of a KMS key without affecting the KMS key. 
Also, aliases do not appear +// in the response from the DescribeKeyoperation. To get the aliases of all KMS keys, use the ListAliases +// operation. +// +// Each KMS key can have multiple aliases. To change the alias of a KMS key, use DeleteAlias +// to delete the current alias and CreateAliasto create a new alias. To associate an existing +// alias with a different KMS key, call UpdateAlias. +// +// Cross-account use: No. You cannot perform this operation on an alias in a +// different Amazon Web Services account. +// +// # Required permissions +// +// [kms:DeleteAlias] +// - on the alias (IAM policy). +// +// [kms:DeleteAlias] +// - on the KMS key (key policy). +// +// For details, see [Controlling access to aliases] in the Key Management Service Developer Guide. +// +// Related operations: +// +// # CreateAlias +// +// # ListAliases +// +// # UpdateAlias // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [ABAC for KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html +// [kms:DeleteAlias]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [Controlling access to aliases]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access func (c *Client) DeleteAlias(ctx context.Context, params *DeleteAliasInput, optFns ...func(*Options)) (*DeleteAliasOutput, error) { if params == nil { params = &DeleteAliasInput{} diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DeleteCustomKeyStore.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DeleteCustomKeyStore.go index a6711c6f1c8..14ee592460f 100644 
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DeleteCustomKeyStore.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DeleteCustomKeyStore.go 
@@ -10,45 +10,65 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Deletes a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// . This operation does not affect any backing elements of the custom key store. -// It does not delete the CloudHSM cluster that is associated with an CloudHSM key -// store, or affect any users or keys in the cluster. For an external key store, it -// does not affect the external key store proxy, external key manager, or any -// external keys. This operation is part of the custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// feature in KMS, which combines the convenience and extensive integration of KMS -// with the isolation and control of a key store that you own and manage. The -// custom key store that you delete cannot contain any KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys) -// . Before deleting the key store, verify that you will never need to use any of -// the KMS keys in the key store for any cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) -// . Then, use ScheduleKeyDeletion to delete the KMS keys from the key store. -// After the required waiting period expires and all KMS keys are deleted from the -// custom key store, use DisconnectCustomKeyStore to disconnect the key store from -// KMS. Then, you can delete the custom key store. For keys in an CloudHSM key -// store, the ScheduleKeyDeletion operation makes a best effort to delete the key -// material from the associated cluster. However, you might need to manually -// delete the orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key) -// from the cluster and its backups. 
KMS never creates, manages, or deletes -// cryptographic keys in the external key manager associated with an external key -// store. You must manage them using your external key manager tools. Instead of -// deleting the custom key store, consider using the DisconnectCustomKeyStore -// operation to disconnect the custom key store from its backing key store. While -// the key store is disconnected, you cannot create or use the KMS keys in the key -// store. But, you do not need to delete KMS keys and you can reconnect a -// disconnected custom key store at any time. If the operation succeeds, it returns -// a JSON object with no properties. Cross-account use: No. You cannot perform this -// operation on a custom key store in a different Amazon Web Services account. -// Required permissions: kms:DeleteCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (IAM policy) Related operations: -// - ConnectCustomKeyStore -// - CreateCustomKeyStore -// - DescribeCustomKeyStores -// - DisconnectCustomKeyStore -// - UpdateCustomKeyStore +// Deletes a [custom key store]. This operation does not affect any backing elements of the custom +// key store. It does not delete the CloudHSM cluster that is associated with an +// CloudHSM key store, or affect any users or keys in the cluster. For an external +// key store, it does not affect the external key store proxy, external key +// manager, or any external keys. +// +// This operation is part of the [custom key stores] feature in KMS, which combines the convenience +// and extensive integration of KMS with the isolation and control of a key store +// that you own and manage. +// +// The custom key store that you delete cannot contain any [KMS keys]. Before deleting the +// key store, verify that you will never need to use any of the KMS keys in the key +// store for any [cryptographic operations]. Then, use ScheduleKeyDeletion to delete the KMS keys from the key store. 
After the +// required waiting period expires and all KMS keys are deleted from the custom key +// store, use DisconnectCustomKeyStoreto disconnect the key store from KMS. Then, you can delete the +// custom key store. +// +// For keys in an CloudHSM key store, the ScheduleKeyDeletion operation makes a +// best effort to delete the key material from the associated cluster. However, you +// might need to manually [delete the orphaned key material]from the cluster and its backups. KMS never creates, +// manages, or deletes cryptographic keys in the external key manager associated +// with an external key store. You must manage them using your external key manager +// tools. +// +// Instead of deleting the custom key store, consider using the DisconnectCustomKeyStore operation to +// disconnect the custom key store from its backing key store. While the key store +// is disconnected, you cannot create or use the KMS keys in the key store. But, +// you do not need to delete KMS keys and you can reconnect a disconnected custom +// key store at any time. +// +// If the operation succeeds, it returns a JSON object with no properties. +// +// Cross-account use: No. You cannot perform this operation on a custom key store +// in a different Amazon Web Services account. +// +// Required permissions: [kms:DeleteCustomKeyStore] (IAM policy) +// +// Related operations: +// +// # ConnectCustomKeyStore +// +// # CreateCustomKeyStore +// +// # DescribeCustomKeyStores +// +// # DisconnectCustomKeyStore +// +// # UpdateCustomKeyStore // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. 
+// +// [delete the orphaned key material]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key +// [custom key stores]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html +// [kms:DeleteCustomKeyStore]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [cryptographic operations]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations +// [KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html func (c *Client) DeleteCustomKeyStore(ctx context.Context, params *DeleteCustomKeyStoreInput, optFns ...func(*Options)) (*DeleteCustomKeyStoreOutput, error) { if params == nil { params = &DeleteCustomKeyStoreInput{} @@ -67,7 +87,7 @@ func (c *Client) DeleteCustomKeyStore(ctx context.Context, params *DeleteCustomK type DeleteCustomKeyStoreInput struct { // Enter the ID of the custom key store you want to delete. To find the ID of a - // custom key store, use the DescribeCustomKeyStores operation. + // custom key store, use the DescribeCustomKeyStoresoperation. // // This member is required. CustomKeyStoreId *string diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DeleteImportedKeyMaterial.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DeleteImportedKeyMaterial.go index 26ac0a15152..f6e1d71c0fd 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DeleteImportedKeyMaterial.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DeleteImportedKeyMaterial.go 
@@ -13,22 +13,33 @@ import ( // Deletes key material that was previously imported. This operation makes the // specified KMS key temporarily unusable. To restore the usability of the KMS key, // reimport the same key material. For more information about importing key -// material into KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) -// in the Key Management Service Developer Guide. When the specified KMS key is in -// the PendingDeletion state, this operation does not change the KMS key's state. -// Otherwise, it changes the KMS key's state to PendingImport . The KMS key that -// you use for this operation must be in a compatible key state. For details, see -// Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on a KMS key in a different Amazon Web Services account. -// Required permissions: kms:DeleteImportedKeyMaterial (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - GetParametersForImport -// - ImportKeyMaterial +// material into KMS, see [Importing Key Material]in the Key Management Service Developer Guide. +// +// When the specified KMS key is in the PendingDeletion state, this operation does +// not change the KMS key's state. Otherwise, it changes the KMS key's state to +// PendingImport . +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. 
+// +// Required permissions: [kms:DeleteImportedKeyMaterial] (key policy) +// +// Related operations: +// +// # GetParametersForImport +// +// # ImportKeyMaterial // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [kms:DeleteImportedKeyMaterial]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [Importing Key Material]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) DeleteImportedKeyMaterial(ctx context.Context, params *DeleteImportedKeyMaterialInput, optFns ...func(*Options)) (*DeleteImportedKeyMaterialOutput, error) { if params == nil { params = &DeleteImportedKeyMaterialInput{} @@ -47,12 +58,18 @@ func (c *Client) DeleteImportedKeyMaterial(ctx context.Context, params *DeleteIm type DeleteImportedKeyMaterialInput struct { // Identifies the KMS key from which you are deleting imported key material. The - // Origin of the KMS key must be EXTERNAL . Specify the key ID or key ARN of the - // KMS key. For example: + // Origin of the KMS key must be EXTERNAL . + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DescribeCustomKeyStores.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DescribeCustomKeyStores.go index 3204174c2f0..1dc1b384dc8 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DescribeCustomKeyStores.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DescribeCustomKeyStores.go 
@@ -11,44 +11,61 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Gets information about custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// in the account and Region. This operation is part of the custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// feature in KMS, which combines the convenience and extensive integration of KMS -// with the isolation and control of a key store that you own and manage. By -// default, this operation returns information about all custom key stores in the -// account and Region. To get only information about a particular custom key store, -// use either the CustomKeyStoreName or CustomKeyStoreId parameter (but not both). +// Gets information about [custom key stores] in the account and Region. +// +// This operation is part of the [custom key stores] feature in KMS, which combines the convenience +// and extensive integration of KMS with the isolation and control of a key store +// that you own and manage. +// +// By default, this operation returns information about all custom key stores in +// the account and Region. To get only information about a particular custom key +// store, use either the CustomKeyStoreName or CustomKeyStoreId parameter (but not +// both). +// // To determine whether the custom key store is connected to its CloudHSM cluster // or external key store proxy, use the ConnectionState element in the response. // If an attempt to connect the custom key store failed, the ConnectionState value // is FAILED and the ConnectionErrorCode element in the response indicates the -// cause of the failure. For help interpreting the ConnectionErrorCode , see -// CustomKeyStoresListEntry . Custom key stores have a DISCONNECTED connection -// state if the key store has never been connected or you used the -// DisconnectCustomKeyStore operation to disconnect it. 
Otherwise, the connection -// state is CONNECTED. If your custom key store connection state is CONNECTED but -// you are having trouble using it, verify that the backing store is active and -// available. For an CloudHSM key store, verify that the associated CloudHSM -// cluster is active and contains the minimum number of HSMs required for the -// operation, if any. For an external key store, verify that the external key store -// proxy and its associated external key manager are reachable and enabled. For -// help repairing your CloudHSM key store, see the Troubleshooting CloudHSM key -// stores (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) -// . For help repairing your external key store, see the Troubleshooting external -// key stores (https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html) -// . Both topics are in the Key Management Service Developer Guide. Cross-account -// use: No. You cannot perform this operation on a custom key store in a different -// Amazon Web Services account. Required permissions: kms:DescribeCustomKeyStores (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (IAM policy) Related operations: -// - ConnectCustomKeyStore -// - CreateCustomKeyStore -// - DeleteCustomKeyStore -// - DisconnectCustomKeyStore -// - UpdateCustomKeyStore +// cause of the failure. For help interpreting the ConnectionErrorCode , see CustomKeyStoresListEntry. +// +// Custom key stores have a DISCONNECTED connection state if the key store has +// never been connected or you used the DisconnectCustomKeyStoreoperation to disconnect it. Otherwise, the +// connection state is CONNECTED. If your custom key store connection state is +// CONNECTED but you are having trouble using it, verify that the backing store is +// active and available. 
For an CloudHSM key store, verify that the associated +// CloudHSM cluster is active and contains the minimum number of HSMs required for +// the operation, if any. For an external key store, verify that the external key +// store proxy and its associated external key manager are reachable and enabled. +// +// For help repairing your CloudHSM key store, see the [Troubleshooting CloudHSM key stores]. For help repairing your +// external key store, see the [Troubleshooting external key stores]. Both topics are in the Key Management Service +// Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a custom key store +// in a different Amazon Web Services account. +// +// Required permissions: [kms:DescribeCustomKeyStores] (IAM policy) +// +// Related operations: +// +// # ConnectCustomKeyStore +// +// # CreateCustomKeyStore +// +// # DeleteCustomKeyStore +// +// # DisconnectCustomKeyStore +// +// # UpdateCustomKeyStore // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. 
+// +// [kms:DescribeCustomKeyStores]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [custom key stores]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html +// [Troubleshooting CloudHSM key stores]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html +// [Troubleshooting external key stores]: https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) DescribeCustomKeyStores(ctx context.Context, params *DescribeCustomKeyStoresInput, optFns ...func(*Options)) (*DescribeCustomKeyStoresOutput, error) { if params == nil { params = &DescribeCustomKeyStoresInput{} 
@@ -67,17 +84,21 @@ func (c *Client) DescribeCustomKeyStores(ctx context.Context, params *DescribeCu type DescribeCustomKeyStoresInput struct { // Gets only information about the specified custom key store. Enter the key store - // ID. By default, this operation gets information about all custom key stores in - // the account and Region. To limit the output to a particular custom key store, + // ID. + // + // By default, this operation gets information about all custom key stores in the + // account and Region. To limit the output to a particular custom key store, // provide either the CustomKeyStoreId or CustomKeyStoreName parameter, but not // both. CustomKeyStoreId *string // Gets only information about the specified custom key store. Enter the friendly - // name of the custom key store. By default, this operation gets information about - // all custom key stores in the account and Region. To limit the output to a - // particular custom key store, provide either the CustomKeyStoreId or - // CustomKeyStoreName parameter, but not both. + // name of the custom key store. + // + // By default, this operation gets information about all custom key stores in the + // account and Region. To limit the output to a particular custom key store, + // provide either the CustomKeyStoreId or CustomKeyStoreName parameter, but not + // both. CustomKeyStoreName *string // Use this parameter to specify the maximum number of items to return. When this @@ -104,7 +125,7 @@ type DescribeCustomKeyStoresOutput struct { // A flag that indicates whether there are more items in the list. When this value // is true, the list in this response is truncated. To get more items, pass the - // value of the NextMarker element in thisresponse to the Marker parameter in a + // value of the NextMarker element in this response to the Marker parameter in a // subsequent request. Truncated bool 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DescribeKey.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DescribeKey.go index 6070fb4343a..f01c9f627b3 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DescribeKey.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DescribeKey.go 
@@ -11,51 +11,73 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Provides detailed information about a KMS key. You can run DescribeKey on a -// customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) -// or an Amazon Web Services managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) -// . This detailed information includes the key ARN, creation date (and deletion +// Provides detailed information about a KMS key. You can run DescribeKey on a [customer managed key] or +// an [Amazon Web Services managed key]. +// +// This detailed information includes the key ARN, creation date (and deletion // date, if applicable), the key state, and the origin and expiration date (if any) // of the key material. It includes fields, like KeySpec , that help you // distinguish different types of KMS keys. It also displays the key usage // (encryption, signing, or generating and verifying MACs) and the algorithms that -// the KMS key supports. For multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) -// , DescribeKey displays the primary key and all related replica keys. For KMS -// keys in CloudHSM key stores (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html) -// , it includes information about the key store, such as the key store ID and the -// CloudHSM cluster ID. For KMS keys in external key stores (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html) -// , it includes the custom key store ID and the ID of the external key. +// the KMS key supports. +// +// For [multi-Region keys], DescribeKey displays the primary key and all related replica keys. For +// KMS keys in [CloudHSM key stores], it includes information about the key store, such as the key +// store ID and the CloudHSM cluster ID. 
For KMS keys in [external key stores], it includes the custom +// key store ID and the ID of the external key. +// // DescribeKey does not return the following information: -// - Aliases associated with the KMS key. To get this information, use -// ListAliases . +// +// - Aliases associated with the KMS key. To get this information, use ListAliases. +// // - Whether automatic key rotation is enabled on the KMS key. To get this -// information, use GetKeyRotationStatus . Also, some key states prevent a KMS -// key from being automatically rotated. For details, see How Automatic Key -// Rotation Works (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works) -// in the Key Management Service Developer Guide. -// - Tags on the KMS key. To get this information, use ListResourceTags . -// - Key policies and grants on the KMS key. To get this information, use -// GetKeyPolicy and ListGrants . +// information, use GetKeyRotationStatus. Also, some key states prevent a KMS key from being +// automatically rotated. For details, see [How Automatic Key Rotation Works]in the Key Management Service +// Developer Guide. +// +// - Tags on the KMS key. To get this information, use ListResourceTags. +// +// - Key policies and grants on the KMS key. To get this information, use GetKeyPolicyand ListGrants. // // In general, DescribeKey is a non-mutating operation. It returns data about KMS // keys, but doesn't change them. However, Amazon Web Services services use -// DescribeKey to create Amazon Web Services managed keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) -// from a predefined Amazon Web Services alias with no key ID. Cross-account use: -// Yes. To perform this operation with a KMS key in a different Amazon Web Services -// account, specify the key ARN or alias ARN in the value of the KeyId parameter. 
-// Required permissions: kms:DescribeKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - GetKeyPolicy -// - GetKeyRotationStatus -// - ListAliases -// - ListGrants -// - ListKeys -// - ListResourceTags -// - ListRetirableGrants +// DescribeKey to create [Amazon Web Services managed keys] from a predefined Amazon Web Services alias with no key +// ID. +// +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value of +// the KeyId parameter. +// +// Required permissions: [kms:DescribeKey] (key policy) +// +// Related operations: +// +// # GetKeyPolicy +// +// # GetKeyRotationStatus +// +// # ListAliases +// +// # ListGrants +// +// # ListKeys +// +// # ListResourceTags +// +// # ListRetirableGrants // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. 
+// +// [CloudHSM key stores]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html +// [external key stores]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html +// [customer managed key]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk +// [kms:DescribeKey]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [How Automatic Key Rotation Works]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works +// [multi-Region keys]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html +// [Amazon Web Services managed keys]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [Amazon Web Services managed key]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk func (c *Client) DescribeKey(ctx context.Context, params *DescribeKeyInput, optFns ...func(*Options)) (*DescribeKeyOutput, error) { if params == nil { params = &DescribeKeyInput{} 
@@ -73,29 +95,43 @@ func (c *Client) DescribeKey(ctx context.Context, params *DescribeKeyInput, optF type DescribeKeyInput struct { - // Describes the specified KMS key. If you specify a predefined Amazon Web - // Services alias (an Amazon Web Services alias with no key ID), KMS associates the - // alias with an Amazon Web Services managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html##aws-managed-cmk) - // and returns its KeyId and Arn in the response. To specify a KMS key, use its - // key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it - // with "alias/" . To specify a KMS key in a different Amazon Web Services account, - // you must use the key ARN or alias ARN. For example: + // Describes the specified KMS key. + // + // If you specify a predefined Amazon Web Services alias (an Amazon Web Services + // alias with no key ID), KMS associates the alias with an [Amazon Web Services managed key]and returns its KeyId + // and Arn in the response. + // + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/" . To specify a KMS key in a + // different Amazon Web Services account, you must use the key ARN or alias ARN. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // // - Alias name: alias/ExampleAlias + // // - Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . To - // get the alias name and alias ARN, use ListAliases . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name + // and alias ARN, use ListAliases. + // + // [Amazon Web Services managed key]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html##aws-managed-cmk // // This member is required. 
KeyId *string - // A list of grant tokens. Use a grant token when your permission to call this - // operation comes from a new grant that has not yet achieved eventual consistency. - // For more information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - // in the Key Management Service Developer Guide. + // A list of grant tokens. + // + // Use a grant token when your permission to call this operation comes from a new + // grant that has not yet achieved eventual consistency. For more information, see [Grant token] + // and [Using a grant token]in the Key Management Service Developer Guide. + // + // [Grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token + // [Using a grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token GrantTokens []string noSmithyDocumentSerde diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DisableKey.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DisableKey.go index eeb57e55428..ad7229a7d5e 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DisableKey.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DisableKey.go 
@@ -11,19 +11,28 @@ import ( ) // Sets the state of a KMS key to disabled. This change temporarily prevents use -// of the KMS key for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) -// . For more information about how key state affects the use of a KMS key, see -// Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide . The KMS key that you use for -// this operation must be in a compatible key state. For details, see Key states -// of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on a KMS key in a different Amazon Web Services account. -// Required permissions: kms:DisableKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: EnableKey Eventual consistency: The KMS API -// follows an eventual consistency model. For more information, see KMS eventual -// consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// of the KMS key for [cryptographic operations]. +// +// For more information about how key state affects the use of a KMS key, see [Key states of KMS keys] in +// the Key Management Service Developer Guide . +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. +// +// Required permissions: [kms:DisableKey] (key policy) +// +// Related operations: EnableKey +// +// Eventual consistency: The KMS API follows an eventual consistency model. 
For +// more information, see [KMS eventual consistency]. +// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [cryptographic operations]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations +// [kms:DisableKey]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) DisableKey(ctx context.Context, params *DisableKeyInput, optFns ...func(*Options)) (*DisableKeyOutput, error) { if params == nil { params = &DisableKeyInput{} @@ -41,12 +50,18 @@ func (c *Client) DisableKey(ctx context.Context, params *DisableKeyInput, optFns type DisableKeyInput struct { - // Identifies the KMS key to disable. Specify the key ID or key ARN of the KMS - // key. For example: + // Identifies the KMS key to disable. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DisableKeyRotation.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DisableKeyRotation.go index 6737c36a7af..3b6daa56c4f 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DisableKeyRotation.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DisableKeyRotation.go 
@@ -10,33 +10,53 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Disables automatic rotation of the key material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) -// of the specified symmetric encryption KMS key. Automatic key rotation is -// supported only on symmetric encryption KMS keys. You cannot enable automatic -// rotation of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) -// , HMAC KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html) -// , KMS keys with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) -// , or KMS keys in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// . To enable or disable automatic rotation of a set of related multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate) -// , set the property on the primary key. You can enable ( EnableKeyRotation ) and -// disable automatic rotation of the key material in customer managed KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) -// . Key material rotation of Amazon Web Services managed KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) -// is not configurable. KMS always rotates the key material for every year. -// Rotation of Amazon Web Services owned KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) -// varies. In May 2022, KMS changed the rotation schedule for Amazon Web Services -// managed keys from every three years to every year. For details, see -// EnableKeyRotation . The KMS key that you use for this operation must be in a -// compatible key state. 
For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on a KMS key in a different Amazon Web Services account. -// Required permissions: kms:DisableKeyRotation (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - EnableKeyRotation -// - GetKeyRotationStatus +// Disables [automatic rotation of the key material] of the specified symmetric encryption KMS key. +// +// Automatic key rotation is supported only on symmetric encryption KMS keys. You +// cannot enable automatic rotation of [asymmetric KMS keys], [HMAC KMS keys], KMS keys with [imported key material], or KMS keys in a [custom key store]. To +// enable or disable automatic rotation of a set of related [multi-Region keys], set the property on +// the primary key. +// +// You can enable (EnableKeyRotation ) and disable automatic rotation of the key material in [customer managed KMS keys]. Key +// material rotation of [Amazon Web Services managed KMS keys]is not configurable. KMS always rotates the key material +// for every year. Rotation of [Amazon Web Services owned KMS keys]varies. +// +// In May 2022, KMS changed the rotation schedule for Amazon Web Services managed +// keys from every three years to every year. For details, see EnableKeyRotation. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. 
+// +// Required permissions: [kms:DisableKeyRotation] (key policy) +// +// Related operations: +// +// # EnableKeyRotation +// +// # GetKeyRotationStatus +// +// # ListKeyRotations +// +// # RotateKeyOnDemand // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [imported key material]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [HMAC KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html +// [Amazon Web Services managed KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk +// [automatic rotation of the key material]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html +// [asymmetric KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html +// [customer managed KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk +// [Amazon Web Services owned KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk +// [kms:DisableKeyRotation]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [multi-Region keys]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html func (c *Client) DisableKeyRotation(ctx context.Context, params *DisableKeyRotationInput, optFns ...func(*Options)) 
(*DisableKeyRotationOutput, error) { if params == nil { params = &DisableKeyRotationInput{} @@ -55,15 +75,23 @@ func (c *Client) DisableKeyRotation(ctx context.Context, params *DisableKeyRotat type DisableKeyRotationInput struct { // Identifies a symmetric encryption KMS key. You cannot enable or disable - // automatic rotation of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks) - // , HMAC KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html) - // , KMS keys with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) - // , or KMS keys in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) - // . Specify the key ID or key ARN of the KMS key. For example: + // automatic rotation of [asymmetric KMS keys], [HMAC KMS keys], KMS keys with [imported key material], or KMS keys in a [custom key store]. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. + // + // [imported key material]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html + // [HMAC KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html + // [asymmetric KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks + // [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html // // This member is required. KeyId *string 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DisconnectCustomKeyStore.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DisconnectCustomKeyStore.go index f9b7daae145..80f6654a5b6 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DisconnectCustomKeyStore.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_DisconnectCustomKeyStore.go 
@@ -10,36 +10,54 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Disconnects the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// from its backing key store. This operation disconnects an CloudHSM key store -// from its associated CloudHSM cluster or disconnects an external key store from -// the external key store proxy that communicates with your external key manager. -// This operation is part of the custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// feature in KMS, which combines the convenience and extensive integration of KMS -// with the isolation and control of a key store that you own and manage. While a -// custom key store is disconnected, you can manage the custom key store and its -// KMS keys, but you cannot create or use its KMS keys. You can reconnect the -// custom key store at any time. While a custom key store is disconnected, all -// attempts to create KMS keys in the custom key store or to use existing KMS keys -// in cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) -// will fail. This action can prevent users from storing and accessing sensitive -// data. When you disconnect a custom key store, its ConnectionState changes to -// Disconnected . To find the connection state of a custom key store, use the -// DescribeCustomKeyStores operation. To reconnect a custom key store, use the -// ConnectCustomKeyStore operation. If the operation succeeds, it returns a JSON -// object with no properties. Cross-account use: No. You cannot perform this -// operation on a custom key store in a different Amazon Web Services account. 
-// Required permissions: kms:DisconnectCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (IAM policy) Related operations: -// - ConnectCustomKeyStore -// - CreateCustomKeyStore -// - DeleteCustomKeyStore -// - DescribeCustomKeyStores -// - UpdateCustomKeyStore +// Disconnects the [custom key store] from its backing key store. This operation disconnects an +// CloudHSM key store from its associated CloudHSM cluster or disconnects an +// external key store from the external key store proxy that communicates with your +// external key manager. +// +// This operation is part of the [custom key stores] feature in KMS, which combines the convenience +// and extensive integration of KMS with the isolation and control of a key store +// that you own and manage. +// +// While a custom key store is disconnected, you can manage the custom key store +// and its KMS keys, but you cannot create or use its KMS keys. You can reconnect +// the custom key store at any time. +// +// While a custom key store is disconnected, all attempts to create KMS keys in +// the custom key store or to use existing KMS keys in [cryptographic operations]will fail. This action can +// prevent users from storing and accessing sensitive data. +// +// When you disconnect a custom key store, its ConnectionState changes to +// Disconnected . To find the connection state of a custom key store, use the DescribeCustomKeyStores +// operation. To reconnect a custom key store, use the ConnectCustomKeyStoreoperation. +// +// If the operation succeeds, it returns a JSON object with no properties. +// +// Cross-account use: No. You cannot perform this operation on a custom key store +// in a different Amazon Web Services account. 
+// +// Required permissions: [kms:DisconnectCustomKeyStore] (IAM policy) +// +// Related operations: +// +// # ConnectCustomKeyStore +// +// # CreateCustomKeyStore +// +// # DeleteCustomKeyStore +// +// # DescribeCustomKeyStores +// +// # UpdateCustomKeyStore // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [custom key stores]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html +// [cryptographic operations]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations +// [kms:DisconnectCustomKeyStore]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html func (c *Client) DisconnectCustomKeyStore(ctx context.Context, params *DisconnectCustomKeyStoreInput, optFns ...func(*Options)) (*DisconnectCustomKeyStoreOutput, error) { if params == nil { params = &DisconnectCustomKeyStoreInput{} @@ -58,7 +76,7 @@ func (c *Client) DisconnectCustomKeyStore(ctx context.Context, params *Disconnec type DisconnectCustomKeyStoreInput struct { // Enter the ID of the custom key store you want to disconnect. To find the ID of - // a custom key store, use the DescribeCustomKeyStores operation. + // a custom key store, use the DescribeCustomKeyStoresoperation. // // This member is required. CustomKeyStoreId *string diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_EnableKey.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_EnableKey.go index 1395c9df67b..c01d5d97152 100644 
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_EnableKey.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_EnableKey.go
@@ -11,16 +11,25 @@ import ( ) // Sets the key state of a KMS key to enabled. This allows you to use the KMS key -// for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) -// . The KMS key that you use for this operation must be in a compatible key state. -// For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on a KMS key in a different Amazon Web Services account. -// Required permissions: kms:EnableKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: DisableKey Eventual consistency: The KMS API -// follows an eventual consistency model. For more information, see KMS eventual -// consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// for [cryptographic operations]. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. +// +// Required permissions: [kms:EnableKey] (key policy) +// +// Related operations: DisableKey +// +// Eventual consistency: The KMS API follows an eventual consistency model. For +// more information, see [KMS eventual consistency]. 
+// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [kms:EnableKey]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [cryptographic operations]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) EnableKey(ctx context.Context, params *EnableKeyInput, optFns ...func(*Options)) (*EnableKeyOutput, error) { if params == nil { params = &EnableKeyInput{} @@ -38,12 +47,18 @@ func (c *Client) EnableKey(ctx context.Context, params *EnableKeyInput, optFns . type EnableKeyInput struct { - // Identifies the KMS key to enable. Specify the key ID or key ARN of the KMS key. + // Identifies the KMS key to enable. + // + // Specify the key ID or key ARN of the KMS key. + // // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_EnableKeyRotation.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_EnableKeyRotation.go index 06e237c808f..d2ada715811 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_EnableKeyRotation.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_EnableKeyRotation.go 
@@ -10,42 +10,77 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Enables automatic rotation of the key material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) -// of the specified symmetric encryption KMS key. When you enable automatic -// rotation of a customer managed KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) -// , KMS rotates the key material of the KMS key one year (approximately 365 days) -// from the enable date and every year thereafter. You can monitor rotation of the -// key material for your KMS keys in CloudTrail and Amazon CloudWatch. To disable -// rotation of the key material in a customer managed KMS key, use the -// DisableKeyRotation operation. Automatic key rotation is supported only on -// symmetric encryption KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks) -// . You cannot enable automatic rotation of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) -// , HMAC KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html) -// , KMS keys with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) -// , or KMS keys in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// . To enable or disable automatic rotation of a set of related multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate) -// , set the property on the primary key. You cannot enable or disable automatic -// rotation Amazon Web Services managed KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) -// . KMS always rotates the key material of Amazon Web Services managed keys every -// year. 
Rotation of Amazon Web Services owned KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) -// varies. In May 2022, KMS changed the rotation schedule for Amazon Web Services -// managed keys from every three years (approximately 1,095 days) to every year -// (approximately 365 days). New Amazon Web Services managed keys are automatically -// rotated one year after they are created, and approximately every year -// thereafter. Existing Amazon Web Services managed keys are automatically rotated -// one year after their most recent rotation, and every year thereafter. The KMS -// key that you use for this operation must be in a compatible key state. For -// details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on a KMS key in a different Amazon Web Services account. -// Required permissions: kms:EnableKeyRotation (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - DisableKeyRotation -// - GetKeyRotationStatus +// Enables [automatic rotation of the key material] of the specified symmetric encryption KMS key. +// +// By default, when you enable automatic rotation of a [customer managed KMS key], KMS rotates the key +// material of the KMS key one year (approximately 365 days) from the enable date +// and every year thereafter. You can use the optional RotationPeriodInDays +// parameter to specify a custom rotation period when you enable key rotation, or +// you can use RotationPeriodInDays to modify the rotation period of a key that +// you previously enabled automatic key rotation on. +// +// You can monitor rotation of the key material for your KMS keys in CloudTrail +// and Amazon CloudWatch. 
To disable rotation of the key material in a customer +// managed KMS key, use the DisableKeyRotationoperation. You can use the GetKeyRotationStatus operation to identify any +// in progress rotations. You can use the ListKeyRotationsoperation to view the details of +// completed rotations. +// +// Automatic key rotation is supported only on [symmetric encryption KMS keys]. You cannot enable automatic +// rotation of [asymmetric KMS keys], [HMAC KMS keys], KMS keys with [imported key material], or KMS keys in a [custom key store]. To enable or disable +// automatic rotation of a set of related [multi-Region keys], set the property on the primary key. +// +// You cannot enable or disable automatic rotation of [Amazon Web Services managed KMS keys]. KMS always rotates the key +// material of Amazon Web Services managed keys every year. Rotation of [Amazon Web Services owned KMS keys]is managed +// by the Amazon Web Services service that owns the key. +// +// In May 2022, KMS changed the rotation schedule for Amazon Web Services managed +// keys from every three years (approximately 1,095 days) to every year +// (approximately 365 days). +// +// New Amazon Web Services managed keys are automatically rotated one year after +// they are created, and approximately every year thereafter. +// +// Existing Amazon Web Services managed keys are automatically rotated one year +// after their most recent rotation, and every year thereafter. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. 
+// +// Required permissions: [kms:EnableKeyRotation] (key policy) +// +// Related operations: +// +// # DisableKeyRotation +// +// # GetKeyRotationStatus +// +// # ListKeyRotations +// +// RotateKeyOnDemand +// +// - You can perform on-demand (RotateKeyOnDemand ) rotation of the key material in customer +// managed KMS keys, regardless of whether or not automatic key rotation is +// enabled. // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [kms:EnableKeyRotation]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [Amazon Web Services owned KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk +// [multi-Region keys]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [imported key material]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [HMAC KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html +// [Amazon Web Services managed KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk +// [customer managed KMS key]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk +// [automatic rotation of the key material]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-enable-disable +// [asymmetric KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html +// [symmetric encryption KMS 
keys]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks +// [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html func (c *Client) EnableKeyRotation(ctx context.Context, params *EnableKeyRotationInput, optFns ...func(*Options)) (*EnableKeyRotationOutput, error) { if params == nil { params = &EnableKeyRotationInput{} 
@@ -64,21 +99,42 @@ func (c *Client) EnableKeyRotation(ctx context.Context, params *EnableKeyRotatio type EnableKeyRotationInput struct { // Identifies a symmetric encryption KMS key. You cannot enable automatic rotation - // of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) - // , HMAC KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html) - // , KMS keys with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) - // , or KMS keys in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) - // . To enable or disable automatic rotation of a set of related multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate) - // , set the property on the primary key. Specify the key ID or key ARN of the KMS - // key. For example: + // of [asymmetric KMS keys], [HMAC KMS keys], KMS keys with [imported key material], or KMS keys in a [custom key store]. To enable or disable automatic + // rotation of a set of related [multi-Region keys], set the property on the primary key. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. 
+ // + // [imported key material]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html + // [HMAC KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html + // [asymmetric KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html + // [multi-Region keys]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate + // [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html // // This member is required. KeyId *string + // Use this parameter to specify a custom period of time between each rotation + // date. If no value is specified, the default value is 365 days. + // + // The rotation period defines the number of days after you enable automatic key + // rotation that KMS will rotate your key material, and the number of days between + // each automatic rotation thereafter. + // + // You can use the [kms:RotationPeriodInDays]kms:RotationPeriodInDays condition key to further constrain the + // values that principals can specify in the RotationPeriodInDays parameter. + // + // [kms:RotationPeriodInDays]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-rotation-period-in-days + RotationPeriodInDays *int32 + noSmithyDocumentSerde } diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Encrypt.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Encrypt.go index d6628feb8ec..2c2b71de556 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Encrypt.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Encrypt.go 
@@ -12,57 +12,86 @@ import ( ) // Encrypts plaintext of up to 4,096 bytes using a KMS key. You can use a -// symmetric or asymmetric KMS key with a KeyUsage of ENCRYPT_DECRYPT . You can use -// this operation to encrypt small amounts of arbitrary data, such as a personal -// identifier or database password, or other sensitive information. You don't need -// to use the Encrypt operation to encrypt a data key. The GenerateDataKey and -// GenerateDataKeyPair operations return a plaintext data key and an encrypted copy -// of that data key. If you use a symmetric encryption KMS key, you can use an -// encryption context to add additional security to your encryption operation. If -// you specify an EncryptionContext when encrypting data, you must specify the -// same encryption context (a case-sensitive exact match) when decrypting the data. -// Otherwise, the request to decrypt fails with an InvalidCiphertextException . For -// more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) -// in the Key Management Service Developer Guide. If you specify an asymmetric KMS -// key, you must also specify the encryption algorithm. The algorithm must be -// compatible with the KMS key spec. When you use an asymmetric KMS key to encrypt -// or reencrypt data, be sure to record the KMS key and encryption algorithm that -// you choose. You will be required to provide the same KMS key and encryption -// algorithm when you decrypt the data. If the KMS key and algorithm do not match -// the values used to encrypt the data, the decrypt operation fails. You are not -// required to supply the key ID and encryption algorithm when you decrypt with -// symmetric encryption KMS keys because KMS stores this information in the -// ciphertext blob. KMS cannot store metadata in ciphertext generated with +// symmetric or asymmetric KMS key with a KeyUsage of ENCRYPT_DECRYPT . 
+// +// You can use this operation to encrypt small amounts of arbitrary data, such as +// a personal identifier or database password, or other sensitive information. You +// don't need to use the Encrypt operation to encrypt a data key. The GenerateDataKey and GenerateDataKeyPair +// operations return a plaintext data key and an encrypted copy of that data key. +// +// If you use a symmetric encryption KMS key, you can use an encryption context to +// add additional security to your encryption operation. If you specify an +// EncryptionContext when encrypting data, you must specify the same encryption +// context (a case-sensitive exact match) when decrypting the data. Otherwise, the +// request to decrypt fails with an InvalidCiphertextException . For more +// information, see [Encryption Context]in the Key Management Service Developer Guide. +// +// If you specify an asymmetric KMS key, you must also specify the encryption +// algorithm. The algorithm must be compatible with the KMS key spec. +// +// When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to +// record the KMS key and encryption algorithm that you choose. You will be +// required to provide the same KMS key and encryption algorithm when you decrypt +// the data. If the KMS key and algorithm do not match the values used to encrypt +// the data, the decrypt operation fails. +// +// You are not required to supply the key ID and encryption algorithm when you +// decrypt with symmetric encryption KMS keys because KMS stores this information +// in the ciphertext blob. KMS cannot store metadata in ciphertext generated with // asymmetric keys. The standard format for asymmetric key ciphertext does not -// include configurable fields. The maximum size of the data that you can encrypt -// varies with the type of KMS key and the encryption algorithm that you choose. +// include configurable fields. 
+// +// The maximum size of the data that you can encrypt varies with the type of KMS +// key and the encryption algorithm that you choose. +// // - Symmetric encryption KMS keys +// // - SYMMETRIC_DEFAULT : 4096 bytes +// // - RSA_2048 +// // - RSAES_OAEP_SHA_1 : 214 bytes +// // - RSAES_OAEP_SHA_256 : 190 bytes +// // - RSA_3072 +// // - RSAES_OAEP_SHA_1 : 342 bytes +// // - RSAES_OAEP_SHA_256 : 318 bytes +// // - RSA_4096 +// // - RSAES_OAEP_SHA_1 : 470 bytes +// // - RSAES_OAEP_SHA_256 : 446 bytes +// // - SM2PKE : 1024 bytes (China Regions only) // // The KMS key that you use for this operation must be in a compatible key state. -// For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. Cross-account use: Yes. To -// perform this operation with a KMS key in a different Amazon Web Services -// account, specify the key ARN or alias ARN in the value of the KeyId parameter. -// Required permissions: kms:Encrypt (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - Decrypt -// - GenerateDataKey -// - GenerateDataKeyPair +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value of +// the KeyId parameter. +// +// Required permissions: [kms:Encrypt] (key policy) +// +// Related operations: +// +// # Decrypt +// +// # GenerateDataKey +// +// # GenerateDataKeyPair // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. 
+// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [Encryption Context]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context +// [kms:Encrypt]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) Encrypt(ctx context.Context, params *EncryptInput, optFns ...func(*Options)) (*EncryptOutput, error) { if params == nil { params = &EncryptInput{} 
@@ -81,18 +110,26 @@ func (c *Client) Encrypt(ctx context.Context, params *EncryptInput, optFns ...fu type EncryptInput struct { // Identifies the KMS key to use in the encryption operation. The KMS key must - // have a KeyUsage of ENCRYPT_DECRYPT . To find the KeyUsage of a KMS key, use the - // DescribeKey operation. To specify a KMS key, use its key ID, key ARN, alias - // name, or alias ARN. When using an alias name, prefix it with "alias/" . To - // specify a KMS key in a different Amazon Web Services account, you must use the - // key ARN or alias ARN. For example: + // have a KeyUsage of ENCRYPT_DECRYPT . To find the KeyUsage of a KMS key, use the DescribeKey + // operation. + // + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/" . To specify a KMS key in a + // different Amazon Web Services account, you must use the key ARN or alias ARN. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // // - Alias name: alias/ExampleAlias + // // - Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . To - // get the alias name and alias ARN, use ListAliases . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name + // and alias ARN, use ListAliases. // // This member is required. KeyId *string 
@@ -102,40 +139,54 @@ type EncryptInput struct { // This member is required. Plaintext []byte - // Checks if your request will succeed. DryRun is an optional parameter. To learn - // more about how to use this parameter, see Testing your KMS API calls (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html) - // in the Key Management Service Developer Guide. + // Checks if your request will succeed. DryRun is an optional parameter. + // + // To learn more about how to use this parameter, see [Testing your KMS API calls] in the Key Management + // Service Developer Guide. + // + // [Testing your KMS API calls]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html DryRun *bool // Specifies the encryption algorithm that KMS will use to encrypt the plaintext // message. The algorithm must be compatible with the KMS key that you specify. + // // This parameter is required only for asymmetric KMS keys. The default value, // SYMMETRIC_DEFAULT , is the algorithm used for symmetric encryption KMS keys. If - // you are using an asymmetric KMS key, we recommend RSAES_OAEP_SHA_256. The SM2PKE - // algorithm is only available in China Regions. + // you are using an asymmetric KMS key, we recommend RSAES_OAEP_SHA_256. + // + // The SM2PKE algorithm is only available in China Regions. EncryptionAlgorithm types.EncryptionAlgorithmSpec // Specifies the encryption context that will be used to encrypt the data. An - // encryption context is valid only for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) - // with a symmetric encryption KMS key. The standard asymmetric encryption - // algorithms and HMAC algorithms that KMS uses do not support an encryption - // context. Do not include confidential or sensitive information in this field. - // This field may be displayed in plaintext in CloudTrail logs and other output. 
An - // encryption context is a collection of non-secret key-value pairs that represent - // additional authenticated data. When you use an encryption context to encrypt - // data, you must specify the same (an exact case-sensitive match) encryption - // context to decrypt the data. An encryption context is supported only on - // operations with symmetric encryption KMS keys. On operations with symmetric + // encryption context is valid only for [cryptographic operations]with a symmetric encryption KMS key. The + // standard asymmetric encryption algorithms and HMAC algorithms that KMS uses do + // not support an encryption context. + // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. + // + // An encryption context is a collection of non-secret key-value pairs that + // represent additional authenticated data. When you use an encryption context to + // encrypt data, you must specify the same (an exact case-sensitive match) + // encryption context to decrypt the data. An encryption context is supported only + // on operations with symmetric encryption KMS keys. On operations with symmetric // encryption KMS keys, an encryption context is optional, but it is strongly - // recommended. For more information, see Encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the Key Management Service Developer Guide. + // recommended. + // + // For more information, see [Encryption context] in the Key Management Service Developer Guide. + // + // [cryptographic operations]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations + // [Encryption context]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context EncryptionContext map[string]string - // A list of grant tokens. 
Use a grant token when your permission to call this - // operation comes from a new grant that has not yet achieved eventual consistency. - // For more information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - // in the Key Management Service Developer Guide. + // A list of grant tokens. + // + // Use a grant token when your permission to call this operation comes from a new + // grant that has not yet achieved eventual consistency. For more information, see [Grant token] + // and [Using a grant token]in the Key Management Service Developer Guide. + // + // [Grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token + // [Using a grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token GrantTokens []string noSmithyDocumentSerde @@ -150,8 +201,10 @@ type EncryptOutput struct { // The encryption algorithm that was used to encrypt the plaintext. EncryptionAlgorithm types.EncryptionAlgorithmSpec - // The Amazon Resource Name ( key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) - // ) of the KMS key that was used to encrypt the plaintext. + // The Amazon Resource Name ([key ARN] ) of the KMS key that was used to encrypt the + // plaintext. + // + // [key ARN]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN KeyId *string // Metadata pertaining to the operation's result. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKey.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKey.go index 4a46272c303..a188477010f 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKey.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKey.go 
@@ -16,47 +16,52 @@ import ( // symmetric encryption KMS key that you specify. The bytes in the plaintext key // are random; they are not related to the caller or the KMS key. You can use the // plaintext key to encrypt your data outside of KMS and store the encrypted data -// key with the encrypted data. To generate a data key, specify the symmetric -// encryption KMS key that will be used to encrypt the data key. You cannot use an -// asymmetric KMS key to encrypt data keys. To get the type of your KMS key, use -// the DescribeKey operation. You must also specify the length of the data key. -// Use either the KeySpec or NumberOfBytes parameters (but not both). For 128-bit -// and 256-bit data keys, use the KeySpec parameter. To generate a 128-bit SM4 -// data key (China Regions only), specify a KeySpec value of AES_128 or a -// NumberOfBytes value of 16 . The symmetric encryption key used in China Regions -// to encrypt your data key is an SM4 encryption key. To get only an encrypted copy -// of the data key, use GenerateDataKeyWithoutPlaintext . To generate an asymmetric -// data key pair, use the GenerateDataKeyPair or -// GenerateDataKeyPairWithoutPlaintext operation. To get a cryptographically secure -// random byte string, use GenerateRandom . You can use an optional encryption -// context to add additional security to the encryption operation. If you specify -// an EncryptionContext , you must specify the same encryption context (a -// case-sensitive exact match) when decrypting the encrypted data key. Otherwise, -// the request to decrypt fails with an InvalidCiphertextException . For more -// information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) -// in the Key Management Service Developer Guide. 
GenerateDataKey also supports -// Amazon Web Services Nitro Enclaves (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html) -// , which provide an isolated compute environment in Amazon EC2. To call -// GenerateDataKey for an Amazon Web Services Nitro enclave, use the Amazon Web -// Services Nitro Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk) -// or any Amazon Web Services SDK. Use the Recipient parameter to provide the -// attestation document for the enclave. GenerateDataKey returns a copy of the -// data key encrypted under the specified KMS key, as usual. But instead of a -// plaintext copy of the data key, the response includes a copy of the data key -// encrypted under the public key from the attestation document ( +// key with the encrypted data. +// +// To generate a data key, specify the symmetric encryption KMS key that will be +// used to encrypt the data key. You cannot use an asymmetric KMS key to encrypt +// data keys. To get the type of your KMS key, use the DescribeKeyoperation. +// +// You must also specify the length of the data key. Use either the KeySpec or +// NumberOfBytes parameters (but not both). For 128-bit and 256-bit data keys, use +// the KeySpec parameter. +// +// To generate a 128-bit SM4 data key (China Regions only), specify a KeySpec +// value of AES_128 or a NumberOfBytes value of 16 . The symmetric encryption key +// used in China Regions to encrypt your data key is an SM4 encryption key. +// +// To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. To generate an asymmetric +// data key pair, use the GenerateDataKeyPairor GenerateDataKeyPairWithoutPlaintext operation. To get a cryptographically secure random +// byte string, use GenerateRandom. +// +// You can use an optional encryption context to add additional security to the +// encryption operation. 
If you specify an EncryptionContext , you must specify the +// same encryption context (a case-sensitive exact match) when decrypting the +// encrypted data key. Otherwise, the request to decrypt fails with an +// InvalidCiphertextException . For more information, see [Encryption Context] in the Key Management +// Service Developer Guide. +// +// GenerateDataKey also supports [Amazon Web Services Nitro Enclaves], which provide an isolated compute environment +// in Amazon EC2. To call GenerateDataKey for an Amazon Web Services Nitro +// enclave, use the [Amazon Web Services Nitro Enclaves SDK]or any Amazon Web Services SDK. Use the Recipient parameter to +// provide the attestation document for the enclave. GenerateDataKey returns a +// copy of the data key encrypted under the specified KMS key, as usual. But +// instead of a plaintext copy of the data key, the response includes a copy of the +// data key encrypted under the public key from the attestation document ( // CiphertextForRecipient ). For information about the interaction between KMS and -// Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves -// uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html) -// in the Key Management Service Developer Guide.. The KMS key that you use for -// this operation must be in a compatible key state. For details, see Key states -// of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. How to use your data key We -// recommend that you use the following pattern to encrypt data locally in your +// Amazon Web Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves uses KMS]in the Key Management Service Developer +// Guide.. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. 
+// +// # How to use your data key +// +// We recommend that you use the following pattern to encrypt data locally in your // application. You can write your own code or use a client-side encryption -// library, such as the Amazon Web Services Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/) -// , the Amazon DynamoDB Encryption Client (https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/) -// , or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html) -// to do these tasks for you. To encrypt data outside of KMS: +// library, such as the [Amazon Web Services Encryption SDK], the [Amazon DynamoDB Encryption Client], or [Amazon S3 client-side encryption] to do these tasks for you. +// +// To encrypt data outside of KMS: // // - Use the GenerateDataKey operation to get a data key. // 
@@ -67,24 +72,44 @@ import ( // with the encrypted data. // // To decrypt data outside of KMS: -// - Use the Decrypt operation to decrypt the encrypted data key. The operation -// returns a plaintext copy of the data key. +// +// - Use the Decryptoperation to decrypt the encrypted data key. The operation returns +// a plaintext copy of the data key. +// // - Use the plaintext data key to decrypt data outside of KMS, then erase the // plaintext data key from memory. // // Cross-account use: Yes. To perform this operation with a KMS key in a different // Amazon Web Services account, specify the key ARN or alias ARN in the value of -// the KeyId parameter. Required permissions: kms:GenerateDataKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - Decrypt -// - Encrypt -// - GenerateDataKeyPair -// - GenerateDataKeyPairWithoutPlaintext -// - GenerateDataKeyWithoutPlaintext +// the KeyId parameter. +// +// Required permissions: [kms:GenerateDataKey] (key policy) +// +// Related operations: +// +// # Decrypt +// +// # Encrypt +// +// # GenerateDataKeyPair +// +// # GenerateDataKeyPairWithoutPlaintext +// +// # GenerateDataKeyWithoutPlaintext // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. 
+// +// [Amazon Web Services Encryption SDK]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/ +// [Amazon DynamoDB Encryption Client]: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/ +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [Encryption Context]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context +// [Amazon Web Services Nitro Enclaves]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html +// [Amazon S3 client-side encryption]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html +// [kms:GenerateDataKey]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [How Amazon Web Services Nitro Enclaves uses KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [Amazon Web Services Nitro Enclaves SDK]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk func (c *Client) GenerateDataKey(ctx context.Context, params *GenerateDataKeyInput, optFns ...func(*Options)) (*GenerateDataKeyOutput, error) { if params == nil { params = &GenerateDataKeyInput{} 
@@ -104,75 +129,102 @@ type GenerateDataKeyInput struct { // Specifies the symmetric encryption KMS key that encrypts the data key. You // cannot specify an asymmetric KMS key or a KMS key in a custom key store. To get - // the type and origin of your KMS key, use the DescribeKey operation. To specify - // a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an - // alias name, prefix it with "alias/" . To specify a KMS key in a different Amazon - // Web Services account, you must use the key ARN or alias ARN. For example: + // the type and origin of your KMS key, use the DescribeKeyoperation. + // + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/" . To specify a KMS key in a + // different Amazon Web Services account, you must use the key ARN or alias ARN. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // // - Alias name: alias/ExampleAlias + // // - Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . To - // get the alias name and alias ARN, use ListAliases . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name + // and alias ARN, use ListAliases. // // This member is required. KeyId *string - // Checks if your request will succeed. DryRun is an optional parameter. To learn - // more about how to use this parameter, see Testing your KMS API calls (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html) - // in the Key Management Service Developer Guide. + // Checks if your request will succeed. DryRun is an optional parameter. + // + // To learn more about how to use this parameter, see [Testing your KMS API calls] in the Key Management + // Service Developer Guide. 
+ // + // [Testing your KMS API calls]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html DryRun *bool - // Specifies the encryption context that will be used when encrypting the data - // key. Do not include confidential or sensitive information in this field. This - // field may be displayed in plaintext in CloudTrail logs and other output. An - // encryption context is a collection of non-secret key-value pairs that represent - // additional authenticated data. When you use an encryption context to encrypt - // data, you must specify the same (an exact case-sensitive match) encryption - // context to decrypt the data. An encryption context is supported only on - // operations with symmetric encryption KMS keys. On operations with symmetric + // Specifies the encryption context that will be used when encrypting the data key. + // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. + // + // An encryption context is a collection of non-secret key-value pairs that + // represent additional authenticated data. When you use an encryption context to + // encrypt data, you must specify the same (an exact case-sensitive match) + // encryption context to decrypt the data. An encryption context is supported only + // on operations with symmetric encryption KMS keys. On operations with symmetric // encryption KMS keys, an encryption context is optional, but it is strongly - // recommended. For more information, see Encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the Key Management Service Developer Guide. + // recommended. + // + // For more information, see [Encryption context] in the Key Management Service Developer Guide. 
+ // + // [Encryption context]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context EncryptionContext map[string]string - // A list of grant tokens. Use a grant token when your permission to call this - // operation comes from a new grant that has not yet achieved eventual consistency. - // For more information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - // in the Key Management Service Developer Guide. + // A list of grant tokens. + // + // Use a grant token when your permission to call this operation comes from a new + // grant that has not yet achieved eventual consistency. For more information, see [Grant token] + // and [Using a grant token]in the Key Management Service Developer Guide. + // + // [Grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token + // [Using a grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token GrantTokens []string // Specifies the length of the data key. Use AES_128 to generate a 128-bit - // symmetric key, or AES_256 to generate a 256-bit symmetric key. You must specify - // either the KeySpec or the NumberOfBytes parameter (but not both) in every - // GenerateDataKey request. + // symmetric key, or AES_256 to generate a 256-bit symmetric key. + // + // You must specify either the KeySpec or the NumberOfBytes parameter (but not + // both) in every GenerateDataKey request. KeySpec types.DataKeySpec // Specifies the length of the data key in bytes. For example, use the value 64 to // generate a 512-bit data key (64 bytes is 512 bits). For 128-bit (16-byte) and - // 256-bit (32-byte) data keys, use the KeySpec parameter. You must specify either - // the KeySpec or the NumberOfBytes parameter (but not both) in every - // GenerateDataKey request. 
+ // 256-bit (32-byte) data keys, use the KeySpec parameter. + // + // You must specify either the KeySpec or the NumberOfBytes parameter (but not + // both) in every GenerateDataKey request. NumberOfBytes *int32 - // A signed attestation document (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc) - // from an Amazon Web Services Nitro enclave and the encryption algorithm to use - // with the enclave's public key. The only valid encryption algorithm is - // RSAES_OAEP_SHA_256 . This parameter only supports attestation documents for - // Amazon Web Services Nitro Enclaves. To include this parameter, use the Amazon - // Web Services Nitro Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk) - // or any Amazon Web Services SDK. When you use this parameter, instead of - // returning the plaintext data key, KMS encrypts the plaintext data key under the - // public key in the attestation document, and returns the resulting ciphertext in - // the CiphertextForRecipient field in the response. This ciphertext can be - // decrypted only with the private key in the enclave. The CiphertextBlob field in - // the response contains a copy of the data key encrypted under the KMS key - // specified by the KeyId parameter. The Plaintext field in the response is null - // or empty. For information about the interaction between KMS and Amazon Web - // Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html) - // in the Key Management Service Developer Guide. + // A signed [attestation document] from an Amazon Web Services Nitro enclave and the encryption + // algorithm to use with the enclave's public key. The only valid encryption + // algorithm is RSAES_OAEP_SHA_256 . + // + // This parameter only supports attestation documents for Amazon Web Services + // Nitro Enclaves. 
To include this parameter, use the [Amazon Web Services Nitro Enclaves SDK]or any Amazon Web Services + // SDK. + // + // When you use this parameter, instead of returning the plaintext data key, KMS + // encrypts the plaintext data key under the public key in the attestation + // document, and returns the resulting ciphertext in the CiphertextForRecipient + // field in the response. This ciphertext can be decrypted only with the private + // key in the enclave. The CiphertextBlob field in the response contains a copy of + // the data key encrypted under the KMS key specified by the KeyId parameter. The + // Plaintext field in the response is null or empty. + // + // For information about the interaction between KMS and Amazon Web Services Nitro + // Enclaves, see [How Amazon Web Services Nitro Enclaves uses KMS]in the Key Management Service Developer Guide. + // + // [attestation document]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc + // [How Amazon Web Services Nitro Enclaves uses KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html + // [Amazon Web Services Nitro Enclaves SDK]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk Recipient *types.RecipientInfo noSmithyDocumentSerde 
@@ -186,23 +238,28 @@ type GenerateDataKeyOutput struct { // The plaintext data key encrypted with the public key from the Nitro enclave. // This ciphertext can be decrypted only by using a private key in the Nitro - // enclave. This field is included in the response only when the Recipient - // parameter in the request includes a valid attestation document from an Amazon - // Web Services Nitro enclave. For information about the interaction between KMS - // and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro - // Enclaves uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html) - // in the Key Management Service Developer Guide. + // enclave. + // + // This field is included in the response only when the Recipient parameter in the + // request includes a valid attestation document from an Amazon Web Services Nitro + // enclave. For information about the interaction between KMS and Amazon Web + // Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves uses KMS]in the Key Management Service Developer Guide. + // + // [How Amazon Web Services Nitro Enclaves uses KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html CiphertextForRecipient []byte - // The Amazon Resource Name ( key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) - // ) of the KMS key that encrypted the data key. + // The Amazon Resource Name ([key ARN] ) of the KMS key that encrypted the data key. + // + // [key ARN]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN KeyId *string // The plaintext data key. When you use the HTTP API or the Amazon Web Services // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. Use this // data key to encrypt your data outside of KMS. Then, remove it from memory as - // soon as possible. 
If the response includes the CiphertextForRecipient field, - // the Plaintext field is null or empty. + // soon as possible. + // + // If the response includes the CiphertextForRecipient field, the Plaintext field + // is null or empty. Plaintext []byte // Metadata pertaining to the operation's result. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKeyPair.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKeyPair.go index 2156fb5f613..5076ac095b3 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKeyPair.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKeyPair.go 
@@ -17,67 +17,90 @@ import ( // specify. You can use the data key pair to perform asymmetric cryptography and // implement digital signatures outside of KMS. The bytes in the keys are random; // they are not related to the caller or to the KMS key that is used to encrypt the -// private key. You can use the public key that GenerateDataKeyPair returns to -// encrypt data or verify a signature outside of KMS. Then, store the encrypted -// private key with the data. When you are ready to decrypt data or sign a message, -// you can use the Decrypt operation to decrypt the encrypted private key. To -// generate a data key pair, you must specify a symmetric encryption KMS key to +// private key. +// +// You can use the public key that GenerateDataKeyPair returns to encrypt data or +// verify a signature outside of KMS. Then, store the encrypted private key with +// the data. When you are ready to decrypt data or sign a message, you can use the Decrypt +// operation to decrypt the encrypted private key. +// +// To generate a data key pair, you must specify a symmetric encryption KMS key to // encrypt the private key in a data key pair. You cannot use an asymmetric KMS key // or a KMS key in a custom key store. To get the type and origin of your KMS key, -// use the DescribeKey operation. Use the KeyPairSpec parameter to choose an RSA -// or Elliptic Curve (ECC) data key pair. In China Regions, you can also choose an -// SM2 data key pair. KMS recommends that you use ECC key pairs for signing, and -// use RSA and SM2 key pairs for either encryption or signing, but not both. -// However, KMS cannot enforce any restrictions on the use of data key pairs -// outside of KMS. If you are using the data key pair to encrypt data, or for any -// operation where you don't immediately need a private key, consider using the -// GenerateDataKeyPairWithoutPlaintext operation. +// use the DescribeKeyoperation. 
+// +// Use the KeyPairSpec parameter to choose an RSA or Elliptic Curve (ECC) data key +// pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends +// that you use ECC key pairs for signing, and use RSA and SM2 key pairs for either +// encryption or signing, but not both. However, KMS cannot enforce any +// restrictions on the use of data key pairs outside of KMS. +// +// If you are using the data key pair to encrypt data, or for any operation where +// you don't immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintextoperation. // GenerateDataKeyPairWithoutPlaintext returns a plaintext public key and an // encrypted private key, but omits the plaintext private key that you need only to // decrypt ciphertext or sign a message. Later, when you need to decrypt the data -// or sign a message, use the Decrypt operation to decrypt the encrypted private -// key in the data key pair. GenerateDataKeyPair returns a unique data key pair -// for each request. The bytes in the keys are random; they are not related to the -// caller or the KMS key that is used to encrypt the private key. The public key is -// a DER-encoded X.509 SubjectPublicKeyInfo, as specified in RFC 5280 (https://tools.ietf.org/html/rfc5280) -// . The private key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in RFC -// 5958 (https://tools.ietf.org/html/rfc5958) . GenerateDataKeyPair also supports -// Amazon Web Services Nitro Enclaves (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html) -// , which provide an isolated compute environment in Amazon EC2. To call -// GenerateDataKeyPair for an Amazon Web Services Nitro enclave, use the Amazon -// Web Services Nitro Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk) -// or any Amazon Web Services SDK. Use the Recipient parameter to provide the -// attestation document for the enclave. 
GenerateDataKeyPair returns the public -// data key and a copy of the private data key encrypted under the specified KMS -// key, as usual. But instead of a plaintext copy of the private data key ( -// PrivateKeyPlaintext ), the response includes a copy of the private data key -// encrypted under the public key from the attestation document ( -// CiphertextForRecipient ). For information about the interaction between KMS and -// Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves -// uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html) -// in the Key Management Service Developer Guide.. You can use an optional -// encryption context to add additional security to the encryption operation. If -// you specify an EncryptionContext , you must specify the same encryption context -// (a case-sensitive exact match) when decrypting the encrypted data key. -// Otherwise, the request to decrypt fails with an InvalidCiphertextException . For -// more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) -// in the Key Management Service Developer Guide. The KMS key that you use for this -// operation must be in a compatible key state. For details, see Key states of KMS -// keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in -// the Key Management Service Developer Guide. Cross-account use: Yes. To perform -// this operation with a KMS key in a different Amazon Web Services account, -// specify the key ARN or alias ARN in the value of the KeyId parameter. 
Required -// permissions: kms:GenerateDataKeyPair (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - Decrypt -// - Encrypt -// - GenerateDataKey -// - GenerateDataKeyPairWithoutPlaintext -// - GenerateDataKeyWithoutPlaintext +// or sign a message, use the Decryptoperation to decrypt the encrypted private key in +// the data key pair. +// +// GenerateDataKeyPair returns a unique data key pair for each request. The bytes +// in the keys are random; they are not related to the caller or the KMS key that +// is used to encrypt the private key. The public key is a DER-encoded X.509 +// SubjectPublicKeyInfo, as specified in [RFC 5280]. The private key is a DER-encoded PKCS8 +// PrivateKeyInfo, as specified in [RFC 5958]. +// +// GenerateDataKeyPair also supports [Amazon Web Services Nitro Enclaves], which provide an isolated compute +// environment in Amazon EC2. To call GenerateDataKeyPair for an Amazon Web +// Services Nitro enclave, use the [Amazon Web Services Nitro Enclaves SDK]or any Amazon Web Services SDK. Use the +// Recipient parameter to provide the attestation document for the enclave. +// GenerateDataKeyPair returns the public data key and a copy of the private data +// key encrypted under the specified KMS key, as usual. But instead of a plaintext +// copy of the private data key ( PrivateKeyPlaintext ), the response includes a +// copy of the private data key encrypted under the public key from the attestation +// document ( CiphertextForRecipient ). For information about the interaction +// between KMS and Amazon Web Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves uses KMS]in the Key Management +// Service Developer Guide.. +// +// You can use an optional encryption context to add additional security to the +// encryption operation. 
If you specify an EncryptionContext , you must specify the +// same encryption context (a case-sensitive exact match) when decrypting the +// encrypted data key. Otherwise, the request to decrypt fails with an +// InvalidCiphertextException . For more information, see [Encryption Context] in the Key Management +// Service Developer Guide. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value of +// the KeyId parameter. +// +// Required permissions: [kms:GenerateDataKeyPair] (key policy) +// +// Related operations: +// +// # Decrypt +// +// # Encrypt +// +// # GenerateDataKey +// +// # GenerateDataKeyPairWithoutPlaintext +// +// # GenerateDataKeyWithoutPlaintext // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. 
+// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [RFC 5280]: https://tools.ietf.org/html/rfc5280 +// [Encryption Context]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context +// [Amazon Web Services Nitro Enclaves]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html +// [RFC 5958]: https://tools.ietf.org/html/rfc5958 +// [How Amazon Web Services Nitro Enclaves uses KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html +// [kms:GenerateDataKeyPair]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [Amazon Web Services Nitro Enclaves SDK]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk func (c *Client) GenerateDataKeyPair(ctx context.Context, params *GenerateDataKeyPairInput, optFns ...func(*Options)) (*GenerateDataKeyPairOutput, error) { if params == nil { params = &GenerateDataKeyPairInput{} 
@@ -97,73 +120,100 @@ type GenerateDataKeyPairInput struct { // Specifies the symmetric encryption KMS key that encrypts the private key in the // data key pair. You cannot specify an asymmetric KMS key or a KMS key in a custom - // key store. To get the type and origin of your KMS key, use the DescribeKey - // operation. To specify a KMS key, use its key ID, key ARN, alias name, or alias - // ARN. When using an alias name, prefix it with "alias/" . To specify a KMS key in - // a different Amazon Web Services account, you must use the key ARN or alias ARN. + // key store. To get the type and origin of your KMS key, use the DescribeKeyoperation. + // + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/" . To specify a KMS key in a + // different Amazon Web Services account, you must use the key ARN or alias ARN. + // // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // // - Alias name: alias/ExampleAlias + // // - Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . To - // get the alias name and alias ARN, use ListAliases . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name + // and alias ARN, use ListAliases. // // This member is required. KeyId *string - // Determines the type of data key pair that is generated. The KMS rule that - // restricts the use of asymmetric RSA and SM2 KMS keys to encrypt and decrypt or - // to sign and verify (but not both), and the rule that permits you to use ECC KMS - // keys only to sign and verify, are not effective on data key pairs, which are - // used outside of KMS. The SM2 key spec is only available in China Regions. + // Determines the type of data key pair that is generated. 
+ // + // The KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys to + // encrypt and decrypt or to sign and verify (but not both), and the rule that + // permits you to use ECC KMS keys only to sign and verify, are not effective on + // data key pairs, which are used outside of KMS. The SM2 key spec is only + // available in China Regions. // // This member is required. KeyPairSpec types.DataKeyPairSpec - // Checks if your request will succeed. DryRun is an optional parameter. To learn - // more about how to use this parameter, see Testing your KMS API calls (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html) - // in the Key Management Service Developer Guide. + // Checks if your request will succeed. DryRun is an optional parameter. + // + // To learn more about how to use this parameter, see [Testing your KMS API calls] in the Key Management + // Service Developer Guide. + // + // [Testing your KMS API calls]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html DryRun *bool // Specifies the encryption context that will be used when encrypting the private - // key in the data key pair. Do not include confidential or sensitive information - // in this field. This field may be displayed in plaintext in CloudTrail logs and - // other output. An encryption context is a collection of non-secret key-value - // pairs that represent additional authenticated data. When you use an encryption - // context to encrypt data, you must specify the same (an exact case-sensitive - // match) encryption context to decrypt the data. An encryption context is - // supported only on operations with symmetric encryption KMS keys. On operations - // with symmetric encryption KMS keys, an encryption context is optional, but it is - // strongly recommended. 
For more information, see Encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the Key Management Service Developer Guide. + // key in the data key pair. + // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. + // + // An encryption context is a collection of non-secret key-value pairs that + // represent additional authenticated data. When you use an encryption context to + // encrypt data, you must specify the same (an exact case-sensitive match) + // encryption context to decrypt the data. An encryption context is supported only + // on operations with symmetric encryption KMS keys. On operations with symmetric + // encryption KMS keys, an encryption context is optional, but it is strongly + // recommended. + // + // For more information, see [Encryption context] in the Key Management Service Developer Guide. + // + // [Encryption context]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context EncryptionContext map[string]string - // A list of grant tokens. Use a grant token when your permission to call this - // operation comes from a new grant that has not yet achieved eventual consistency. - // For more information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - // in the Key Management Service Developer Guide. + // A list of grant tokens. + // + // Use a grant token when your permission to call this operation comes from a new + // grant that has not yet achieved eventual consistency. For more information, see [Grant token] + // and [Using a grant token]in the Key Management Service Developer Guide. 
+ // + // [Grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token + // [Using a grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token GrantTokens []string - // A signed attestation document (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc) - // from an Amazon Web Services Nitro enclave and the encryption algorithm to use - // with the enclave's public key. The only valid encryption algorithm is - // RSAES_OAEP_SHA_256 . This parameter only supports attestation documents for - // Amazon Web Services Nitro Enclaves. To include this parameter, use the Amazon - // Web Services Nitro Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk) - // or any Amazon Web Services SDK. When you use this parameter, instead of - // returning a plaintext copy of the private data key, KMS encrypts the plaintext - // private data key under the public key in the attestation document, and returns - // the resulting ciphertext in the CiphertextForRecipient field in the response. - // This ciphertext can be decrypted only with the private key in the enclave. The - // CiphertextBlob field in the response contains a copy of the private data key - // encrypted under the KMS key specified by the KeyId parameter. The - // PrivateKeyPlaintext field in the response is null or empty. For information - // about the interaction between KMS and Amazon Web Services Nitro Enclaves, see - // How Amazon Web Services Nitro Enclaves uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html) - // in the Key Management Service Developer Guide. + // A signed [attestation document] from an Amazon Web Services Nitro enclave and the encryption + // algorithm to use with the enclave's public key. The only valid encryption + // algorithm is RSAES_OAEP_SHA_256 . 
+ // + // This parameter only supports attestation documents for Amazon Web Services + // Nitro Enclaves. To include this parameter, use the [Amazon Web Services Nitro Enclaves SDK]or any Amazon Web Services + // SDK. + // + // When you use this parameter, instead of returning a plaintext copy of the + // private data key, KMS encrypts the plaintext private data key under the public + // key in the attestation document, and returns the resulting ciphertext in the + // CiphertextForRecipient field in the response. This ciphertext can be decrypted + // only with the private key in the enclave. The CiphertextBlob field in the + // response contains a copy of the private data key encrypted under the KMS key + // specified by the KeyId parameter. The PrivateKeyPlaintext field in the response + // is null or empty. + // + // For information about the interaction between KMS and Amazon Web Services Nitro + // Enclaves, see [How Amazon Web Services Nitro Enclaves uses KMS]in the Key Management Service Developer Guide. + // + // [attestation document]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc + // [How Amazon Web Services Nitro Enclaves uses KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html + // [Amazon Web Services Nitro Enclaves SDK]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk Recipient *types.RecipientInfo noSmithyDocumentSerde 
@@ -173,16 +223,19 @@ type GenerateDataKeyPairOutput struct { // The plaintext private data key encrypted with the public key from the Nitro // enclave. This ciphertext can be decrypted only by using a private key in the - // Nitro enclave. This field is included in the response only when the Recipient - // parameter in the request includes a valid attestation document from an Amazon - // Web Services Nitro enclave. For information about the interaction between KMS - // and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro - // Enclaves uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html) - // in the Key Management Service Developer Guide. + // Nitro enclave. + // + // This field is included in the response only when the Recipient parameter in the + // request includes a valid attestation document from an Amazon Web Services Nitro + // enclave. For information about the interaction between KMS and Amazon Web + // Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves uses KMS]in the Key Management Service Developer Guide. + // + // [How Amazon Web Services Nitro Enclaves uses KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html CiphertextForRecipient []byte - // The Amazon Resource Name ( key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) - // ) of the KMS key that encrypted the private key. + // The Amazon Resource Name ([key ARN] ) of the KMS key that encrypted the private key. + // + // [key ARN]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN KeyId *string // The type of data key pair that was generated. 
@@ -195,7 +248,9 @@ type GenerateDataKeyPairOutput struct { // The plaintext copy of the private key. When you use the HTTP API or the Amazon // Web Services CLI, the value is Base64-encoded. Otherwise, it is not - // Base64-encoded. If the response includes the CiphertextForRecipient field, the + // Base64-encoded. + // + // If the response includes the CiphertextForRecipient field, the // PrivateKeyPlaintext field is null or empty. PrivateKeyPlaintext []byte diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKeyPairWithoutPlaintext.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKeyPairWithoutPlaintext.go index 94393a5168b..f3bc534a0e0 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKeyPairWithoutPlaintext.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKeyPairWithoutPlaintext.go 
@@ -13,48 +13,68 @@ import ( // Returns a unique asymmetric data key pair for use outside of KMS. This // operation returns a plaintext public key and a copy of the private key that is -// encrypted under the symmetric encryption KMS key you specify. Unlike -// GenerateDataKeyPair , this operation does not return a plaintext private key. -// The bytes in the keys are random; they are not related to the caller or to the -// KMS key that is used to encrypt the private key. You can use the public key that -// GenerateDataKeyPairWithoutPlaintext returns to encrypt data or verify a -// signature outside of KMS. Then, store the encrypted private key with the data. -// When you are ready to decrypt data or sign a message, you can use the Decrypt -// operation to decrypt the encrypted private key. To generate a data key pair, you -// must specify a symmetric encryption KMS key to encrypt the private key in a data -// key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key -// store. To get the type and origin of your KMS key, use the DescribeKey -// operation. Use the KeyPairSpec parameter to choose an RSA or Elliptic Curve -// (ECC) data key pair. In China Regions, you can also choose an SM2 data key pair. -// KMS recommends that you use ECC key pairs for signing, and use RSA and SM2 key -// pairs for either encryption or signing, but not both. However, KMS cannot -// enforce any restrictions on the use of data key pairs outside of KMS. +// encrypted under the symmetric encryption KMS key you specify. Unlike GenerateDataKeyPair, this +// operation does not return a plaintext private key. The bytes in the keys are +// random; they are not related to the caller or to the KMS key that is used to +// encrypt the private key. +// +// You can use the public key that GenerateDataKeyPairWithoutPlaintext returns to +// encrypt data or verify a signature outside of KMS. Then, store the encrypted +// private key with the data. 
When you are ready to decrypt data or sign a message, +// you can use the Decryptoperation to decrypt the encrypted private key. +// +// To generate a data key pair, you must specify a symmetric encryption KMS key to +// encrypt the private key in a data key pair. You cannot use an asymmetric KMS key +// or a KMS key in a custom key store. To get the type and origin of your KMS key, +// use the DescribeKeyoperation. +// +// Use the KeyPairSpec parameter to choose an RSA or Elliptic Curve (ECC) data key +// pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends +// that you use ECC key pairs for signing, and use RSA and SM2 key pairs for either +// encryption or signing, but not both. However, KMS cannot enforce any +// restrictions on the use of data key pairs outside of KMS. +// // GenerateDataKeyPairWithoutPlaintext returns a unique data key pair for each // request. The bytes in the key are not related to the caller or KMS key that is // used to encrypt the private key. The public key is a DER-encoded X.509 -// SubjectPublicKeyInfo, as specified in RFC 5280 (https://tools.ietf.org/html/rfc5280) -// . You can use an optional encryption context to add additional security to the +// SubjectPublicKeyInfo, as specified in [RFC 5280]. +// +// You can use an optional encryption context to add additional security to the // encryption operation. If you specify an EncryptionContext , you must specify the // same encryption context (a case-sensitive exact match) when decrypting the // encrypted data key. Otherwise, the request to decrypt fails with an -// InvalidCiphertextException . For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) -// in the Key Management Service Developer Guide. The KMS key that you use for this -// operation must be in a compatible key state. 
For details, see Key states of KMS -// keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in -// the Key Management Service Developer Guide. Cross-account use: Yes. To perform -// this operation with a KMS key in a different Amazon Web Services account, -// specify the key ARN or alias ARN in the value of the KeyId parameter. Required -// permissions: kms:GenerateDataKeyPairWithoutPlaintext (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - Decrypt -// - Encrypt -// - GenerateDataKey -// - GenerateDataKeyPair -// - GenerateDataKeyWithoutPlaintext +// InvalidCiphertextException . For more information, see [Encryption Context] in the Key Management +// Service Developer Guide. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value of +// the KeyId parameter. +// +// Required permissions: [kms:GenerateDataKeyPairWithoutPlaintext] (key policy) +// +// Related operations: +// +// # Decrypt +// +// # Encrypt +// +// # GenerateDataKey +// +// # GenerateDataKeyPair +// +// # GenerateDataKeyWithoutPlaintext // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. 
+// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [RFC 5280]: https://tools.ietf.org/html/rfc5280 +// [Encryption Context]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context +// [kms:GenerateDataKeyPairWithoutPlaintext]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) GenerateDataKeyPairWithoutPlaintext(ctx context.Context, params *GenerateDataKeyPairWithoutPlaintextInput, optFns ...func(*Options)) (*GenerateDataKeyPairWithoutPlaintextOutput, error) { if params == nil { params = &GenerateDataKeyPairWithoutPlaintextInput{} 
@@ -74,54 +94,75 @@ type GenerateDataKeyPairWithoutPlaintextInput struct { // Specifies the symmetric encryption KMS key that encrypts the private key in the // data key pair. You cannot specify an asymmetric KMS key or a KMS key in a custom - // key store. To get the type and origin of your KMS key, use the DescribeKey - // operation. To specify a KMS key, use its key ID, key ARN, alias name, or alias - // ARN. When using an alias name, prefix it with "alias/" . To specify a KMS key in - // a different Amazon Web Services account, you must use the key ARN or alias ARN. + // key store. To get the type and origin of your KMS key, use the DescribeKeyoperation. + // + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/" . To specify a KMS key in a + // different Amazon Web Services account, you must use the key ARN or alias ARN. + // // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // // - Alias name: alias/ExampleAlias + // // - Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . To - // get the alias name and alias ARN, use ListAliases . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name + // and alias ARN, use ListAliases. // // This member is required. KeyId *string - // Determines the type of data key pair that is generated. The KMS rule that - // restricts the use of asymmetric RSA and SM2 KMS keys to encrypt and decrypt or - // to sign and verify (but not both), and the rule that permits you to use ECC KMS - // keys only to sign and verify, are not effective on data key pairs, which are - // used outside of KMS. The SM2 key spec is only available in China Regions. 
+ // Determines the type of data key pair that is generated. + // + // The KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys to + // encrypt and decrypt or to sign and verify (but not both), and the rule that + // permits you to use ECC KMS keys only to sign and verify, are not effective on + // data key pairs, which are used outside of KMS. The SM2 key spec is only + // available in China Regions. // // This member is required. KeyPairSpec types.DataKeyPairSpec - // Checks if your request will succeed. DryRun is an optional parameter. To learn - // more about how to use this parameter, see Testing your KMS API calls (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html) - // in the Key Management Service Developer Guide. + // Checks if your request will succeed. DryRun is an optional parameter. + // + // To learn more about how to use this parameter, see [Testing your KMS API calls] in the Key Management + // Service Developer Guide. + // + // [Testing your KMS API calls]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html DryRun *bool // Specifies the encryption context that will be used when encrypting the private - // key in the data key pair. Do not include confidential or sensitive information - // in this field. This field may be displayed in plaintext in CloudTrail logs and - // other output. An encryption context is a collection of non-secret key-value - // pairs that represent additional authenticated data. When you use an encryption - // context to encrypt data, you must specify the same (an exact case-sensitive - // match) encryption context to decrypt the data. An encryption context is - // supported only on operations with symmetric encryption KMS keys. On operations - // with symmetric encryption KMS keys, an encryption context is optional, but it is - // strongly recommended. 
For more information, see Encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the Key Management Service Developer Guide. + // key in the data key pair. + // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. + // + // An encryption context is a collection of non-secret key-value pairs that + // represent additional authenticated data. When you use an encryption context to + // encrypt data, you must specify the same (an exact case-sensitive match) + // encryption context to decrypt the data. An encryption context is supported only + // on operations with symmetric encryption KMS keys. On operations with symmetric + // encryption KMS keys, an encryption context is optional, but it is strongly + // recommended. + // + // For more information, see [Encryption context] in the Key Management Service Developer Guide. + // + // [Encryption context]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context EncryptionContext map[string]string - // A list of grant tokens. Use a grant token when your permission to call this - // operation comes from a new grant that has not yet achieved eventual consistency. - // For more information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - // in the Key Management Service Developer Guide. + // A list of grant tokens. + // + // Use a grant token when your permission to call this operation comes from a new + // grant that has not yet achieved eventual consistency. For more information, see [Grant token] + // and [Using a grant token]in the Key Management Service Developer Guide. 
+ // + // [Grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token + // [Using a grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token GrantTokens []string noSmithyDocumentSerde @@ -129,8 +170,9 @@ type GenerateDataKeyPairWithoutPlaintextInput struct { type GenerateDataKeyPairWithoutPlaintextOutput struct { - // The Amazon Resource Name ( key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) - // ) of the KMS key that encrypted the private key. + // The Amazon Resource Name ([key ARN] ) of the KMS key that encrypted the private key. + // + // [key ARN]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN KeyId *string // The type of data key pair that was generated. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKeyWithoutPlaintext.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKeyWithoutPlaintext.go index 0a5af3cd567..3947b622641 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKeyWithoutPlaintext.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateDataKeyWithoutPlaintext.go 
@@ -14,52 +14,77 @@ import ( // Returns a unique symmetric data key for use outside of KMS. This operation // returns a data key that is encrypted under a symmetric encryption KMS key that // you specify. The bytes in the key are random; they are not related to the caller -// or to the KMS key. GenerateDataKeyWithoutPlaintext is identical to the -// GenerateDataKey operation except that it does not return a plaintext copy of the -// data key. This operation is useful for systems that need to encrypt data at some -// point, but not immediately. When you need to encrypt the data, you call the -// Decrypt operation on the encrypted copy of the key. It's also useful in -// distributed systems with different levels of trust. For example, you might store -// encrypted data in containers. One component of your system creates new -// containers and stores an encrypted data key with each container. Then, a -// different component puts the data into the containers. That component first -// decrypts the data key, uses the plaintext data key to encrypt data, puts the -// encrypted data into the container, and then destroys the plaintext data key. In -// this system, the component that creates the containers never sees the plaintext -// data key. To request an asymmetric data key pair, use the GenerateDataKeyPair -// or GenerateDataKeyPairWithoutPlaintext operations. To generate a data key, you -// must specify the symmetric encryption KMS key that is used to encrypt the data -// key. You cannot use an asymmetric KMS key or a key in a custom key store to -// generate a data key. To get the type of your KMS key, use the DescribeKey -// operation. You must also specify the length of the data key. Use either the -// KeySpec or NumberOfBytes parameters (but not both). For 128-bit and 256-bit -// data keys, use the KeySpec parameter. To generate an SM4 data key (China -// Regions only), specify a KeySpec value of AES_128 or NumberOfBytes value of 16 . 
-// The symmetric encryption key used in China Regions to encrypt your data key is -// an SM4 encryption key. If the operation succeeds, you will find the encrypted -// copy of the data key in the CiphertextBlob field. You can use an optional -// encryption context to add additional security to the encryption operation. If -// you specify an EncryptionContext , you must specify the same encryption context -// (a case-sensitive exact match) when decrypting the encrypted data key. -// Otherwise, the request to decrypt fails with an InvalidCiphertextException . For -// more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) -// in the Key Management Service Developer Guide. The KMS key that you use for this -// operation must be in a compatible key state. For details, see Key states of KMS -// keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in -// the Key Management Service Developer Guide. Cross-account use: Yes. To perform -// this operation with a KMS key in a different Amazon Web Services account, -// specify the key ARN or alias ARN in the value of the KeyId parameter. Required -// permissions: kms:GenerateDataKeyWithoutPlaintext (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - Decrypt -// - Encrypt -// - GenerateDataKey -// - GenerateDataKeyPair -// - GenerateDataKeyPairWithoutPlaintext +// or to the KMS key. +// +// GenerateDataKeyWithoutPlaintext is identical to the GenerateDataKey operation except that it +// does not return a plaintext copy of the data key. +// +// This operation is useful for systems that need to encrypt data at some point, +// but not immediately. When you need to encrypt the data, you call the Decryptoperation +// on the encrypted copy of the key. +// +// It's also useful in distributed systems with different levels of trust. 
For +// example, you might store encrypted data in containers. One component of your +// system creates new containers and stores an encrypted data key with each +// container. Then, a different component puts the data into the containers. That +// component first decrypts the data key, uses the plaintext data key to encrypt +// data, puts the encrypted data into the container, and then destroys the +// plaintext data key. In this system, the component that creates the containers +// never sees the plaintext data key. +// +// To request an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operations. +// +// To generate a data key, you must specify the symmetric encryption KMS key that +// is used to encrypt the data key. You cannot use an asymmetric KMS key or a key +// in a custom key store to generate a data key. To get the type of your KMS key, +// use the DescribeKeyoperation. +// +// You must also specify the length of the data key. Use either the KeySpec or +// NumberOfBytes parameters (but not both). For 128-bit and 256-bit data keys, use +// the KeySpec parameter. +// +// To generate an SM4 data key (China Regions only), specify a KeySpec value of +// AES_128 or NumberOfBytes value of 16 . The symmetric encryption key used in +// China Regions to encrypt your data key is an SM4 encryption key. +// +// If the operation succeeds, you will find the encrypted copy of the data key in +// the CiphertextBlob field. +// +// You can use an optional encryption context to add additional security to the +// encryption operation. If you specify an EncryptionContext , you must specify the +// same encryption context (a case-sensitive exact match) when decrypting the +// encrypted data key. Otherwise, the request to decrypt fails with an +// InvalidCiphertextException . For more information, see [Encryption Context] in the Key Management +// Service Developer Guide. 
+// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value of +// the KeyId parameter. +// +// Required permissions: [kms:GenerateDataKeyWithoutPlaintext] (key policy) +// +// Related operations: +// +// # Decrypt +// +// # Encrypt +// +// # GenerateDataKey +// +// # GenerateDataKeyPair +// +// # GenerateDataKeyPairWithoutPlaintext // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [Encryption Context]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context +// [kms:GenerateDataKeyWithoutPlaintext]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) GenerateDataKeyWithoutPlaintext(ctx context.Context, params *GenerateDataKeyWithoutPlaintextInput, optFns ...func(*Options)) (*GenerateDataKeyWithoutPlaintextOutput, error) { if params == nil { params = &GenerateDataKeyWithoutPlaintextInput{} 
@@ -79,44 +104,63 @@ type GenerateDataKeyWithoutPlaintextInput struct { // Specifies the symmetric encryption KMS key that encrypts the data key. You // cannot specify an asymmetric KMS key or a KMS key in a custom key store. To get - // the type and origin of your KMS key, use the DescribeKey operation. To specify - // a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an - // alias name, prefix it with "alias/" . To specify a KMS key in a different Amazon - // Web Services account, you must use the key ARN or alias ARN. For example: + // the type and origin of your KMS key, use the DescribeKeyoperation. + // + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/" . To specify a KMS key in a + // different Amazon Web Services account, you must use the key ARN or alias ARN. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // // - Alias name: alias/ExampleAlias + // // - Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . To - // get the alias name and alias ARN, use ListAliases . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name + // and alias ARN, use ListAliases. // // This member is required. KeyId *string - // Checks if your request will succeed. DryRun is an optional parameter. To learn - // more about how to use this parameter, see Testing your KMS API calls (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html) - // in the Key Management Service Developer Guide. + // Checks if your request will succeed. DryRun is an optional parameter. 
+ // + // To learn more about how to use this parameter, see [Testing your KMS API calls] in the Key Management + // Service Developer Guide. + // + // [Testing your KMS API calls]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html DryRun *bool - // Specifies the encryption context that will be used when encrypting the data - // key. Do not include confidential or sensitive information in this field. This - // field may be displayed in plaintext in CloudTrail logs and other output. An - // encryption context is a collection of non-secret key-value pairs that represent - // additional authenticated data. When you use an encryption context to encrypt - // data, you must specify the same (an exact case-sensitive match) encryption - // context to decrypt the data. An encryption context is supported only on - // operations with symmetric encryption KMS keys. On operations with symmetric + // Specifies the encryption context that will be used when encrypting the data key. + // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. + // + // An encryption context is a collection of non-secret key-value pairs that + // represent additional authenticated data. When you use an encryption context to + // encrypt data, you must specify the same (an exact case-sensitive match) + // encryption context to decrypt the data. An encryption context is supported only + // on operations with symmetric encryption KMS keys. On operations with symmetric // encryption KMS keys, an encryption context is optional, but it is strongly - // recommended. For more information, see Encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the Key Management Service Developer Guide. + // recommended. + // + // For more information, see [Encryption context] in the Key Management Service Developer Guide. 
+ // + // [Encryption context]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context EncryptionContext map[string]string - // A list of grant tokens. Use a grant token when your permission to call this - // operation comes from a new grant that has not yet achieved eventual consistency. - // For more information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - // in the Key Management Service Developer Guide. + // A list of grant tokens. + // + // Use a grant token when your permission to call this operation comes from a new + // grant that has not yet achieved eventual consistency. For more information, see [Grant token] + // and [Using a grant token]in the Key Management Service Developer Guide. + // + // [Grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token + // [Using a grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token GrantTokens []string // The length of the data key. Use AES_128 to generate a 128-bit symmetric key, or @@ -138,8 +182,9 @@ type GenerateDataKeyWithoutPlaintextOutput struct { // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. CiphertextBlob []byte - // The Amazon Resource Name ( key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) - // ) of the KMS key that encrypted the data key. + // The Amazon Resource Name ([key ARN] ) of the KMS key that encrypted the data key. + // + // [key ARN]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN KeyId *string // Metadata pertaining to the operation's result. 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateMac.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateMac.go index 5a2819bdb39..1abd90e2cfa 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateMac.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateMac.go 
@@ -13,29 +13,42 @@ import ( // Generates a hash-based message authentication code (HMAC) for a message using // an HMAC KMS key and a MAC algorithm that the key supports. HMAC KMS keys and the -// HMAC algorithms that KMS uses conform to industry standards defined in RFC 2104 (https://datatracker.ietf.org/doc/html/rfc2104) -// . You can use value that GenerateMac returns in the VerifyMac operation to -// demonstrate that the original message has not changed. Also, because a secret -// key is used to create the hash, you can verify that the party that generated the -// hash has the required secret key. You can also use the raw result to implement -// HMAC-based algorithms such as key derivation functions. This operation is part -// of KMS support for HMAC KMS keys. For details, see HMAC keys in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html) -// in the Key Management Service Developer Guide . Best practices recommend that -// you limit the time during which any signing mechanism, including an HMAC, is -// effective. This deters an attack where the actor uses a signed message to -// establish validity repeatedly or long after the message is superseded. HMAC tags -// do not include a timestamp, but you can include a timestamp in the token or -// message to help you detect when its time to refresh the HMAC. The KMS key that -// you use for this operation must be in a compatible key state. For details, see -// Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. Cross-account use: Yes. To -// perform this operation with a KMS key in a different Amazon Web Services -// account, specify the key ARN or alias ARN in the value of the KeyId parameter. 
-// Required permissions: kms:GenerateMac (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: VerifyMac Eventual consistency: The KMS API -// follows an eventual consistency model. For more information, see KMS eventual -// consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// HMAC algorithms that KMS uses conform to industry standards defined in [RFC 2104]. +// +// You can use value that GenerateMac returns in the VerifyMac operation to demonstrate +// that the original message has not changed. Also, because a secret key is used to +// create the hash, you can verify that the party that generated the hash has the +// required secret key. You can also use the raw result to implement HMAC-based +// algorithms such as key derivation functions. This operation is part of KMS +// support for HMAC KMS keys. For details, see [HMAC keys in KMS]in the Key Management Service +// Developer Guide . +// +// Best practices recommend that you limit the time during which any signing +// mechanism, including an HMAC, is effective. This deters an attack where the +// actor uses a signed message to establish validity repeatedly or long after the +// message is superseded. HMAC tags do not include a timestamp, but you can include +// a timestamp in the token or message to help you detect when its time to refresh +// the HMAC. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value of +// the KeyId parameter. 
+// +// Required permissions: [kms:GenerateMac] (key policy) +// +// Related operations: VerifyMac +// +// Eventual consistency: The KMS API follows an eventual consistency model. For +// more information, see [KMS eventual consistency]. +// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [kms:GenerateMac]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [RFC 2104]: https://datatracker.ietf.org/doc/html/rfc2104 +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [HMAC keys in KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html func (c *Client) GenerateMac(ctx context.Context, params *GenerateMacInput, optFns ...func(*Options)) (*GenerateMacOutput, error) { if params == nil { params = &GenerateMacInput{} 
@@ -54,39 +67,50 @@ func (c *Client) GenerateMac(ctx context.Context, params *GenerateMacInput, optF type GenerateMacInput struct { // The HMAC KMS key to use in the operation. The MAC algorithm computes the HMAC - // for the message and the key as described in RFC 2104 (https://datatracker.ietf.org/doc/html/rfc2104) - // . To identify an HMAC KMS key, use the DescribeKey operation and see the KeySpec - // field in the response. + // for the message and the key as described in [RFC 2104]. + // + // To identify an HMAC KMS key, use the DescribeKey operation and see the KeySpec field in + // the response. + // + // [RFC 2104]: https://datatracker.ietf.org/doc/html/rfc2104 // // This member is required. KeyId *string - // The MAC algorithm used in the operation. The algorithm must be compatible with - // the HMAC KMS key that you specify. To find the MAC algorithms that your HMAC KMS - // key supports, use the DescribeKey operation and see the MacAlgorithms field in - // the DescribeKey response. + // The MAC algorithm used in the operation. + // + // The algorithm must be compatible with the HMAC KMS key that you specify. To + // find the MAC algorithms that your HMAC KMS key supports, use the DescribeKeyoperation and + // see the MacAlgorithms field in the DescribeKey response. // // This member is required. MacAlgorithm types.MacAlgorithmSpec - // The message to be hashed. Specify a message of up to 4,096 bytes. GenerateMac - // and VerifyMac do not provide special handling for message digests. If you + // The message to be hashed. Specify a message of up to 4,096 bytes. + // + // GenerateMac and VerifyMac do not provide special handling for message digests. If you // generate an HMAC for a hash digest of a message, you must verify the HMAC of the // same hash digest. // // This member is required. Message []byte - // Checks if your request will succeed. DryRun is an optional parameter. 
To learn - // more about how to use this parameter, see Testing your KMS API calls (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html) - // in the Key Management Service Developer Guide. + // Checks if your request will succeed. DryRun is an optional parameter. + // + // To learn more about how to use this parameter, see [Testing your KMS API calls] in the Key Management + // Service Developer Guide. + // + // [Testing your KMS API calls]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html DryRun *bool - // A list of grant tokens. Use a grant token when your permission to call this - // operation comes from a new grant that has not yet achieved eventual consistency. - // For more information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - // in the Key Management Service Developer Guide. + // A list of grant tokens. + // + // Use a grant token when your permission to call this operation comes from a new + // grant that has not yet achieved eventual consistency. For more information, see [Grant token] + // and [Using a grant token]in the Key Management Service Developer Guide. + // + // [Grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token + // [Using a grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token GrantTokens []string noSmithyDocumentSerde 
@@ -98,8 +122,11 @@ type GenerateMacOutput struct { KeyId *string // The hash-based message authentication code (HMAC) that was generated for the - // specified message, HMAC KMS key, and MAC algorithm. This is the standard, raw - // HMAC defined in RFC 2104 (https://datatracker.ietf.org/doc/html/rfc2104) . + // specified message, HMAC KMS key, and MAC algorithm. + // + // This is the standard, raw HMAC defined in [RFC 2104]. + // + // [RFC 2104]: https://datatracker.ietf.org/doc/html/rfc2104 Mac []byte // The MAC algorithm that was used to generate the HMAC. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateRandom.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateRandom.go index b2a2569ee82..456c544f319 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateRandom.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GenerateRandom.go 
@@ -11,30 +11,40 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Returns a random byte string that is cryptographically secure. You must use the -// NumberOfBytes parameter to specify the length of the random byte string. There -// is no default value for string length. By default, the random byte string is -// generated in KMS. To generate the byte string in the CloudHSM cluster associated -// with an CloudHSM key store, use the CustomKeyStoreId parameter. GenerateRandom -// also supports Amazon Web Services Nitro Enclaves (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html) -// , which provide an isolated compute environment in Amazon EC2. To call -// GenerateRandom for a Nitro enclave, use the Amazon Web Services Nitro Enclaves -// SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk) -// or any Amazon Web Services SDK. Use the Recipient parameter to provide the -// attestation document for the enclave. Instead of plaintext bytes, the response -// includes the plaintext bytes encrypted under the public key from the attestation -// document ( CiphertextForRecipient ).For information about the interaction -// between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services -// Nitro Enclaves uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html) -// in the Key Management Service Developer Guide. For more information about -// entropy and random number generation, see Key Management Service Cryptographic -// Details (https://docs.aws.amazon.com/kms/latest/cryptographic-details/) . +// Returns a random byte string that is cryptographically secure. +// +// You must use the NumberOfBytes parameter to specify the length of the random +// byte string. There is no default value for string length. +// +// By default, the random byte string is generated in KMS. 
To generate the byte +// string in the CloudHSM cluster associated with an CloudHSM key store, use the +// CustomKeyStoreId parameter. +// +// GenerateRandom also supports [Amazon Web Services Nitro Enclaves], which provide an isolated compute environment in +// Amazon EC2. To call GenerateRandom for a Nitro enclave, use the [Amazon Web Services Nitro Enclaves SDK] or any Amazon +// Web Services SDK. Use the Recipient parameter to provide the attestation +// document for the enclave. Instead of plaintext bytes, the response includes the +// plaintext bytes encrypted under the public key from the attestation document ( +// CiphertextForRecipient ).For information about the interaction between KMS and +// Amazon Web Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves uses KMS]in the Key Management Service Developer +// Guide. +// +// For more information about entropy and random number generation, see [Key Management Service Cryptographic Details]. +// // Cross-account use: Not applicable. GenerateRandom does not use any -// account-specific resources, such as KMS keys. Required permissions: -// kms:GenerateRandom (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (IAM policy) Eventual consistency: The KMS API follows an eventual consistency -// model. For more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// account-specific resources, such as KMS keys. +// +// Required permissions: [kms:GenerateRandom] (IAM policy) +// +// Eventual consistency: The KMS API follows an eventual consistency model. For +// more information, see [KMS eventual consistency]. 
+// +// [kms:GenerateRandom]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [Amazon Web Services Nitro Enclaves]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html +// [Key Management Service Cryptographic Details]: https://docs.aws.amazon.com/kms/latest/cryptographic-details/ +// [How Amazon Web Services Nitro Enclaves uses KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [Amazon Web Services Nitro Enclaves SDK]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk func (c *Client) GenerateRandom(ctx context.Context, params *GenerateRandomInput, optFns ...func(*Options)) (*GenerateRandomOutput, error) { if params == nil { params = &GenerateRandomInput{} 
@@ -54,28 +64,36 @@ type GenerateRandomInput struct { // Generates the random byte string in the CloudHSM cluster that is associated // with the specified CloudHSM key store. To find the ID of a custom key store, use - // the DescribeCustomKeyStores operation. External key store IDs are not valid for - // this parameter. If you specify the ID of an external key store, GenerateRandom - // throws an UnsupportedOperationException . + // the DescribeCustomKeyStoresoperation. + // + // External key store IDs are not valid for this parameter. If you specify the ID + // of an external key store, GenerateRandom throws an UnsupportedOperationException + // . CustomKeyStoreId *string // The length of the random byte string. This parameter is required. NumberOfBytes *int32 - // A signed attestation document (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc) - // from an Amazon Web Services Nitro enclave and the encryption algorithm to use - // with the enclave's public key. The only valid encryption algorithm is - // RSAES_OAEP_SHA_256 . This parameter only supports attestation documents for - // Amazon Web Services Nitro Enclaves. To include this parameter, use the Amazon - // Web Services Nitro Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk) - // or any Amazon Web Services SDK. When you use this parameter, instead of - // returning plaintext bytes, KMS encrypts the plaintext bytes under the public key - // in the attestation document, and returns the resulting ciphertext in the - // CiphertextForRecipient field in the response. This ciphertext can be decrypted - // only with the private key in the enclave. The Plaintext field in the response - // is null or empty. 
For information about the interaction between KMS and Amazon - // Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html) - // in the Key Management Service Developer Guide. + // A signed [attestation document] from an Amazon Web Services Nitro enclave and the encryption + // algorithm to use with the enclave's public key. The only valid encryption + // algorithm is RSAES_OAEP_SHA_256 . + // + // This parameter only supports attestation documents for Amazon Web Services + // Nitro Enclaves. To include this parameter, use the [Amazon Web Services Nitro Enclaves SDK]or any Amazon Web Services + // SDK. + // + // When you use this parameter, instead of returning plaintext bytes, KMS encrypts + // the plaintext bytes under the public key in the attestation document, and + // returns the resulting ciphertext in the CiphertextForRecipient field in the + // response. This ciphertext can be decrypted only with the private key in the + // enclave. The Plaintext field in the response is null or empty. + // + // For information about the interaction between KMS and Amazon Web Services Nitro + // Enclaves, see [How Amazon Web Services Nitro Enclaves uses KMS]in the Key Management Service Developer Guide. + // + // [attestation document]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc + // [How Amazon Web Services Nitro Enclaves uses KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html + // [Amazon Web Services Nitro Enclaves SDK]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk Recipient *types.RecipientInfo noSmithyDocumentSerde 
@@ -85,18 +103,21 @@ type GenerateRandomOutput struct { // The plaintext random bytes encrypted with the public key from the Nitro // enclave. This ciphertext can be decrypted only by using a private key in the - // Nitro enclave. This field is included in the response only when the Recipient - // parameter in the request includes a valid attestation document from an Amazon - // Web Services Nitro enclave. For information about the interaction between KMS - // and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro - // Enclaves uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html) - // in the Key Management Service Developer Guide. + // Nitro enclave. + // + // This field is included in the response only when the Recipient parameter in the + // request includes a valid attestation document from an Amazon Web Services Nitro + // enclave. For information about the interaction between KMS and Amazon Web + // Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves uses KMS]in the Key Management Service Developer Guide. + // + // [How Amazon Web Services Nitro Enclaves uses KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html CiphertextForRecipient []byte // The random byte string. When you use the HTTP API or the Amazon Web Services - // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. If the - // response includes the CiphertextForRecipient field, the Plaintext field is null - // or empty. + // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. + // + // If the response includes the CiphertextForRecipient field, the Plaintext field + // is null or empty. Plaintext []byte // Metadata pertaining to the operation's result. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetKeyPolicy.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetKeyPolicy.go index 2ef4663d36f..b4c238dcb56 100644 
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetKeyPolicy.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetKeyPolicy.go @@ -10,13 +10,21 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Gets a key policy attached to the specified KMS key. Cross-account use: No. You -// cannot perform this operation on a KMS key in a different Amazon Web Services -// account. Required permissions: kms:GetKeyPolicy (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: PutKeyPolicy (https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) +// Gets a key policy attached to the specified KMS key. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. +// +// Required permissions: [kms:GetKeyPolicy] (key policy) +// +// Related operations: [PutKeyPolicy] +// // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [kms:GetKeyPolicy]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [PutKeyPolicy]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) GetKeyPolicy(ctx context.Context, params *GetKeyPolicyInput, optFns ...func(*Options)) (*GetKeyPolicyOutput, error) { if params == nil { params = &GetKeyPolicyInput{} 
@@ -34,19 +42,25 @@ func (c *Client) GetKeyPolicy(ctx context.Context, params *GetKeyPolicyInput, op type GetKeyPolicyInput struct { - // Gets the key policy for the specified KMS key. Specify the key ID or key ARN of - // the KMS key. For example: + // Gets the key policy for the specified KMS key. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string // Specifies the name of the key policy. If no policy name is specified, the // default value is default . The only valid name is default . To get the names of - // key policies, use ListKeyPolicies . + // key policies, use ListKeyPolicies. PolicyName *string noSmithyDocumentSerde diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetKeyRotationStatus.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetKeyRotationStatus.go index 2214d4b0120..6fb0cd556e9 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetKeyRotationStatus.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetKeyRotationStatus.go 
@@ -8,32 +8,35 @@ import ( awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" "github.com/aws/smithy-go/middleware" smithyhttp "github.com/aws/smithy-go/transport/http" + "time" ) -// Gets a Boolean value that indicates whether automatic rotation of the key -// material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) -// is enabled for the specified KMS key. When you enable automatic rotation for -// customer managed KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) -// , KMS rotates the key material of the KMS key one year (approximately 365 days) -// from the enable date and every year thereafter. You can monitor rotation of the -// key material for your KMS keys in CloudTrail and Amazon CloudWatch. Automatic -// key rotation is supported only on symmetric encryption KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks) -// . You cannot enable automatic rotation of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) -// , HMAC KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html) -// , KMS keys with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) -// , or KMS keys in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// . To enable or disable automatic rotation of a set of related multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate) -// , set the property on the primary key.. You can enable ( EnableKeyRotation ) and -// disable automatic rotation ( DisableKeyRotation ) of the key material in -// customer managed KMS keys. Key material rotation of Amazon Web Services managed -// KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) -// is not configurable. 
KMS always rotates the key material in Amazon Web Services -// managed KMS keys every year. The key rotation status for Amazon Web Services -// managed KMS keys is always true . In May 2022, KMS changed the rotation schedule -// for Amazon Web Services managed keys from every three years to every year. For -// details, see EnableKeyRotation . The KMS key that you use for this operation -// must be in a compatible key state. For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. +// Provides detailed information about the rotation status for a KMS key, +// including whether [automatic rotation of the key material]is enabled for the specified KMS key, the [rotation period], and the next +// scheduled rotation date. +// +// Automatic key rotation is supported only on [symmetric encryption KMS keys]. You cannot enable automatic +// rotation of [asymmetric KMS keys], [HMAC KMS keys], KMS keys with [imported key material], or KMS keys in a [custom key store]. To enable or disable +// automatic rotation of a set of related [multi-Region keys], set the property on the primary key.. +// +// You can enable (EnableKeyRotation ) and disable automatic rotation (DisableKeyRotation ) of the key material in +// customer managed KMS keys. Key material rotation of [Amazon Web Services managed KMS keys]is not configurable. KMS +// always rotates the key material in Amazon Web Services managed KMS keys every +// year. The key rotation status for Amazon Web Services managed KMS keys is always +// true . +// +// You can perform on-demand (RotateKeyOnDemand ) rotation of the key material in customer managed +// KMS keys, regardless of whether or not automatic key rotation is enabled. You +// can use GetKeyRotationStatus to identify the date and time that an in progress +// on-demand rotation was initiated. You can use ListKeyRotationsto view the details of completed +// rotations. 
+// +// In May 2022, KMS changed the rotation schedule for Amazon Web Services managed +// keys from every three years to every year. For details, see EnableKeyRotation. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// // - Disabled: The key rotation status does not change when you disable a KMS // key. However, while the KMS key is disabled, KMS does not rotate the key // material. When you re-enable the KMS key, rotation resumes. If the key material 
@@ -41,20 +44,42 @@ import ( // immediately, and every year thereafter. If it's been less than a year since the // key material in the re-enabled KMS key was rotated, the KMS key resumes its // prior rotation schedule. +// // - Pending deletion: While a KMS key is pending deletion, its key rotation // status is false and KMS does not rotate the key material. If you cancel the // deletion, the original key rotation status returns to true . // // Cross-account use: Yes. To perform this operation on a KMS key in a different // Amazon Web Services account, specify the key ARN in the value of the KeyId -// parameter. Required permissions: kms:GetKeyRotationStatus (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - DisableKeyRotation -// - EnableKeyRotation +// parameter. +// +// Required permissions: [kms:GetKeyRotationStatus] (key policy) +// +// Related operations: +// +// # DisableKeyRotation +// +// # EnableKeyRotation +// +// # ListKeyRotations +// +// # RotateKeyOnDemand // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. 
+// +// [imported key material]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [HMAC KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html +// [rotation period]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotation-period +// [Amazon Web Services managed KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk +// [kms:GetKeyRotationStatus]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [automatic rotation of the key material]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html +// [asymmetric KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html +// [symmetric encryption KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks +// [multi-Region keys]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html func (c *Client) GetKeyRotationStatus(ctx context.Context, params *GetKeyRotationStatusInput, optFns ...func(*Options)) (*GetKeyRotationStatusOutput, error) { if params == nil { params = &GetKeyRotationStatusInput{} 
@@ -72,13 +97,19 @@ func (c *Client) GetKeyRotationStatus(ctx context.Context, params *GetKeyRotatio type GetKeyRotationStatusInput struct { - // Gets the rotation status for the specified KMS key. Specify the key ID or key - // ARN of the KMS key. To specify a KMS key in a different Amazon Web Services - // account, you must use the key ARN. For example: + // Gets the rotation status for the specified KMS key. + // + // Specify the key ID or key ARN of the KMS key. To specify a KMS key in a + // different Amazon Web Services account, you must use the key ARN. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string 
@@ -88,9 +119,30 @@ type GetKeyRotationStatusInput struct { type GetKeyRotationStatusOutput struct { + // Identifies the specified symmetric encryption KMS key. + KeyId *string + // A Boolean value that specifies whether key rotation is enabled. KeyRotationEnabled bool + // The next date that KMS will automatically rotate the key material. + NextRotationDate *time.Time + + // Identifies the date and time that an in progress on-demand rotation was + // initiated. + // + // The KMS API follows an [eventual consistency] model due to the distributed nature of the system. As a + // result, there might be a slight delay between initiating on-demand key rotation + // and the rotation's completion. Once the on-demand rotation is complete, use ListKeyRotationsto + // view the details of the on-demand rotation. + // + // [eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html + OnDemandRotationStartDate *time.Time + + // The number of days between each automatic rotation. The default value is 365 + // days. + RotationPeriodInDays *int32 + // Metadata pertaining to the operation's result. ResultMetadata middleware.Metadata diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetParametersForImport.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetParametersForImport.go index cf3220739fd..f658e45481c 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetParametersForImport.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetParametersForImport.go 
@@ -13,56 +13,78 @@ import ( ) // Returns the public key and an import token you need to import or reimport key -// material for a KMS key. By default, KMS keys are created with key material that -// KMS generates. This operation supports Importing key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) -// , an advanced feature that lets you generate and import the cryptographic key -// material for a KMS key. For more information about importing key material into -// KMS, see Importing key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) -// in the Key Management Service Developer Guide. Before calling -// GetParametersForImport , use the CreateKey operation with an Origin value of -// EXTERNAL to create a KMS key with no key material. You can import key material -// for a symmetric encryption KMS key, HMAC KMS key, asymmetric encryption KMS key, -// or asymmetric signing KMS key. You can also import key material into a -// multi-Region key (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) +// material for a KMS key. +// +// By default, KMS keys are created with key material that KMS generates. This +// operation supports [Importing key material], an advanced feature that lets you generate and import the +// cryptographic key material for a KMS key. For more information about importing +// key material into KMS, see [Importing key material]in the Key Management Service Developer Guide. +// +// Before calling GetParametersForImport , use the CreateKey operation with an Origin value +// of EXTERNAL to create a KMS key with no key material. You can import key +// material for a symmetric encryption KMS key, HMAC KMS key, asymmetric encryption +// KMS key, or asymmetric signing KMS key. You can also import key material into a [multi-Region key] // of any supported type. 
However, you can't import key material into a KMS key in -// a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// . You can also use GetParametersForImport to get a public key and import token -// to reimport the original key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material) -// into a KMS key whose key material expired or was deleted. GetParametersForImport -// returns the items that you need to import your key material. -// - The public key (or "wrapping key") of an RSA key pair that KMS generates. -// You will use this public key to encrypt ("wrap") your key material while it's in -// transit to KMS. -// - A import token that ensures that KMS can decrypt your key material and -// associate it with the correct KMS key. +// a [custom key store]. You can also use GetParametersForImport to get a public key and import +// token to [reimport the original key material]into a KMS key whose key material expired or was deleted. +// +// GetParametersForImport returns the items that you need to import your key +// material. +// +// - The public key (or "wrapping key") of an asymmetric key pair that KMS +// generates. +// +// You will use this public key to encrypt ("wrap") your key material while it's +// +// in transit to KMS. +// +// - A import token that ensures that KMS can decrypt your key material and +// associate it with the correct KMS key. // // The public key and its import token are permanently linked and must be used // together. Each public key and import token set is valid for 24 hours. The // expiration date and time appear in the ParametersValidTo field in the // GetParametersForImport response. You cannot use an expired public key or import -// token in an ImportKeyMaterial request. If your key and token expire, send -// another GetParametersForImport request. 
GetParametersForImport requires the -// following information: +// token in an ImportKeyMaterialrequest. If your key and token expire, send another +// GetParametersForImport request. +// +// GetParametersForImport requires the following information: +// // - The key ID of the KMS key for which you are importing the key material. +// // - The key spec of the public key ("wrapping key") that you will use to // encrypt your key material during import. +// // - The wrapping algorithm that you will use with the public key to encrypt // your key material. // // You can use the same or a different public key spec and wrapping algorithm each -// time you import or reimport the same key material. The KMS key that you use for -// this operation must be in a compatible key state. For details, see Key states -// of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on a KMS key in a different Amazon Web Services account. -// Required permissions: kms:GetParametersForImport (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - ImportKeyMaterial -// - DeleteImportedKeyMaterial +// time you import or reimport the same key material. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. +// +// Required permissions: [kms:GetParametersForImport] (key policy) +// +// Related operations: +// +// # ImportKeyMaterial +// +// # DeleteImportedKeyMaterial // // Eventual consistency: The KMS API follows an eventual consistency model. 
For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [Importing key material]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html +// [kms:GetParametersForImport]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [reimport the original key material]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [multi-Region key]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html +// [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html func (c *Client) GetParametersForImport(ctx context.Context, params *GetParametersForImportInput, optFns ...func(*Options)) (*GetParametersForImportOutput, error) { if params == nil { params = &GetParametersForImportInput{} 
@@ -81,47 +103,80 @@ func (c *Client) GetParametersForImport(ctx context.Context, params *GetParamete type GetParametersForImportInput struct { // The identifier of the KMS key that will be associated with the imported key - // material. The Origin of the KMS key must be EXTERNAL . All KMS key types are - // supported, including multi-Region keys. However, you cannot import key material - // into a KMS key in a custom key store. Specify the key ID or key ARN of the KMS - // key. For example: + // material. The Origin of the KMS key must be EXTERNAL . + // + // All KMS key types are supported, including multi-Region keys. However, you + // cannot import key material into a KMS key in a custom key store. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string - // The algorithm you will use with the RSA public key ( PublicKey ) in the response - // to protect your key material during import. For more information, see Select a - // wrapping algorithm in the Key Management Service Developer Guide. For RSA_AES - // wrapping algorithms, you encrypt your key material with an AES key that you - // generate, then encrypt your AES key with the RSA public key from KMS. For RSAES - // wrapping algorithms, you encrypt your key material directly with the RSA public - // key from KMS. The wrapping algorithms that you can use depend on the type of key - // material that you are importing. To import an RSA private key, you must use an - // RSA_AES wrapping algorithm. 
+ // The algorithm you will use with the asymmetric public key ( PublicKey ) in the + // response to protect your key material during import. For more information, see Select a wrapping algorithm + // in the Key Management Service Developer Guide. + // + // For RSA_AES wrapping algorithms, you encrypt your key material with an AES key + // that you generate, then encrypt your AES key with the RSA public key from KMS. + // For RSAES wrapping algorithms, you encrypt your key material directly with the + // RSA public key from KMS. For SM2PKE wrapping algorithms, you encrypt your key + // material directly with the SM2 public key from KMS. + // + // The wrapping algorithms that you can use depend on the type of key material + // that you are importing. To import an RSA private key, you must use an RSA_AES + // wrapping algorithm, except in China Regions, where you must use the SM2PKE + // wrapping algorithm to import an RSA private key. + // + // The SM2PKE wrapping algorithm is available only in China Regions. The + // RSA_AES_KEY_WRAP_SHA_256 and RSA_AES_KEY_WRAP_SHA_1 wrapping algorithms are not + // supported in China Regions. + // // - RSA_AES_KEY_WRAP_SHA_256 — Supported for wrapping RSA and ECC key material. + // // - RSA_AES_KEY_WRAP_SHA_1 — Supported for wrapping RSA and ECC key material. + // // - RSAES_OAEP_SHA_256 — Supported for all types of key material, except RSA - // key material (private key). You cannot use the RSAES_OAEP_SHA_256 wrapping - // algorithm with the RSA_2048 wrapping key spec to wrap ECC_NIST_P521 key - // material. + // key material (private key). + // + // You cannot use the RSAES_OAEP_SHA_256 wrapping algorithm with the RSA_2048 + // wrapping key spec to wrap ECC_NIST_P521 key material. + // // - RSAES_OAEP_SHA_1 — Supported for all types of key material, except RSA key - // material (private key). You cannot use the RSAES_OAEP_SHA_1 wrapping algorithm - // with the RSA_2048 wrapping key spec to wrap ECC_NIST_P521 key material. 
+ // material (private key). + // + // You cannot use the RSAES_OAEP_SHA_1 wrapping algorithm with the RSA_2048 + // wrapping key spec to wrap ECC_NIST_P521 key material. + // // - RSAES_PKCS1_V1_5 (Deprecated) — As of October 10, 2023, KMS does not // support the RSAES_PKCS1_V1_5 wrapping algorithm. // + // - SM2PKE (China Regions only) — supported for wrapping RSA, ECC, and SM2 key + // material. + // // This member is required. WrappingAlgorithm types.AlgorithmSpec - // The type of RSA public key to return in the response. You will use this - // wrapping key with the specified wrapping algorithm to protect your key material - // during import. Use the longest RSA wrapping key that is practical. You cannot - // use an RSA_2048 public key to directly wrap an ECC_NIST_P521 private key. - // Instead, use an RSA_AES wrapping algorithm or choose a longer RSA public key. + // The type of public key to return in the response. You will use this wrapping + // key with the specified wrapping algorithm to protect your key material during + // import. + // + // Use the longest wrapping key that is practical. + // + // You cannot use an RSA_2048 public key to directly wrap an ECC_NIST_P521 private + // key. Instead, use an RSA_AES wrapping algorithm or choose a longer RSA public + // key. + // + // The SM2 wrapping key spec is available only in China Regions. // // This member is required. WrappingKeySpec types.WrappingKeySpec 
@@ -134,18 +189,18 @@ type GetParametersForImportOutput struct { // The import token to send in a subsequent ImportKeyMaterial request. ImportToken []byte - // The Amazon Resource Name ( key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) - // ) of the KMS key to use in a subsequent ImportKeyMaterial request. This is the - // same KMS key specified in the GetParametersForImport request. + // The Amazon Resource Name ([key ARN] ) of the KMS key to use in a subsequent ImportKeyMaterial request. + // This is the same KMS key specified in the GetParametersForImport request. + // + // [key ARN]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN KeyId *string // The time at which the import token and public key are no longer valid. After - // this time, you cannot use them to make an ImportKeyMaterial request and you - // must send another GetParametersForImport request to get new ones. + // this time, you cannot use them to make an ImportKeyMaterialrequest and you must send another + // GetParametersForImport request to get new ones. ParametersValidTo *time.Time - // The public key to use to encrypt the key material before importing it with - // ImportKeyMaterial . + // The public key to use to encrypt the key material before importing it with ImportKeyMaterial. PublicKey []byte // Metadata pertaining to the operation's result. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetPublicKey.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetPublicKey.go index 9c52330f83c..d0e17429ba3 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetPublicKey.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_GetPublicKey.go 
@@ -15,45 +15,64 @@ import ( // asymmetric KMS key, which never leaves KMS unencrypted, callers with // kms:GetPublicKey permission can download the public key of an asymmetric KMS // key. You can share the public key to allow others to encrypt messages and verify -// signatures outside of KMS. For information about asymmetric KMS keys, see -// Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) -// in the Key Management Service Developer Guide. You do not need to download the -// public key. Instead, you can use the public key within KMS by calling the -// Encrypt , ReEncrypt , or Verify operations with the identifier of an asymmetric -// KMS key. When you use the public key within KMS, you benefit from the +// signatures outside of KMS. For information about asymmetric KMS keys, see [Asymmetric KMS keys]in +// the Key Management Service Developer Guide. +// +// You do not need to download the public key. Instead, you can use the public key +// within KMS by calling the Encrypt, ReEncrypt, or Verify operations with the identifier of an +// asymmetric KMS key. When you use the public key within KMS, you benefit from the // authentication, authorization, and logging that are part of every KMS operation. // You also reduce of risk of encrypting data that cannot be decrypted. These -// features are not effective outside of KMS. To help you use the public key safely -// outside of KMS, GetPublicKey returns important information about the public key -// in the response, including: -// - KeySpec (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeySpec) -// : The type of key material in the public key, such as RSA_4096 or +// features are not effective outside of KMS. 
+// +// To help you use the public key safely outside of KMS, GetPublicKey returns +// important information about the public key in the response, including: +// +// [KeySpec] +// - : The type of key material in the public key, such as RSA_4096 or // ECC_NIST_P521 . -// - KeyUsage (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage) -// : Whether the key is used for encryption or signing. -// - EncryptionAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms) -// or SigningAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms) -// : A list of the encryption algorithms or the signing algorithms for the key. +// +// [KeyUsage] +// - : Whether the key is used for encryption or signing. +// +// [EncryptionAlgorithms] +// - or [SigningAlgorithms]: A list of the encryption algorithms or the signing algorithms for the +// key. // // Although KMS cannot enforce these restrictions on external operations, it is // crucial that you use this information to prevent the public key from being used // improperly. For example, you can prevent a public signing key from being used // encrypt data, or prevent a public key from being used with an encryption // algorithm that is not supported by KMS. You can also avoid errors, such as using -// the wrong signing algorithm in a verification operation. To verify a signature -// outside of KMS with an SM2 public key (China Regions only), you must specify the -// distinguishing ID. By default, KMS uses 1234567812345678 as the distinguishing -// ID. For more information, see Offline verification with SM2 key pairs (https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification) -// . The KMS key that you use for this operation must be in a compatible key state. 
-// For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. Cross-account use: Yes. To -// perform this operation with a KMS key in a different Amazon Web Services -// account, specify the key ARN or alias ARN in the value of the KeyId parameter. -// Required permissions: kms:GetPublicKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: CreateKey Eventual consistency: The KMS API -// follows an eventual consistency model. For more information, see KMS eventual -// consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// the wrong signing algorithm in a verification operation. +// +// To verify a signature outside of KMS with an SM2 public key (China Regions +// only), you must specify the distinguishing ID. By default, KMS uses +// 1234567812345678 as the distinguishing ID. For more information, see [Offline verification with SM2 key pairs]. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value of +// the KeyId parameter. +// +// Required permissions: [kms:GetPublicKey] (key policy) +// +// Related operations: CreateKey +// +// Eventual consistency: The KMS API follows an eventual consistency model. For +// more information, see [KMS eventual consistency]. 
+// +// [SigningAlgorithms]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [kms:GetPublicKey]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [EncryptionAlgorithms]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms +// [Asymmetric KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html +// [KeySpec]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeySpec +// [Offline verification with SM2 key pairs]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification +// [KeyUsage]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) GetPublicKey(ctx context.Context, params *GetPublicKeyInput, optFns ...func(*Options)) (*GetPublicKeyOutput, error) { if params == nil { params = &GetPublicKeyInput{} 
@@ -71,26 +90,37 @@ func (c *Client) GetPublicKey(ctx context.Context, params *GetPublicKeyInput, op type GetPublicKeyInput struct { - // Identifies the asymmetric KMS key that includes the public key. To specify a - // KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias - // name, prefix it with "alias/" . To specify a KMS key in a different Amazon Web - // Services account, you must use the key ARN or alias ARN. For example: + // Identifies the asymmetric KMS key that includes the public key. + // + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/" . To specify a KMS key in a + // different Amazon Web Services account, you must use the key ARN or alias ARN. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // // - Alias name: alias/ExampleAlias + // // - Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . To - // get the alias name and alias ARN, use ListAliases . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name + // and alias ARN, use ListAliases. // // This member is required. KeyId *string - // A list of grant tokens. Use a grant token when your permission to call this - // operation comes from a new grant that has not yet achieved eventual consistency. - // For more information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - // in the Key Management Service Developer Guide. + // A list of grant tokens. 
+ // + // Use a grant token when your permission to call this operation comes from a new + // grant that has not yet achieved eventual consistency. For more information, see [Grant token] + // and [Using a grant token]in the Key Management Service Developer Guide. + // + // [Grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token + // [Using a grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token GrantTokens []string noSmithyDocumentSerde 
@@ -98,40 +128,53 @@ type GetPublicKeyInput struct { type GetPublicKeyOutput struct { - // Instead, use the KeySpec field in the GetPublicKey response. The KeySpec and - // CustomerMasterKeySpec fields have the same value. We recommend that you use the - // KeySpec field in your code. However, to avoid breaking changes, KMS supports - // both fields. + // Instead, use the KeySpec field in the GetPublicKey response. + // + // The KeySpec and CustomerMasterKeySpec fields have the same value. We recommend + // that you use the KeySpec field in your code. However, to avoid breaking + // changes, KMS supports both fields. // // Deprecated: This field has been deprecated. Instead, use the KeySpec field. CustomerMasterKeySpec types.CustomerMasterKeySpec - // The encryption algorithms that KMS supports for this key. This information is - // critical. If a public key encrypts data outside of KMS by using an unsupported - // encryption algorithm, the ciphertext cannot be decrypted. This field appears in - // the response only when the KeyUsage of the public key is ENCRYPT_DECRYPT . + // The encryption algorithms that KMS supports for this key. + // + // This information is critical. If a public key encrypts data outside of KMS by + // using an unsupported encryption algorithm, the ciphertext cannot be decrypted. + // + // This field appears in the response only when the KeyUsage of the public key is + // ENCRYPT_DECRYPT . EncryptionAlgorithms []types.EncryptionAlgorithmSpec - // The Amazon Resource Name ( key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) - // ) of the asymmetric KMS key from which the public key was downloaded. + // The Amazon Resource Name ([key ARN] ) of the asymmetric KMS key from which the public key + // was downloaded. + // + // [key ARN]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN KeyId *string // The type of the of the public key that was downloaded. 
KeySpec types.KeySpec // The permitted use of the public key. Valid values are ENCRYPT_DECRYPT or - // SIGN_VERIFY . This information is critical. If a public key with SIGN_VERIFY - // key usage encrypts data outside of KMS, the ciphertext cannot be decrypted. + // SIGN_VERIFY . + // + // This information is critical. If a public key with SIGN_VERIFY key usage + // encrypts data outside of KMS, the ciphertext cannot be decrypted. KeyUsage types.KeyUsageType - // The exported public key. The value is a DER-encoded X.509 public key, also - // known as SubjectPublicKeyInfo (SPKI), as defined in RFC 5280 (https://tools.ietf.org/html/rfc5280) - // . When you use the HTTP API or the Amazon Web Services CLI, the value is - // Base64-encoded. Otherwise, it is not Base64-encoded. + // The exported public key. + // + // The value is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo + // (SPKI), as defined in [RFC 5280]. When you use the HTTP API or the Amazon Web Services + // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. + // + // [RFC 5280]: https://tools.ietf.org/html/rfc5280 PublicKey []byte - // The signing algorithms that KMS supports for this key. This field appears in - // the response only when the KeyUsage of the public key is SIGN_VERIFY . + // The signing algorithms that KMS supports for this key. + // + // This field appears in the response only when the KeyUsage of the public key is + // SIGN_VERIFY . SigningAlgorithms []types.SigningAlgorithmSpec // Metadata pertaining to the operation's result. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ImportKeyMaterial.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ImportKeyMaterial.go index f595a5c9e19..b8c0273ec7d 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ImportKeyMaterial.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ImportKeyMaterial.go 
@@ -14,79 +14,109 @@ import ( // Imports or reimports key material into an existing KMS key that was created // without key material. ImportKeyMaterial also sets the expiration model and -// expiration date of the imported key material. By default, KMS keys are created -// with key material that KMS generates. This operation supports Importing key -// material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) -// , an advanced feature that lets you generate and import the cryptographic key -// material for a KMS key. For more information about importing key material into -// KMS, see Importing key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) -// in the Key Management Service Developer Guide. After you successfully import key -// material into a KMS key, you can reimport the same key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material) -// into that KMS key, but you cannot import different key material. You might -// reimport key material to replace key material that expired or key material that -// you deleted. You might also reimport key material to change the expiration model -// or expiration date of the key material. Each time you import key material into -// KMS, you can determine whether ( ExpirationModel ) and when ( ValidTo ) the key -// material expires. To change the expiration of your key material, you must import -// it again, either by calling ImportKeyMaterial or using the import features of -// the KMS console. Before calling ImportKeyMaterial : +// expiration date of the imported key material. +// +// By default, KMS keys are created with key material that KMS generates. This +// operation supports [Importing key material], an advanced feature that lets you generate and import the +// cryptographic key material for a KMS key. 
For more information about importing +// key material into KMS, see [Importing key material]in the Key Management Service Developer Guide. +// +// After you successfully import key material into a KMS key, you can [reimport the same key material] into that +// KMS key, but you cannot import different key material. You might reimport key +// material to replace key material that expired or key material that you deleted. +// You might also reimport key material to change the expiration model or +// expiration date of the key material. +// +// Each time you import key material into KMS, you can determine whether ( +// ExpirationModel ) and when ( ValidTo ) the key material expires. To change the +// expiration of your key material, you must import it again, either by calling +// ImportKeyMaterial or using the import features of the KMS console. +// +// Before calling ImportKeyMaterial : +// // - Create or identify a KMS key with no key material. The KMS key must have an // Origin value of EXTERNAL , which indicates that the KMS key is designed for -// imported key material. To create an new KMS key for imported key material, call -// the CreateKey operation with an Origin value of EXTERNAL . You can create a -// symmetric encryption KMS key, HMAC KMS key, asymmetric encryption KMS key, or -// asymmetric signing KMS key. You can also import key material into a -// multi-Region key of any supported type. However, you can't import key material -// into a KMS key in a custom key store . -// - Use the DescribeKey operation to verify that the KeyState of the KMS key is -// PendingImport , which indicates that the KMS key has no key material. If you -// are reimporting the same key material into an existing KMS key, you might need -// to call the DeleteImportedKeyMaterial to delete its existing key material. -// - Call the GetParametersForImport operation to get a public key and import -// token set for importing key material. 
-// - Use the public key in the GetParametersForImport response to encrypt your -// key material. +// imported key material. +// +// To create an new KMS key for imported key material, call the CreateKeyoperation with an +// +// Origin value of EXTERNAL . You can create a symmetric encryption KMS key, HMAC +// KMS key, asymmetric encryption KMS key, or asymmetric signing KMS key. You can +// also import key material into a multi-Region keyof any supported type. However, you can't +// import key material into a KMS key in a custom key store. +// +// - Use the DescribeKeyoperation to verify that the KeyState of the KMS key is +// PendingImport , which indicates that the KMS key has no key material. +// +// If you are reimporting the same key material into an existing KMS key, you +// +// might need to call the DeleteImportedKeyMaterialto delete its existing key material. +// +// - Call the GetParametersForImportoperation to get a public key and import token set for importing +// key material. +// +// - Use the public key in the GetParametersForImportresponse to encrypt your key material. // // Then, in an ImportKeyMaterial request, you submit your encrypted key material // and import token. When calling this operation, you must specify the following // values: +// // - The key ID or key ARN of the KMS key to associate with the imported key // material. Its Origin must be EXTERNAL and its KeyState must be PendingImport . -// You cannot perform this operation on a KMS key in a custom key store , or on a -// KMS key in a different Amazon Web Services account. To get the Origin and -// KeyState of a KMS key, call DescribeKey . +// You cannot perform this operation on a KMS key in a custom key store, or on a KMS key in a +// different Amazon Web Services account. To get the Origin and KeyState of a KMS +// key, call DescribeKey. +// // - The encrypted key material. -// - The import token that GetParametersForImport returned. 
You must use a public -// key and token from the same GetParametersForImport response. +// +// - The import token that GetParametersForImportreturned. You must use a public key and token from +// the same GetParametersForImport response. +// // - Whether the key material expires ( ExpirationModel ) and, if so, when ( -// ValidTo ). For help with this choice, see Setting an expiration time (https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration) -// in the Key Management Service Developer Guide. If you set an expiration date, -// KMS deletes the key material from the KMS key on the specified date, making the -// KMS key unusable. To use the KMS key in cryptographic operations again, you must -// reimport the same key material. However, you can delete and reimport the key -// material at any time, including before the key material expires. Each time you -// reimport, you can eliminate or reset the expiration time. +// ValidTo ). For help with this choice, see [Setting an expiration time]in the Key Management Service +// Developer Guide. +// +// If you set an expiration date, KMS deletes the key material from the KMS key on +// +// the specified date, making the KMS key unusable. To use the KMS key in +// cryptographic operations again, you must reimport the same key material. +// However, you can delete and reimport the key material at any time, including +// before the key material expires. Each time you reimport, you can eliminate or +// reset the expiration time. // // When this operation is successful, the key state of the KMS key changes from // PendingImport to Enabled , and you can use the KMS key in cryptographic -// operations. If this operation fails, use the exception to help determine the -// problem. If the error is related to the key material, the import token, or -// wrapping key, use GetParametersForImport to get a new public key and import -// token for the KMS key and repeat the import procedure. 
For help, see How To -// Import Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview) -// in the Key Management Service Developer Guide. The KMS key that you use for this -// operation must be in a compatible key state. For details, see Key states of KMS -// keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in -// the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on a KMS key in a different Amazon Web Services account. -// Required permissions: kms:ImportKeyMaterial (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - DeleteImportedKeyMaterial -// - GetParametersForImport +// operations. +// +// If this operation fails, use the exception to help determine the problem. If +// the error is related to the key material, the import token, or wrapping key, use +// GetParametersForImportto get a new public key and import token for the KMS key and repeat the import +// procedure. For help, see [How To Import Key Material]in the Key Management Service Developer Guide. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. +// +// Required permissions: [kms:ImportKeyMaterial] (key policy) +// +// Related operations: +// +// # DeleteImportedKeyMaterial +// +// # GetParametersForImport // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. 
+// +// [Importing key material]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [How To Import Key Material]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview +// [kms:ImportKeyMaterial]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [reimport the same key material]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material +// [Setting an expiration time]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) ImportKeyMaterial(ctx context.Context, params *ImportKeyMaterialInput, optFns ...func(*Options)) (*ImportKeyMaterialOutput, error) { if params == nil { params = &ImportKeyMaterialInput{} 
@@ -105,57 +135,71 @@ func (c *Client) ImportKeyMaterial(ctx context.Context, params *ImportKeyMateria type ImportKeyMaterialInput struct { // The encrypted key material to import. The key material must be encrypted under - // the public wrapping key that GetParametersForImport returned, using the - // wrapping algorithm that you specified in the same GetParametersForImport - // request. + // the public wrapping key that GetParametersForImportreturned, using the wrapping algorithm that you + // specified in the same GetParametersForImport request. // // This member is required. EncryptedKeyMaterial []byte - // The import token that you received in the response to a previous - // GetParametersForImport request. It must be from the same response that contained - // the public key that you used to encrypt the key material. + // The import token that you received in the response to a previous GetParametersForImport request. It + // must be from the same response that contained the public key that you used to + // encrypt the key material. // // This member is required. ImportToken []byte // The identifier of the KMS key that will be associated with the imported key // material. This must be the same KMS key specified in the KeyID parameter of the - // corresponding GetParametersForImport request. The Origin of the KMS key must be - // EXTERNAL and its KeyState must be PendingImport . The KMS key can be a symmetric - // encryption KMS key, HMAC KMS key, asymmetric encryption KMS key, or asymmetric - // signing KMS key, including a multi-Region key of any supported type. You cannot - // perform this operation on a KMS key in a custom key store, or on a KMS key in a - // different Amazon Web Services account. Specify the key ID or key ARN of the KMS - // key. For example: + // corresponding GetParametersForImportrequest. The Origin of the KMS key must be EXTERNAL and its + // KeyState must be PendingImport . 
+ // + // The KMS key can be a symmetric encryption KMS key, HMAC KMS key, asymmetric + // encryption KMS key, or asymmetric signing KMS key, including a multi-Region keyof any supported + // type. You cannot perform this operation on a KMS key in a custom key store, or + // on a KMS key in a different Amazon Web Services account. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string // Specifies whether the key material expires. The default is KEY_MATERIAL_EXPIRES - // . For help with this choice, see Setting an expiration time (https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration) - // in the Key Management Service Developer Guide. When the value of ExpirationModel - // is KEY_MATERIAL_EXPIRES , you must specify a value for the ValidTo parameter. - // When value is KEY_MATERIAL_DOES_NOT_EXPIRE , you must omit the ValidTo - // parameter. You cannot change the ExpirationModel or ValidTo values for the - // current import after the request completes. To change either value, you must - // reimport the key material. + // . For help with this choice, see [Setting an expiration time]in the Key Management Service Developer Guide. + // + // When the value of ExpirationModel is KEY_MATERIAL_EXPIRES , you must specify a + // value for the ValidTo parameter. When value is KEY_MATERIAL_DOES_NOT_EXPIRE , + // you must omit the ValidTo parameter. + // + // You cannot change the ExpirationModel or ValidTo values for the current import + // after the request completes. To change either value, you must reimport the key + // material. 
+ // + // [Setting an expiration time]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration ExpirationModel types.ExpirationModelType // The date and time when the imported key material expires. This parameter is // required when the value of the ExpirationModel parameter is KEY_MATERIAL_EXPIRES - // . Otherwise it is not valid. The value of this parameter must be a future date - // and time. The maximum value is 365 days from the request date. When the key - // material expires, KMS deletes the key material from the KMS key. Without its key - // material, the KMS key is unusable. To use the KMS key in cryptographic - // operations, you must reimport the same key material. You cannot change the - // ExpirationModel or ValidTo values for the current import after the request - // completes. To change either value, you must delete ( DeleteImportedKeyMaterial ) - // and reimport the key material. + // . Otherwise it is not valid. + // + // The value of this parameter must be a future date and time. The maximum value + // is 365 days from the request date. + // + // When the key material expires, KMS deletes the key material from the KMS key. + // Without its key material, the KMS key is unusable. To use the KMS key in + // cryptographic operations, you must reimport the same key material. + // + // You cannot change the ExpirationModel or ValidTo values for the current import + // after the request completes. To change either value, you must delete (DeleteImportedKeyMaterial ) and + // reimport the key material. ValidTo *time.Time noSmithyDocumentSerde diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListAliases.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListAliases.go index 41cfda0d4fc..a9bff503f88 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListAliases.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListAliases.go 
@@ -12,29 +12,45 @@ import ( ) // Gets a list of aliases in the caller's Amazon Web Services account and region. -// For more information about aliases, see CreateAlias . By default, the -// ListAliases operation returns all aliases in the account and region. To get only -// the aliases associated with a particular KMS key, use the KeyId parameter. The -// ListAliases response can include aliases that you created and associated with -// your customer managed keys, and aliases that Amazon Web Services created and -// associated with Amazon Web Services managed keys in your account. You can +// For more information about aliases, see CreateAlias. +// +// By default, the ListAliases operation returns all aliases in the account and +// region. To get only the aliases associated with a particular KMS key, use the +// KeyId parameter. +// +// The ListAliases response can include aliases that you created and associated +// with your customer managed keys, and aliases that Amazon Web Services created +// and associated with Amazon Web Services managed keys in your account. You can // recognize Amazon Web Services aliases because their names have the format aws/ , -// such as aws/dynamodb . The response might also include aliases that have no -// TargetKeyId field. These are predefined aliases that Amazon Web Services has -// created but has not yet associated with a KMS key. Aliases that Amazon Web -// Services creates in your account, including predefined aliases, do not count -// against your KMS aliases quota (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit) -// . Cross-account use: No. ListAliases does not return aliases in other Amazon -// Web Services accounts. 
Required permissions: kms:ListAliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (IAM policy) For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access) -// in the Key Management Service Developer Guide. Related operations: -// - CreateAlias -// - DeleteAlias -// - UpdateAlias +// such as aws/dynamodb . +// +// The response might also include aliases that have no TargetKeyId field. These +// are predefined aliases that Amazon Web Services has created but has not yet +// associated with a KMS key. Aliases that Amazon Web Services creates in your +// account, including predefined aliases, do not count against your [KMS aliases quota]. +// +// Cross-account use: No. ListAliases does not return aliases in other Amazon Web +// Services accounts. +// +// Required permissions: [kms:ListAliases] (IAM policy) +// +// For details, see [Controlling access to aliases] in the Key Management Service Developer Guide. +// +// Related operations: +// +// # CreateAlias +// +// # DeleteAlias +// +// # UpdateAlias // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. 
+// +// [KMS aliases quota]: https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit +// [kms:ListAliases]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [Controlling access to aliases]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access func (c *Client) ListAliases(ctx context.Context, params *ListAliasesInput, optFns ...func(*Options)) (*ListAliasesOutput, error) { if params == nil { params = &ListAliasesInput{} 
@@ -53,20 +69,29 @@ func (c *Client) ListAliases(ctx context.Context, params *ListAliasesInput, optF type ListAliasesInput struct { // Lists only aliases that are associated with the specified KMS key. Enter a KMS - // key in your Amazon Web Services account. This parameter is optional. If you omit - // it, ListAliases returns all aliases in the account and Region. Specify the key - // ID or key ARN of the KMS key. For example: + // key in your Amazon Web Services account. + // + // This parameter is optional. If you omit it, ListAliases returns all aliases in + // the account and Region. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. KeyId *string // Use this parameter to specify the maximum number of items to return. When this // value is present, KMS does not return more than the specified number of items, - // but it might return fewer. This value is optional. If you include a value, it - // must be between 1 and 100, inclusive. If you do not include a value, it defaults - // to 50. + // but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and 100, + // inclusive. If you do not include a value, it defaults to 50. Limit *int32 // Use this parameter in a subsequent request after you receive a response with 
@@ -88,7 +113,7 @@ type ListAliasesOutput struct { // A flag that indicates whether there are more items in the list. When this value // is true, the list in this response is truncated. To get more items, pass the - // value of the NextMarker element in thisresponse to the Marker parameter in a + // value of the NextMarker element in this response to the Marker parameter in a // subsequent request. Truncated bool @@ -185,9 +210,10 @@ var _ ListAliasesAPIClient = (*Client)(nil) type ListAliasesPaginatorOptions struct { // Use this parameter to specify the maximum number of items to return. When this // value is present, KMS does not return more than the specified number of items, - // but it might return fewer. This value is optional. If you include a value, it - // must be between 1 and 100, inclusive. If you do not include a value, it defaults - // to 50. + // but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and 100, + // inclusive. If you do not include a value, it defaults to 50. Limit int32 // Set to true if pagination should stop if the service returns a pagination token diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListGrants.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListGrants.go index ab4acaffabd..e56605b4f01 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListGrants.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListGrants.go 
@@ -11,29 +11,45 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Gets a list of all grants for the specified KMS key. You must specify the KMS -// key in all requests. You can filter the grant list by grant ID or grantee -// principal. For detailed information about grants, including grant terminology, -// see Grants in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) -// in the Key Management Service Developer Guide . For examples of working with -// grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html) -// . The GranteePrincipal field in the ListGrants response usually contains the -// user or role designated as the grantee principal in the grant. However, when the +// Gets a list of all grants for the specified KMS key. +// +// You must specify the KMS key in all requests. You can filter the grant list by +// grant ID or grantee principal. +// +// For detailed information about grants, including grant terminology, see [Grants in KMS] in the +// Key Management Service Developer Guide . For examples of working with grants in +// several programming languages, see [Programming grants]. +// +// The GranteePrincipal field in the ListGrants response usually contains the user +// or role designated as the grantee principal in the grant. However, when the // grantee principal in the grant is an Amazon Web Services service, the -// GranteePrincipal field contains the service principal (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) -// , which might represent several different grantee principals. Cross-account use: -// Yes. To perform this operation on a KMS key in a different Amazon Web Services -// account, specify the key ARN in the value of the KeyId parameter. 
Required -// permissions: kms:ListGrants (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - CreateGrant -// - ListRetirableGrants -// - RetireGrant -// - RevokeGrant +// GranteePrincipal field contains the [service principal], which might represent several different +// grantee principals. +// +// Cross-account use: Yes. To perform this operation on a KMS key in a different +// Amazon Web Services account, specify the key ARN in the value of the KeyId +// parameter. +// +// Required permissions: [kms:ListGrants] (key policy) +// +// Related operations: +// +// # CreateGrant +// +// # ListRetirableGrants +// +// # RetireGrant +// +// # RevokeGrant // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [Programming grants]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html +// [service principal]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services +// [Grants in KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html +// [kms:ListGrants]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) ListGrants(ctx context.Context, params *ListGrantsInput, optFns ...func(*Options)) (*ListGrantsOutput, error) { if params == nil { params = &ListGrantsInput{} 
@@ -52,12 +68,18 @@ func (c *Client) ListGrants(ctx context.Context, params *ListGrantsInput, optFns type ListGrantsInput struct { // Returns only grants for the specified KMS key. This parameter is required. + // // Specify the key ID or key ARN of the KMS key. To specify a KMS key in a - // different Amazon Web Services account, you must use the key ARN. For example: + // different Amazon Web Services account, you must use the key ARN. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string @@ -72,9 +94,10 @@ type ListGrantsInput struct { // Use this parameter to specify the maximum number of items to return. When this // value is present, KMS does not return more than the specified number of items, - // but it might return fewer. This value is optional. If you include a value, it - // must be between 1 and 100, inclusive. If you do not include a value, it defaults - // to 50. + // but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and 100, + // inclusive. If you do not include a value, it defaults to 50. Limit *int32 // Use this parameter in a subsequent request after you receive a response with @@ -96,7 +119,7 @@ type ListGrantsOutput struct { // A flag that indicates whether there are more items in the list. When this value // is true, the list in this response is truncated. To get more items, pass the - // value of the NextMarker element in thisresponse to the Marker parameter in a + // value of the NextMarker element in this response to the Marker parameter in a // subsequent request. Truncated bool 
@@ -196,9 +219,10 @@ var _ ListGrantsAPIClient = (*Client)(nil) type ListGrantsPaginatorOptions struct { // Use this parameter to specify the maximum number of items to return. When this // value is present, KMS does not return more than the specified number of items, - // but it might return fewer. This value is optional. If you include a value, it - // must be between 1 and 100, inclusive. If you do not include a value, it defaults - // to 50. + // but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and 100, + // inclusive. If you do not include a value, it defaults to 50. Limit int32 // Set to true if pagination should stop if the service returns a pagination token diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListKeyPolicies.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListKeyPolicies.go index 604fbdfa58b..4983a9f67d7 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListKeyPolicies.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListKeyPolicies.go 
@@ -11,17 +11,26 @@ import ( ) // Gets the names of the key policies that are attached to a KMS key. This -// operation is designed to get policy names that you can use in a GetKeyPolicy -// operation. However, the only valid policy name is default . Cross-account use: -// No. You cannot perform this operation on a KMS key in a different Amazon Web -// Services account. Required permissions: kms:ListKeyPolicies (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - GetKeyPolicy -// - PutKeyPolicy (https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) +// operation is designed to get policy names that you can use in a GetKeyPolicyoperation. +// However, the only valid policy name is default . +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. +// +// Required permissions: [kms:ListKeyPolicies] (key policy) +// +// Related operations: +// +// # GetKeyPolicy +// +// [PutKeyPolicy] // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [kms:ListKeyPolicies]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [PutKeyPolicy]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) ListKeyPolicies(ctx context.Context, params *ListKeyPoliciesInput, optFns ...func(*Options)) (*ListKeyPoliciesOutput, error) { if params == nil { params = &ListKeyPoliciesInput{} 
@@ -39,21 +48,30 @@ func (c *Client) ListKeyPolicies(ctx context.Context, params *ListKeyPoliciesInp type ListKeyPoliciesInput struct { - // Gets the names of key policies for the specified KMS key. Specify the key ID or - // key ARN of the KMS key. For example: + // Gets the names of key policies for the specified KMS key. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string // Use this parameter to specify the maximum number of items to return. When this // value is present, KMS does not return more than the specified number of items, - // but it might return fewer. This value is optional. If you include a value, it - // must be between 1 and 1000, inclusive. If you do not include a value, it - // defaults to 100. Only one policy can be attached to a key. + // but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and 1000, + // inclusive. If you do not include a value, it defaults to 100. + // + // Only one policy can be attached to a key. Limit *int32 // Use this parameter in a subsequent request after you receive a response with @@ -75,7 +93,7 @@ type ListKeyPoliciesOutput struct { // A flag that indicates whether there are more items in the list. When this value // is true, the list in this response is truncated. To get more items, pass the - // value of the NextMarker element in thisresponse to the Marker parameter in a + // value of the NextMarker element in this response to the Marker parameter in a // subsequent request. Truncated bool 
@@ -176,9 +194,12 @@ var _ ListKeyPoliciesAPIClient = (*Client)(nil) type ListKeyPoliciesPaginatorOptions struct { // Use this parameter to specify the maximum number of items to return. When this // value is present, KMS does not return more than the specified number of items, - // but it might return fewer. This value is optional. If you include a value, it - // must be between 1 and 1000, inclusive. If you do not include a value, it - // defaults to 100. Only one policy can be attached to a key. + // but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and 1000, + // inclusive. If you do not include a value, it defaults to 100. + // + // Only one policy can be attached to a key. Limit int32 // Set to true if pagination should stop if the service returns a pagination token diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListKeyRotations.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListKeyRotations.go new file mode 100644 index 00000000000..42da68b06b7 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListKeyRotations.go 
@@ -0,0 +1,294 @@ +// Code generated by smithy-go-codegen DO NOT EDIT. + +package kms + +import ( + "context" + "fmt" + awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" + "github.com/aws/aws-sdk-go-v2/service/kms/types" + "github.com/aws/smithy-go/middleware" + smithyhttp "github.com/aws/smithy-go/transport/http" +) + +// Returns information about all completed key material rotations for the +// specified KMS key. +// +// You must specify the KMS key in all requests. You can refine the key rotations +// list by limiting the number of rotations returned. +// +// For detailed information about automatic and on-demand key rotations, see [Rotating KMS keys] in +// the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. +// +// Required permissions: [kms:ListKeyRotations] (key policy) +// +// Related operations: +// +// # EnableKeyRotation +// +// # DisableKeyRotation +// +// # GetKeyRotationStatus +// +// # RotateKeyOnDemand +// +// Eventual consistency: The KMS API follows an eventual consistency model. For +// more information, see [KMS eventual consistency]. 
+// +// [Rotating KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html +// [kms:ListKeyRotations]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +func (c *Client) ListKeyRotations(ctx context.Context, params *ListKeyRotationsInput, optFns ...func(*Options)) (*ListKeyRotationsOutput, error) { + if params == nil { + params = &ListKeyRotationsInput{} + } + + result, metadata, err := c.invokeOperation(ctx, "ListKeyRotations", params, optFns, c.addOperationListKeyRotationsMiddlewares) + if err != nil { + return nil, err + } + + out := result.(*ListKeyRotationsOutput) + out.ResultMetadata = metadata + return out, nil +} + +type ListKeyRotationsInput struct { + + // Gets the key rotations for the specified KMS key. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // + // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // - Key ARN: + // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. + // + // This member is required. + KeyId *string + + // Use this parameter to specify the maximum number of items to return. When this + // value is present, KMS does not return more than the specified number of items, + // but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and 1000, + // inclusive. If you do not include a value, it defaults to 100. + Limit *int32 + + // Use this parameter in a subsequent request after you receive a response with + // truncated results. Set it to the value of NextMarker from the truncated + // response you just received. 
+ Marker *string + + noSmithyDocumentSerde +} + +type ListKeyRotationsOutput struct { + + // When Truncated is true, this element is present and contains the value to use + // for the Marker parameter in a subsequent request. + NextMarker *string + + // A list of completed key material rotations. + Rotations []types.RotationsListEntry + + // A flag that indicates whether there are more items in the list. When this value + // is true, the list in this response is truncated. To get more items, pass the + // value of the NextMarker element in this response to the Marker parameter in a + // subsequent request. + Truncated bool + + // Metadata pertaining to the operation's result. + ResultMetadata middleware.Metadata + + noSmithyDocumentSerde +} + +func (c *Client) addOperationListKeyRotationsMiddlewares(stack *middleware.Stack, options Options) (err error) { + if err := stack.Serialize.Add(&setOperationInputMiddleware{}, middleware.After); err != nil { + return err + } + err = stack.Serialize.Add(&awsAwsjson11_serializeOpListKeyRotations{}, middleware.After) + if err != nil { + return err + } + err = stack.Deserialize.Add(&awsAwsjson11_deserializeOpListKeyRotations{}, middleware.After) + if err != nil { + return err + } + if err := addProtocolFinalizerMiddlewares(stack, options, "ListKeyRotations"); err != nil { + return fmt.Errorf("add protocol finalizers: %v", err) + } + + if err = addlegacyEndpointContextSetter(stack, options); err != nil { + return err + } + if err = addSetLoggerMiddleware(stack, options); err != nil { + return err + } + if err = addClientRequestID(stack); err != nil { + return err + } + if err = addComputeContentLength(stack); err != nil { + return err + } + if err = addResolveEndpointMiddleware(stack, options); err != nil { + return err + } + if err = addComputePayloadSHA256(stack); err != nil { + return err + } + if err = addRetry(stack, options); err != nil { + return err + } + if err = addRawResponseToMetadata(stack); err != nil { + return err 
+ } + if err = addRecordResponseTiming(stack); err != nil { + return err + } + if err = addClientUserAgent(stack, options); err != nil { + return err + } + if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil { + return err + } + if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { + return err + } + if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil { + return err + } + if err = addOpListKeyRotationsValidationMiddleware(stack); err != nil { + return err + } + if err = stack.Initialize.Add(newServiceMetadataMiddleware_opListKeyRotations(options.Region), middleware.Before); err != nil { + return err + } + if err = addRecursionDetection(stack); err != nil { + return err + } + if err = addRequestIDRetrieverMiddleware(stack); err != nil { + return err + } + if err = addResponseErrorMiddleware(stack); err != nil { + return err + } + if err = addRequestResponseLogging(stack, options); err != nil { + return err + } + if err = addDisableHTTPSMiddleware(stack, options); err != nil { + return err + } + return nil +} + +// ListKeyRotationsAPIClient is a client that implements the ListKeyRotations +// operation. +type ListKeyRotationsAPIClient interface { + ListKeyRotations(context.Context, *ListKeyRotationsInput, ...func(*Options)) (*ListKeyRotationsOutput, error) +} + +var _ ListKeyRotationsAPIClient = (*Client)(nil) + +// ListKeyRotationsPaginatorOptions is the paginator options for ListKeyRotations +type ListKeyRotationsPaginatorOptions struct { + // Use this parameter to specify the maximum number of items to return. When this + // value is present, KMS does not return more than the specified number of items, + // but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and 1000, + // inclusive. If you do not include a value, it defaults to 100. 
+ Limit int32 + + // Set to true if pagination should stop if the service returns a pagination token + // that matches the most recent token provided to the service. + StopOnDuplicateToken bool +} + +// ListKeyRotationsPaginator is a paginator for ListKeyRotations +type ListKeyRotationsPaginator struct { + options ListKeyRotationsPaginatorOptions + client ListKeyRotationsAPIClient + params *ListKeyRotationsInput + nextToken *string + firstPage bool +} + +// NewListKeyRotationsPaginator returns a new ListKeyRotationsPaginator +func NewListKeyRotationsPaginator(client ListKeyRotationsAPIClient, params *ListKeyRotationsInput, optFns ...func(*ListKeyRotationsPaginatorOptions)) *ListKeyRotationsPaginator { + if params == nil { + params = &ListKeyRotationsInput{} + } + + options := ListKeyRotationsPaginatorOptions{} + if params.Limit != nil { + options.Limit = *params.Limit + } + + for _, fn := range optFns { + fn(&options) + } + + return &ListKeyRotationsPaginator{ + options: options, + client: client, + params: params, + firstPage: true, + nextToken: params.Marker, + } +} + +// HasMorePages returns a boolean indicating whether more pages are available +func (p *ListKeyRotationsPaginator) HasMorePages() bool { + return p.firstPage || (p.nextToken != nil && len(*p.nextToken) != 0) +} + +// NextPage retrieves the next ListKeyRotations page. +func (p *ListKeyRotationsPaginator) NextPage(ctx context.Context, optFns ...func(*Options)) (*ListKeyRotationsOutput, error) { + if !p.HasMorePages() { + return nil, fmt.Errorf("no more pages available") + } + + params := *p.params + params.Marker = p.nextToken + + var limit *int32 + if p.options.Limit > 0 { + limit = &p.options.Limit + } + params.Limit = limit + + result, err := p.client.ListKeyRotations(ctx, ¶ms, optFns...) 
+ if err != nil { + return nil, err + } + p.firstPage = false + + prevToken := p.nextToken + p.nextToken = result.NextMarker + + if p.options.StopOnDuplicateToken && + prevToken != nil && + p.nextToken != nil && + *prevToken == *p.nextToken { + p.nextToken = nil + } + + return result, nil +} + +func newServiceMetadataMiddleware_opListKeyRotations(region string) *awsmiddleware.RegisterServiceMetadata { + return &awsmiddleware.RegisterServiceMetadata{ + Region: region, + ServiceID: ServiceID, + OperationName: "ListKeyRotations", + } +} diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListKeys.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListKeys.go index 2a9165710b0..1b10793bbec 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListKeys.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListKeys.go 
@@ -12,17 +12,28 @@ import ( ) // Gets a list of all KMS keys in the caller's Amazon Web Services account and -// Region. Cross-account use: No. You cannot perform this operation on a KMS key in -// a different Amazon Web Services account. Required permissions: kms:ListKeys (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (IAM policy) Related operations: -// - CreateKey -// - DescribeKey -// - ListAliases -// - ListResourceTags +// Region. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. +// +// Required permissions: [kms:ListKeys] (IAM policy) +// +// Related operations: +// +// # CreateKey +// +// # DescribeKey +// +// # ListAliases +// +// # ListResourceTags // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [kms:ListKeys]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) ListKeys(ctx context.Context, params *ListKeysInput, optFns ...func(*Options)) (*ListKeysOutput, error) { if params == nil { params = &ListKeysInput{} 
@@ -42,9 +53,10 @@ type ListKeysInput struct { // Use this parameter to specify the maximum number of items to return. When this // value is present, KMS does not return more than the specified number of items, - // but it might return fewer. This value is optional. If you include a value, it - // must be between 1 and 1000, inclusive. If you do not include a value, it - // defaults to 100. + // but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and 1000, + // inclusive. If you do not include a value, it defaults to 100. Limit *int32 // Use this parameter in a subsequent request after you receive a response with @@ -66,7 +78,7 @@ type ListKeysOutput struct { // A flag that indicates whether there are more items in the list. When this value // is true, the list in this response is truncated. To get more items, pass the - // value of the NextMarker element in thisresponse to the Marker parameter in a + // value of the NextMarker element in this response to the Marker parameter in a // subsequent request. Truncated bool @@ -163,9 +175,10 @@ var _ ListKeysAPIClient = (*Client)(nil) type ListKeysPaginatorOptions struct { // Use this parameter to specify the maximum number of items to return. When this // value is present, KMS does not return more than the specified number of items, - // but it might return fewer. This value is optional. If you include a value, it - // must be between 1 and 1000, inclusive. If you do not include a value, it - // defaults to 100. + // but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and 1000, + // inclusive. If you do not include a value, it defaults to 100. Limit int32 // Set to true if pagination should stop if the service returns a pagination token 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListResourceTags.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListResourceTags.go index f04cc827c52..7e87bdef71f 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListResourceTags.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListResourceTags.go 
@@ -11,22 +11,34 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Returns all tags on the specified KMS key. For general information about tags, -// including the format and syntax, see Tagging Amazon Web Services resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) -// in the Amazon Web Services General Reference. For information about using tags -// in KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html) -// . Cross-account use: No. You cannot perform this operation on a KMS key in a -// different Amazon Web Services account. Required permissions: -// kms:ListResourceTags (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: -// - CreateKey -// - ReplicateKey -// - TagResource -// - UntagResource +// Returns all tags on the specified KMS key. +// +// For general information about tags, including the format and syntax, see [Tagging Amazon Web Services resources] in +// the Amazon Web Services General Reference. For information about using tags in +// KMS, see [Tagging keys]. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. +// +// Required permissions: [kms:ListResourceTags] (key policy) +// +// Related operations: +// +// # CreateKey +// +// # ReplicateKey +// +// # TagResource +// +// # UntagResource // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. 
+// +// [Tagging keys]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html +// [kms:ListResourceTags]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [Tagging Amazon Web Services resources]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html func (c *Client) ListResourceTags(ctx context.Context, params *ListResourceTagsInput, optFns ...func(*Options)) (*ListResourceTagsOutput, error) { if params == nil { params = &ListResourceTagsInput{} 
@@ -44,27 +56,36 @@ func (c *Client) ListResourceTags(ctx context.Context, params *ListResourceTagsI type ListResourceTagsInput struct { - // Gets tags on the specified KMS key. Specify the key ID or key ARN of the KMS - // key. For example: + // Gets tags on the specified KMS key. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string // Use this parameter to specify the maximum number of items to return. When this // value is present, KMS does not return more than the specified number of items, - // but it might return fewer. This value is optional. If you include a value, it - // must be between 1 and 50, inclusive. If you do not include a value, it defaults - // to 50. + // but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and 50, + // inclusive. If you do not include a value, it defaults to 50. Limit *int32 // Use this parameter in a subsequent request after you receive a response with // truncated results. Set it to the value of NextMarker from the truncated - // response you just received. Do not attempt to construct this value. Use only the - // value of NextMarker from the truncated response you just received. + // response you just received. + // + // Do not attempt to construct this value. Use only the value of NextMarker from + // the truncated response you just received. Marker *string noSmithyDocumentSerde 
@@ -73,19 +94,22 @@ type ListResourceTagsInput struct { type ListResourceTagsOutput struct { // When Truncated is true, this element is present and contains the value to use - // for the Marker parameter in a subsequent request. Do not assume or infer any - // information from this value. + // for the Marker parameter in a subsequent request. + // + // Do not assume or infer any information from this value. NextMarker *string - // A list of tags. Each tag consists of a tag key and a tag value. Tagging or - // untagging a KMS key can allow or deny permission to the KMS key. For details, - // see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) - // in the Key Management Service Developer Guide. + // A list of tags. Each tag consists of a tag key and a tag value. + // + // Tagging or untagging a KMS key can allow or deny permission to the KMS key. For + // details, see [ABAC for KMS]in the Key Management Service Developer Guide. + // + // [ABAC for KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html Tags []types.Tag // A flag that indicates whether there are more items in the list. When this value // is true, the list in this response is truncated. To get more items, pass the - // value of the NextMarker element in thisresponse to the Marker parameter in a + // value of the NextMarker element in this response to the Marker parameter in a // subsequent request. Truncated bool 
@@ -186,9 +210,10 @@ var _ ListResourceTagsAPIClient = (*Client)(nil) type ListResourceTagsPaginatorOptions struct { // Use this parameter to specify the maximum number of items to return. When this // value is present, KMS does not return more than the specified number of items, - // but it might return fewer. This value is optional. If you include a value, it - // must be between 1 and 50, inclusive. If you do not include a value, it defaults - // to 50. + // but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and 50, + // inclusive. If you do not include a value, it defaults to 50. Limit int32 // Set to true if pagination should stop if the service returns a pagination token diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListRetirableGrants.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListRetirableGrants.go index 68d96486ecd..b0caa931cbf 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListRetirableGrants.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ListRetirableGrants.go 
@@ -12,36 +12,50 @@ import ( ) // Returns information about all grants in the Amazon Web Services account and -// Region that have the specified retiring principal. You can specify any principal -// in your Amazon Web Services account. The grants that are returned include grants -// for KMS keys in your Amazon Web Services account and other Amazon Web Services -// accounts. You might use this operation to determine which grants you may retire. -// To retire a grant, use the RetireGrant operation. For detailed information -// about grants, including grant terminology, see Grants in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) -// in the Key Management Service Developer Guide . For examples of working with -// grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html) -// . Cross-account use: You must specify a principal in your Amazon Web Services +// Region that have the specified retiring principal. +// +// You can specify any principal in your Amazon Web Services account. The grants +// that are returned include grants for KMS keys in your Amazon Web Services +// account and other Amazon Web Services accounts. You might use this operation to +// determine which grants you may retire. To retire a grant, use the RetireGrantoperation. +// +// For detailed information about grants, including grant terminology, see [Grants in KMS] in the +// Key Management Service Developer Guide . For examples of working with grants in +// several programming languages, see [Programming grants]. +// +// Cross-account use: You must specify a principal in your Amazon Web Services // account. This operation returns a list of grants where the retiring principal // specified in the ListRetirableGrants request is the same retiring principal on // the grant. 
This can include grants on KMS keys owned by other Amazon Web // Services accounts, but you do not need kms:ListRetirableGrants permission (or // any other additional permission) in any Amazon Web Services account other than -// your own. Required permissions: kms:ListRetirableGrants (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (IAM policy) in your Amazon Web Services account. KMS authorizes -// ListRetirableGrants requests by evaluating the caller account's +// your own. +// +// Required permissions: [kms:ListRetirableGrants] (IAM policy) in your Amazon Web Services account. +// +// KMS authorizes ListRetirableGrants requests by evaluating the caller account's // kms:ListRetirableGrants permissions. The authorized resource in // ListRetirableGrants calls is the retiring principal specified in the request. // KMS does not evaluate the caller's permissions to verify their access to any KMS -// keys or grants that might be returned by the ListRetirableGrants call. Related -// operations: -// - CreateGrant -// - ListGrants -// - RetireGrant -// - RevokeGrant +// keys or grants that might be returned by the ListRetirableGrants call. +// +// Related operations: +// +// # CreateGrant +// +// # ListGrants +// +// # RetireGrant +// +// # RevokeGrant // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. 
+// +// [Programming grants]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html +// [kms:ListRetirableGrants]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [Grants in KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) ListRetirableGrants(ctx context.Context, params *ListRetirableGrantsInput, optFns ...func(*Options)) (*ListRetirableGrantsOutput, error) { if params == nil { params = &ListRetirableGrantsInput{} 
@@ -60,21 +74,25 @@ func (c *Client) ListRetirableGrants(ctx context.Context, params *ListRetirableG type ListRetirableGrantsInput struct { // The retiring principal for which to list grants. Enter a principal in your - // Amazon Web Services account. To specify the retiring principal, use the Amazon - // Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // of an Amazon Web Services principal. Valid principals include Amazon Web - // Services accounts, IAM users, IAM roles, federated users, and assumed role - // users. For help with the ARN syntax for a principal, see IAM ARNs (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - // in the Identity and Access Management User Guide . + // Amazon Web Services account. + // + // To specify the retiring principal, use the [Amazon Resource Name (ARN)] of an Amazon Web Services + // principal. Valid principals include Amazon Web Services accounts, IAM users, IAM + // roles, federated users, and assumed role users. For help with the ARN syntax for + // a principal, see [IAM ARNs]in the Identity and Access Management User Guide . + // + // [IAM ARNs]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns + // [Amazon Resource Name (ARN)]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html // // This member is required. RetiringPrincipal *string // Use this parameter to specify the maximum number of items to return. When this // value is present, KMS does not return more than the specified number of items, - // but it might return fewer. This value is optional. If you include a value, it - // must be between 1 and 100, inclusive. If you do not include a value, it defaults - // to 50. + // but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and 100, + // inclusive. If you do not include a value, it defaults to 50. 
Limit *int32 // Use this parameter in a subsequent request after you receive a response with @@ -96,7 +114,7 @@ type ListRetirableGrantsOutput struct { // A flag that indicates whether there are more items in the list. When this value // is true, the list in this response is truncated. To get more items, pass the - // value of the NextMarker element in thisresponse to the Marker parameter in a + // value of the NextMarker element in this response to the Marker parameter in a // subsequent request. Truncated bool @@ -198,9 +216,10 @@ var _ ListRetirableGrantsAPIClient = (*Client)(nil) type ListRetirableGrantsPaginatorOptions struct { // Use this parameter to specify the maximum number of items to return. When this // value is present, KMS does not return more than the specified number of items, - // but it might return fewer. This value is optional. If you include a value, it - // must be between 1 and 100, inclusive. If you do not include a value, it defaults - // to 50. + // but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and 100, + // inclusive. If you do not include a value, it defaults to 50. Limit int32 // Set to true if pagination should stop if the service returns a pagination token diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_PutKeyPolicy.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_PutKeyPolicy.go index 4d9da0789f9..492e0c40daa 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_PutKeyPolicy.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_PutKeyPolicy.go 
@@ -10,19 +10,29 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Attaches a key policy to the specified KMS key. For more information about key -// policies, see Key Policies (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) -// in the Key Management Service Developer Guide. For help writing and formatting a -// JSON policy document, see the IAM JSON Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) -// in the Identity and Access Management User Guide . For examples of adding a key -// policy in multiple programming languages, see Setting a key policy (https://docs.aws.amazon.com/kms/latest/developerguide/programming-key-policies.html#put-policy) -// in the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on a KMS key in a different Amazon Web Services account. -// Required permissions: kms:PutKeyPolicy (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: GetKeyPolicy Eventual consistency: The KMS API -// follows an eventual consistency model. For more information, see KMS eventual -// consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// Attaches a key policy to the specified KMS key. +// +// For more information about key policies, see [Key Policies] in the Key Management Service +// Developer Guide. For help writing and formatting a JSON policy document, see the +// [IAM JSON Policy Reference]in the Identity and Access Management User Guide . For examples of adding a key +// policy in multiple programming languages, see [Setting a key policy]in the Key Management Service +// Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. 
+// +// Required permissions: [kms:PutKeyPolicy] (key policy) +// +// Related operations: GetKeyPolicy +// +// Eventual consistency: The KMS API follows an eventual consistency model. For +// more information, see [KMS eventual consistency]. +// +// [IAM JSON Policy Reference]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html +// [kms:PutKeyPolicy]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [Setting a key policy]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-key-policies.html#put-policy +// [Key Policies]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) PutKeyPolicy(ctx context.Context, params *PutKeyPolicyInput, optFns ...func(*Options)) (*PutKeyPolicyOutput, error) { if params == nil { params = &PutKeyPolicyInput{} 
@@ -40,53 +50,75 @@ func (c *Client) PutKeyPolicy(ctx context.Context, params *PutKeyPolicyInput, op type PutKeyPolicyInput struct { - // Sets the key policy on the specified KMS key. Specify the key ID or key ARN of - // the KMS key. For example: + // Sets the key policy on the specified KMS key. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string - // The key policy to attach to the KMS key. The key policy must meet the following - // criteria: + // The key policy to attach to the KMS key. + // + // The key policy must meet the following criteria: + // // - The key policy must allow the calling principal to make a subsequent // PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key - // becomes unmanageable. For more information, see Default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) - // in the Key Management Service Developer Guide. (To omit this condition, set - // BypassPolicyLockoutSafetyCheck to true.) + // becomes unmanageable. For more information, see [Default key policy]in the Key Management Service + // Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck + // to true.) + // // - Each statement in the key policy must contain one or more principals. The // principals in the key policy must exist and be visible to KMS. When you create a // new Amazon Web Services principal, you might need to enforce a delay before // including the new principal in a key policy because the new principal might not - // be immediately visible to KMS. 
For more information, see Changes that I make - // are not always immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) - // in the Amazon Web Services Identity and Access Management User Guide. + // be immediately visible to KMS. For more information, see [Changes that I make are not always immediately visible]in the Amazon Web + // Services Identity and Access Management User Guide. + // // A key policy document can include only the following characters: + // // - Printable ASCII characters from the space character ( \u0020 ) through the // end of the ASCII character range. + // // - Printable characters in the Basic Latin and Latin-1 Supplement character // set (through \u00FF ). + // // - The tab ( \u0009 ), line feed ( \u000A ), and carriage return ( \u000D ) // special characters - // For information about key policies, see Key policies in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) - // in the Key Management Service Developer Guide.For help writing and formatting a - // JSON policy document, see the IAM JSON Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) + // + // For information about key policies, see [Key policies in KMS] in the Key Management Service + // Developer Guide.For help writing and formatting a JSON policy document, see the [IAM JSON Policy Reference] // in the Identity and Access Management User Guide . 
// + // [Key policies in KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html + // [IAM JSON Policy Reference]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html + // [Default key policy]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key + // [Changes that I make are not always immediately visible]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency + // // This member is required. Policy *string // Skips ("bypasses") the key policy lockout safety check. The default value is - // false. Setting this value to true increases the risk that the KMS key becomes - // unmanageable. Do not set this value to true indiscriminately. For more - // information, see Default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) - // in the Key Management Service Developer Guide. Use this parameter only when you - // intend to prevent the principal that is making the request from making a - // subsequent PutKeyPolicy (https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) - // request on the KMS key. + // false. + // + // Setting this value to true increases the risk that the KMS key becomes + // unmanageable. Do not set this value to true indiscriminately. + // + // For more information, see [Default key policy] in the Key Management Service Developer Guide. + // + // Use this parameter only when you intend to prevent the principal that is making + // the request from making a subsequent [PutKeyPolicy]request on the KMS key. + // + // [Default key policy]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key + // [PutKeyPolicy]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html BypassPolicyLockoutSafetyCheck bool // The name of the key policy. 
If no policy name is specified, the default value diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ReEncrypt.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ReEncrypt.go index cbcd4c4934e..8eca789a2e6 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ReEncrypt.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ReEncrypt.go 
@@ -13,24 +13,24 @@ import ( // Decrypts ciphertext and then reencrypts it entirely within KMS. You can use // this operation to change the KMS key under which data is encrypted, such as when -// you manually rotate (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually) -// a KMS key or change the KMS key that protects a ciphertext. You can also use it -// to reencrypt ciphertext under the same KMS key, such as to change the -// encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) -// of a ciphertext. The ReEncrypt operation can decrypt ciphertext that was -// encrypted by using a KMS key in an KMS operation, such as Encrypt or -// GenerateDataKey . It can also decrypt ciphertext that was encrypted by using the -// public key of an asymmetric KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks) -// outside of KMS. However, it cannot decrypt ciphertext produced by other -// libraries, such as the Amazon Web Services Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/) -// or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html) -// . These libraries return a ciphertext format that is incompatible with KMS. When -// you use the ReEncrypt operation, you need to provide information for the +// you [manually rotate]a KMS key or change the KMS key that protects a ciphertext. You can also +// use it to reencrypt ciphertext under the same KMS key, such as to change the [encryption context]of +// a ciphertext. +// +// The ReEncrypt operation can decrypt ciphertext that was encrypted by using a +// KMS key in an KMS operation, such as Encryptor GenerateDataKey. It can also decrypt ciphertext that +// was encrypted by using the public key of an [asymmetric KMS key]outside of KMS. 
However, it cannot +// decrypt ciphertext produced by other libraries, such as the [Amazon Web Services Encryption SDK]or [Amazon S3 client-side encryption]. These +// libraries return a ciphertext format that is incompatible with KMS. +// +// When you use the ReEncrypt operation, you need to provide information for the // decrypt operation and the subsequent encrypt operation. +// // - If your ciphertext was encrypted under an asymmetric KMS key, you must use // the SourceKeyId parameter to identify the KMS key that encrypted the // ciphertext. You must also supply the encryption algorithm that was used. This // information is required to decrypt the data. +// // - If your ciphertext was encrypted under a symmetric encryption KMS key, the // SourceKeyId parameter is optional. KMS can get this information from metadata // that it adds to the symmetric ciphertext blob. This feature adds durability to 
@@ -41,46 +41,72 @@ import ( // KMS key you specify. If the ciphertext was encrypted under a different KMS key, // the ReEncrypt operation fails. This practice ensures that you use the KMS key // that you intend. +// // - To reencrypt the data, you must use the DestinationKeyId parameter to // specify the KMS key that re-encrypts the data after it is decrypted. If the // destination KMS key is an asymmetric KMS key, you must also provide the // encryption algorithm. The algorithm that you choose must be compatible with the -// KMS key. When you use an asymmetric KMS key to encrypt or reencrypt data, be -// sure to record the KMS key and encryption algorithm that you choose. You will be -// required to provide the same KMS key and encryption algorithm when you decrypt -// the data. If the KMS key and algorithm do not match the values used to encrypt -// the data, the decrypt operation fails. You are not required to supply the key ID -// and encryption algorithm when you decrypt with symmetric encryption KMS keys -// because KMS stores this information in the ciphertext blob. KMS cannot store -// metadata in ciphertext generated with asymmetric keys. The standard format for -// asymmetric key ciphertext does not include configurable fields. +// KMS key. +// +// When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to +// +// record the KMS key and encryption algorithm that you choose. You will be +// required to provide the same KMS key and encryption algorithm when you decrypt +// the data. If the KMS key and algorithm do not match the values used to encrypt +// the data, the decrypt operation fails. +// +// You are not required to supply the key ID and encryption algorithm when you +// +// decrypt with symmetric encryption KMS keys because KMS stores this information +// in the ciphertext blob. KMS cannot store metadata in ciphertext generated with +// asymmetric keys. 
The standard format for asymmetric key ciphertext does not +// include configurable fields. // // The KMS key that you use for this operation must be in a compatible key state. -// For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. Cross-account use: Yes. The -// source KMS key and destination KMS key can be in different Amazon Web Services -// accounts. Either or both KMS keys can be in a different account than the caller. -// To specify a KMS key in a different account, you must use its key ARN or alias -// ARN. Required permissions: -// - kms:ReEncryptFrom (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// permission on the source KMS key (key policy) -// - kms:ReEncryptTo (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// permission on the destination KMS key (key policy) +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: Yes. The source KMS key and destination KMS key can be in +// different Amazon Web Services accounts. Either or both KMS keys can be in a +// different account than the caller. To specify a KMS key in a different account, +// you must use its key ARN or alias ARN. +// +// Required permissions: +// +// [kms:ReEncryptFrom] +// - permission on the source KMS key (key policy) +// +// [kms:ReEncryptTo] +// - permission on the destination KMS key (key policy) // // To permit reencryption from or to a KMS key, include the "kms:ReEncrypt*" -// permission in your key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) -// . This permission is automatically included in the key policy when you use the -// console to create a KMS key. 
But you must include it manually when you create a -// KMS key programmatically or when you use the PutKeyPolicy operation to set a -// key policy. Related operations: -// - Decrypt -// - Encrypt -// - GenerateDataKey -// - GenerateDataKeyPair +// permission in your [key policy]. This permission is automatically included in the key +// policy when you use the console to create a KMS key. But you must include it +// manually when you create a KMS key programmatically or when you use the PutKeyPolicy +// operation to set a key policy. +// +// Related operations: +// +// # Decrypt +// +// # Encrypt +// +// # GenerateDataKey +// +// # GenerateDataKeyPair // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [Amazon Web Services Encryption SDK]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/ +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [asymmetric KMS key]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks +// [key policy]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html +// [Amazon S3 client-side encryption]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html +// [kms:ReEncryptTo]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [encryption context]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context +// [manually rotate]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually +// [kms:ReEncryptFrom]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: 
https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) ReEncrypt(ctx context.Context, params *ReEncryptInput, optFns ...func(*Options)) (*ReEncryptOutput, error) { if params == nil { params = &ReEncryptInput{} 
@@ -105,94 +131,135 @@ type ReEncryptInput struct { // A unique identifier for the KMS key that is used to reencrypt the data. Specify // a symmetric encryption KMS key or an asymmetric KMS key with a KeyUsage value - // of ENCRYPT_DECRYPT . To find the KeyUsage value of a KMS key, use the - // DescribeKey operation. To specify a KMS key, use its key ID, key ARN, alias - // name, or alias ARN. When using an alias name, prefix it with "alias/" . To - // specify a KMS key in a different Amazon Web Services account, you must use the - // key ARN or alias ARN. For example: + // of ENCRYPT_DECRYPT . To find the KeyUsage value of a KMS key, use the DescribeKey + // operation. + // + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/" . To specify a KMS key in a + // different Amazon Web Services account, you must use the key ARN or alias ARN. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // // - Alias name: alias/ExampleAlias + // // - Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . To - // get the alias name and alias ARN, use ListAliases . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name + // and alias ARN, use ListAliases. // // This member is required. DestinationKeyId *string // Specifies the encryption algorithm that KMS will use to reecrypt the data after // it has decrypted it. The default value, SYMMETRIC_DEFAULT , represents the - // encryption algorithm used for symmetric encryption KMS keys. This parameter is - // required only when the destination KMS key is an asymmetric KMS key. + // encryption algorithm used for symmetric encryption KMS keys. 
+ // + // This parameter is required only when the destination KMS key is an asymmetric + // KMS key. DestinationEncryptionAlgorithm types.EncryptionAlgorithmSpec - // Specifies that encryption context to use when the reencrypting the data. Do not - // include confidential or sensitive information in this field. This field may be - // displayed in plaintext in CloudTrail logs and other output. A destination - // encryption context is valid only when the destination KMS key is a symmetric - // encryption KMS key. The standard ciphertext format for asymmetric KMS keys does - // not include fields for metadata. An encryption context is a collection of - // non-secret key-value pairs that represent additional authenticated data. When - // you use an encryption context to encrypt data, you must specify the same (an - // exact case-sensitive match) encryption context to decrypt the data. An - // encryption context is supported only on operations with symmetric encryption KMS - // keys. On operations with symmetric encryption KMS keys, an encryption context is - // optional, but it is strongly recommended. For more information, see Encryption - // context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the Key Management Service Developer Guide. + // Specifies that encryption context to use when the reencrypting the data. + // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. + // + // A destination encryption context is valid only when the destination KMS key is + // a symmetric encryption KMS key. The standard ciphertext format for asymmetric + // KMS keys does not include fields for metadata. + // + // An encryption context is a collection of non-secret key-value pairs that + // represent additional authenticated data. 
When you use an encryption context to + // encrypt data, you must specify the same (an exact case-sensitive match) + // encryption context to decrypt the data. An encryption context is supported only + // on operations with symmetric encryption KMS keys. On operations with symmetric + // encryption KMS keys, an encryption context is optional, but it is strongly + // recommended. + // + // For more information, see [Encryption context] in the Key Management Service Developer Guide. + // + // [Encryption context]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context DestinationEncryptionContext map[string]string - // Checks if your request will succeed. DryRun is an optional parameter. To learn - // more about how to use this parameter, see Testing your KMS API calls (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html) - // in the Key Management Service Developer Guide. + // Checks if your request will succeed. DryRun is an optional parameter. + // + // To learn more about how to use this parameter, see [Testing your KMS API calls] in the Key Management + // Service Developer Guide. + // + // [Testing your KMS API calls]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html DryRun *bool - // A list of grant tokens. Use a grant token when your permission to call this - // operation comes from a new grant that has not yet achieved eventual consistency. - // For more information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - // in the Key Management Service Developer Guide. + // A list of grant tokens. + // + // Use a grant token when your permission to call this operation comes from a new + // grant that has not yet achieved eventual consistency. 
For more information, see [Grant token] + // and [Using a grant token]in the Key Management Service Developer Guide. + // + // [Grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token + // [Using a grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token GrantTokens []string // Specifies the encryption algorithm that KMS will use to decrypt the ciphertext // before it is reencrypted. The default value, SYMMETRIC_DEFAULT , represents the - // algorithm used for symmetric encryption KMS keys. Specify the same algorithm - // that was used to encrypt the ciphertext. If you specify a different algorithm, - // the decrypt attempt fails. This parameter is required only when the ciphertext - // was encrypted under an asymmetric KMS key. + // algorithm used for symmetric encryption KMS keys. + // + // Specify the same algorithm that was used to encrypt the ciphertext. If you + // specify a different algorithm, the decrypt attempt fails. + // + // This parameter is required only when the ciphertext was encrypted under an + // asymmetric KMS key. SourceEncryptionAlgorithm types.EncryptionAlgorithmSpec // Specifies the encryption context to use to decrypt the ciphertext. Enter the - // same encryption context that was used to encrypt the ciphertext. An encryption - // context is a collection of non-secret key-value pairs that represent additional - // authenticated data. When you use an encryption context to encrypt data, you must - // specify the same (an exact case-sensitive match) encryption context to decrypt - // the data. An encryption context is supported only on operations with symmetric - // encryption KMS keys. On operations with symmetric encryption KMS keys, an - // encryption context is optional, but it is strongly recommended. 
For more - // information, see Encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the Key Management Service Developer Guide. + // same encryption context that was used to encrypt the ciphertext. + // + // An encryption context is a collection of non-secret key-value pairs that + // represent additional authenticated data. When you use an encryption context to + // encrypt data, you must specify the same (an exact case-sensitive match) + // encryption context to decrypt the data. An encryption context is supported only + // on operations with symmetric encryption KMS keys. On operations with symmetric + // encryption KMS keys, an encryption context is optional, but it is strongly + // recommended. + // + // For more information, see [Encryption context] in the Key Management Service Developer Guide. + // + // [Encryption context]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context SourceEncryptionContext map[string]string // Specifies the KMS key that KMS will use to decrypt the ciphertext before it is - // re-encrypted. Enter a key ID of the KMS key that was used to encrypt the - // ciphertext. If you identify a different KMS key, the ReEncrypt operation throws - // an IncorrectKeyException . This parameter is required only when the ciphertext - // was encrypted under an asymmetric KMS key. If you used a symmetric encryption - // KMS key, KMS can get the KMS key from metadata that it adds to the symmetric - // ciphertext blob. However, it is always recommended as a best practice. This - // practice ensures that you use the KMS key that you intend. To specify a KMS key, - // use its key ID, key ARN, alias name, or alias ARN. When using an alias name, - // prefix it with "alias/" . To specify a KMS key in a different Amazon Web - // Services account, you must use the key ARN or alias ARN. For example: + // re-encrypted. 
+ // + // Enter a key ID of the KMS key that was used to encrypt the ciphertext. If you + // identify a different KMS key, the ReEncrypt operation throws an + // IncorrectKeyException . + // + // This parameter is required only when the ciphertext was encrypted under an + // asymmetric KMS key. If you used a symmetric encryption KMS key, KMS can get the + // KMS key from metadata that it adds to the symmetric ciphertext blob. However, it + // is always recommended as a best practice. This practice ensures that you use the + // KMS key that you intend. + // + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/" . To specify a KMS key in a + // different Amazon Web Services account, you must use the key ARN or alias ARN. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // // - Alias name: alias/ExampleAlias + // // - Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . To - // get the alias name and alias ARN, use ListAliases . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name + // and alias ARN, use ListAliases. SourceKeyId *string noSmithyDocumentSerde 
@@ -207,8 +274,9 @@ type ReEncryptOutput struct { // The encryption algorithm that was used to reencrypt the data. DestinationEncryptionAlgorithm types.EncryptionAlgorithmSpec - // The Amazon Resource Name ( key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) - // ) of the KMS key that was used to reencrypt the data. + // The Amazon Resource Name ([key ARN] ) of the KMS key that was used to reencrypt the data. + // + // [key ARN]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN KeyId *string // The encryption algorithm that was used to decrypt the ciphertext before it was diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ReplicateKey.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ReplicateKey.go index 4eb5fc4cceb..2f6e7ae15c4 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ReplicateKey.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ReplicateKey.go 
@@ -15,29 +15,24 @@ import ( // a multi-Region replica key based on a multi-Region primary key in a different // Region of the same Amazon Web Services partition. You can create multiple // replicas of a primary key, but each must be in a different Region. To create a -// multi-Region primary key, use the CreateKey operation. This operation supports -// multi-Region keys, an KMS feature that lets you create multiple interoperable -// KMS keys in different Amazon Web Services Regions. Because these KMS keys have -// the same key ID, key material, and other metadata, you can use them -// interchangeably to encrypt data in one Amazon Web Services Region and decrypt it -// in a different Amazon Web Services Region without re-encrypting the data or -// making a cross-Region call. For more information about multi-Region keys, see -// Multi-Region keys in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) -// in the Key Management Service Developer Guide. A replica key is a -// fully-functional KMS key that can be used independently of its primary and peer -// replica keys. A primary key and its replica keys share properties that make them -// interoperable. They have the same key ID (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id) -// and key material. They also have the same key spec (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec) -// , key usage (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage) -// , key material origin (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin) -// , and automatic key rotation status (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) -// . KMS automatically synchronizes these shared properties among related -// multi-Region keys. 
All other properties of a replica key can differ, including -// its key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) -// , tags (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html) -// , aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html) -// , and Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// . KMS pricing and quotas for KMS keys apply to each primary key and replica key. +// multi-Region primary key, use the CreateKeyoperation. +// +// This operation supports multi-Region keys, an KMS feature that lets you create +// multiple interoperable KMS keys in different Amazon Web Services Regions. +// Because these KMS keys have the same key ID, key material, and other metadata, +// you can use them interchangeably to encrypt data in one Amazon Web Services +// Region and decrypt it in a different Amazon Web Services Region without +// re-encrypting the data or making a cross-Region call. For more information about +// multi-Region keys, see [Multi-Region keys in KMS]in the Key Management Service Developer Guide. +// +// A replica key is a fully-functional KMS key that can be used independently of +// its primary and peer replica keys. A primary key and its replica keys share +// properties that make them interoperable. They have the same [key ID]and key material. +// They also have the same [key spec], [key usage], [key material origin], and [automatic key rotation status]. KMS automatically synchronizes these shared +// properties among related multi-Region keys. All other properties of a replica +// key can differ, including its [key policy], [tags], [aliases], and [Key states of KMS keys]. KMS pricing and quotas for KMS keys +// apply to each primary key and replica key. +// // When this operation completes, the new replica key has a transient key state of // Creating . 
This key state changes to Enabled (or PendingImport ) after a few // seconds when the process of creating the new replica key is complete. While the 
@@ -45,39 +40,64 @@ import ( // cryptographic operations. If you are creating and using the replica key // programmatically, retry on KMSInvalidStateException or call DescribeKey to // check its KeyState value before using it. For details about the Creating key -// state, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. You cannot create more than one -// replica of a primary key in any Region. If the Region already includes a replica -// of the key you're trying to replicate, ReplicateKey returns an -// AlreadyExistsException error. If the key state of the existing replica is -// PendingDeletion , you can cancel the scheduled key deletion ( CancelKeyDeletion +// state, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// You cannot create more than one replica of a primary key in any Region. If the +// Region already includes a replica of the key you're trying to replicate, +// ReplicateKey returns an AlreadyExistsException error. If the key state of the +// existing replica is PendingDeletion , you can cancel the scheduled key deletion (CancelKeyDeletion // ) or wait for the key to be deleted. The new replica key you create will have -// the same shared properties (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-sync-properties) -// as the original replica key. The CloudTrail log of a ReplicateKey operation -// records a ReplicateKey operation in the primary key's Region and a CreateKey -// operation in the replica key's Region. If you replicate a multi-Region primary -// key with imported key material, the replica key is created with no key material. -// You must import the same key material that you imported into the primary key. 
-// For details, see Importing key material into multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html) -// in the Key Management Service Developer Guide. To convert a replica key to a -// primary key, use the UpdatePrimaryRegion operation. ReplicateKey uses different -// default values for the KeyPolicy and Tags parameters than those used in the KMS -// console. For details, see the parameter descriptions. Cross-account use: No. You -// cannot use this operation to create a replica key in a different Amazon Web -// Services account. Required permissions: +// the same [shared properties]as the original replica key. +// +// The CloudTrail log of a ReplicateKey operation records a ReplicateKey operation +// in the primary key's Region and a CreateKeyoperation in the replica key's Region. +// +// If you replicate a multi-Region primary key with imported key material, the +// replica key is created with no key material. You must import the same key +// material that you imported into the primary key. For details, see [Importing key material into multi-Region keys]in the Key +// Management Service Developer Guide. +// +// To convert a replica key to a primary key, use the UpdatePrimaryRegion operation. +// +// ReplicateKey uses different default values for the KeyPolicy and Tags +// parameters than those used in the KMS console. For details, see the parameter +// descriptions. +// +// Cross-account use: No. You cannot use this operation to create a replica key in +// a different Amazon Web Services account. +// +// Required permissions: +// // - kms:ReplicateKey on the primary key (in the primary key's Region). Include // this permission in the primary key's key policy. +// // - kms:CreateKey in an IAM policy in the replica Region. +// // - To use the Tags parameter, kms:TagResource in an IAM policy in the replica // Region. 
// -// Related operations -// - CreateKey -// - UpdatePrimaryRegion +// # Related operations +// +// # CreateKey +// +// # UpdatePrimaryRegion // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [key ID]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id +// [automatic key rotation status]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html +// [aliases]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html +// [key usage]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage +// [Multi-Region keys in KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html +// [key policy]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [tags]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [key spec]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec +// [Importing key material into multi-Region keys]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html +// [key material origin]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin +// [shared properties]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-sync-properties func (c *Client) ReplicateKey(ctx context.Context, params *ReplicateKeyInput, optFns ...func(*Options)) (*ReplicateKeyOutput, error) { if params == nil { params = &ReplicateKeyInput{} 
@@ -96,108 +116,150 @@ func (c *Client) ReplicateKey(ctx context.Context, params *ReplicateKeyInput, op type ReplicateKeyInput struct { // Identifies the multi-Region primary key that is being replicated. To determine - // whether a KMS key is a multi-Region primary key, use the DescribeKey operation - // to check the value of the MultiRegionKeyType property. Specify the key ID or - // key ARN of a multi-Region primary key. For example: + // whether a KMS key is a multi-Region primary key, use the DescribeKeyoperation to check the + // value of the MultiRegionKeyType property. + // + // Specify the key ID or key ARN of a multi-Region primary key. + // + // For example: + // // - Key ID: mrk-1234abcd12ab34cd56ef1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string - // The Region ID of the Amazon Web Services Region for this replica key. Enter the - // Region ID, such as us-east-1 or ap-southeast-2 . For a list of Amazon Web - // Services Regions in which KMS is supported, see KMS service endpoints (https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region) - // in the Amazon Web Services General Reference. HMAC KMS keys are not supported in - // all Amazon Web Services Regions. If you try to replicate an HMAC KMS key in an - // Amazon Web Services Region in which HMAC keys are not supported, the - // ReplicateKey operation returns an UnsupportedOperationException . For a list of - // Regions in which HMAC KMS keys are supported, see HMAC keys in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html) - // in the Key Management Service Developer Guide. 
The replica must be in a - // different Amazon Web Services Region than its primary key and other replicas of - // that primary key, but in the same Amazon Web Services partition. KMS must be - // available in the replica Region. If the Region is not enabled by default, the - // Amazon Web Services account must be enabled in the Region. For information about - // Amazon Web Services partitions, see Amazon Resource Names (ARNs) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // in the Amazon Web Services General Reference. For information about enabling and - // disabling Regions, see Enabling a Region (https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable) - // and Disabling a Region (https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable) - // in the Amazon Web Services General Reference. + // The Region ID of the Amazon Web Services Region for this replica key. + // + // Enter the Region ID, such as us-east-1 or ap-southeast-2 . For a list of Amazon + // Web Services Regions in which KMS is supported, see [KMS service endpoints]in the Amazon Web Services + // General Reference. + // + // HMAC KMS keys are not supported in all Amazon Web Services Regions. If you try + // to replicate an HMAC KMS key in an Amazon Web Services Region in which HMAC keys + // are not supported, the ReplicateKey operation returns an + // UnsupportedOperationException . For a list of Regions in which HMAC KMS keys are + // supported, see [HMAC keys in KMS]in the Key Management Service Developer Guide. + // + // The replica must be in a different Amazon Web Services Region than its primary + // key and other replicas of that primary key, but in the same Amazon Web Services + // partition. KMS must be available in the replica Region. If the Region is not + // enabled by default, the Amazon Web Services account must be enabled in the + // Region. 
For information about Amazon Web Services partitions, see [Amazon Resource Names (ARNs)]in the Amazon + // Web Services General Reference. For information about enabling and disabling + // Regions, see [Enabling a Region]and [Disabling a Region] in the Amazon Web Services General Reference. + // + // [Disabling a Region]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable + // [Enabling a Region]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable + // [KMS service endpoints]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region + // [HMAC keys in KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html + // [Amazon Resource Names (ARNs)]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html // // This member is required. ReplicaRegion *string // Skips ("bypasses") the key policy lockout safety check. The default value is - // false. Setting this value to true increases the risk that the KMS key becomes - // unmanageable. Do not set this value to true indiscriminately. For more - // information, see Default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) - // in the Key Management Service Developer Guide. Use this parameter only when you - // intend to prevent the principal that is making the request from making a - // subsequent PutKeyPolicy (https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) - // request on the KMS key. + // false. + // + // Setting this value to true increases the risk that the KMS key becomes + // unmanageable. Do not set this value to true indiscriminately. + // + // For more information, see [Default key policy] in the Key Management Service Developer Guide. + // + // Use this parameter only when you intend to prevent the principal that is making + // the request from making a subsequent [PutKeyPolicy]request on the KMS key. 
+ // + // [Default key policy]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key + // [PutKeyPolicy]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html BypassPolicyLockoutSafetyCheck bool // A description of the KMS key. The default value is an empty string (no - // description). Do not include confidential or sensitive information in this - // field. This field may be displayed in plaintext in CloudTrail logs and other - // output. The description is not a shared property of multi-Region keys. You can - // specify the same description or a different description for each key in a set of - // related multi-Region keys. KMS does not synchronize this property. + // description). + // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. + // + // The description is not a shared property of multi-Region keys. You can specify + // the same description or a different description for each key in a set of related + // multi-Region keys. KMS does not synchronize this property. Description *string // The key policy to attach to the KMS key. This parameter is optional. If you do - // not provide a key policy, KMS attaches the default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) - // to the KMS key. The key policy is not a shared property of multi-Region keys. - // You can specify the same key policy or a different key policy for each key in a - // set of related multi-Region keys. KMS does not synchronize this property. If you - // provide a key policy, it must meet the following criteria: + // not provide a key policy, KMS attaches the [default key policy]to the KMS key. + // + // The key policy is not a shared property of multi-Region keys. 
You can specify + // the same key policy or a different key policy for each key in a set of related + // multi-Region keys. KMS does not synchronize this property. + // + // If you provide a key policy, it must meet the following criteria: + // // - The key policy must allow the calling principal to make a subsequent // PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key - // becomes unmanageable. For more information, see Default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) - // in the Key Management Service Developer Guide. (To omit this condition, set - // BypassPolicyLockoutSafetyCheck to true.) + // becomes unmanageable. For more information, see [Default key policy]in the Key Management Service + // Developer Guide. (To omit this condition, set BypassPolicyLockoutSafetyCheck + // to true.) + // // - Each statement in the key policy must contain one or more principals. The // principals in the key policy must exist and be visible to KMS. When you create a // new Amazon Web Services principal, you might need to enforce a delay before // including the new principal in a key policy because the new principal might not - // be immediately visible to KMS. For more information, see Changes that I make - // are not always immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) - // in the Amazon Web Services Identity and Access Management User Guide. + // be immediately visible to KMS. For more information, see [Changes that I make are not always immediately visible]in the Amazon Web + // Services Identity and Access Management User Guide. + // // A key policy document can include only the following characters: + // // - Printable ASCII characters from the space character ( \u0020 ) through the // end of the ASCII character range. 
+ // // - Printable characters in the Basic Latin and Latin-1 Supplement character // set (through \u00FF ). + // // - The tab ( \u0009 ), line feed ( \u000A ), and carriage return ( \u000D ) // special characters - // For information about key policies, see Key policies in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) - // in the Key Management Service Developer Guide. For help writing and formatting a - // JSON policy document, see the IAM JSON Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) - // in the Identity and Access Management User Guide . + // + // For information about key policies, see [Key policies in KMS] in the Key Management Service + // Developer Guide. For help writing and formatting a JSON policy document, see the + // [IAM JSON Policy Reference]in the Identity and Access Management User Guide . + // + // [Key policies in KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html + // [default key policy]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default + // [IAM JSON Policy Reference]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html + // [Default key policy]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key + // [Changes that I make are not always immediately visible]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency Policy *string // Assigns one or more tags to the replica key. Use this parameter to tag the KMS - // key when it is created. To tag an existing KMS key, use the TagResource - // operation. Do not include confidential or sensitive information in this field. - // This field may be displayed in plaintext in CloudTrail logs and other output. + // key when it is created. To tag an existing KMS key, use the TagResourceoperation. 
+ // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. + // // Tagging or untagging a KMS key can allow or deny permission to the KMS key. For - // details, see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) - // in the Key Management Service Developer Guide. To use this parameter, you must - // have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) - // permission in an IAM policy. Tags are not a shared property of multi-Region - // keys. You can specify the same tags or different tags for each key in a set of - // related multi-Region keys. KMS does not synchronize this property. Each tag - // consists of a tag key and a tag value. Both the tag key and the tag value are - // required, but the tag value can be an empty (null) string. You cannot have more - // than one tag on a KMS key with the same tag key. If you specify an existing tag - // key with a different tag value, KMS replaces the current tag value with the - // specified one. When you add tags to an Amazon Web Services resource, Amazon Web - // Services generates a cost allocation report with usage and costs aggregated by - // tags. Tags can also be used to control access to a KMS key. For details, see - // Tagging Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html) - // . + // details, see [ABAC for KMS]in the Key Management Service Developer Guide. + // + // To use this parameter, you must have [kms:TagResource] permission in an IAM policy. + // + // Tags are not a shared property of multi-Region keys. You can specify the same + // tags or different tags for each key in a set of related multi-Region keys. KMS + // does not synchronize this property. + // + // Each tag consists of a tag key and a tag value. 
Both the tag key and the tag + // value are required, but the tag value can be an empty (null) string. You cannot + // have more than one tag on a KMS key with the same tag key. If you specify an + // existing tag key with a different tag value, KMS replaces the current tag value + // with the specified one. + // + // When you add tags to an Amazon Web Services resource, Amazon Web Services + // generates a cost allocation report with usage and costs aggregated by tags. Tags + // can also be used to control access to a KMS key. For details, see [Tagging Keys]. + // + // [kms:TagResource]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html + // [Tagging Keys]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html + // [ABAC for KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html Tags []types.Tag noSmithyDocumentSerde @@ -205,11 +267,12 @@ type ReplicateKeyInput struct { type ReplicateKeyOutput struct { - // Displays details about the new replica key, including its Amazon Resource Name ( - // key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) - // ) and Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) - // . It also includes the ARN and Amazon Web Services Region of its primary key and - // other replica keys. + // Displays details about the new replica key, including its Amazon Resource Name ([key ARN] + // ) and [Key states of KMS keys]. It also includes the ARN and Amazon Web Services Region of its primary + // key and other replica keys. + // + // [key ARN]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN + // [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html ReplicaKeyMetadata *types.KeyMetadata // The key policy of the new replica key. The value is a key policy document in 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_RetireGrant.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_RetireGrant.go index e52867b2461..df3e02ef06b 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_RetireGrant.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_RetireGrant.go 
@@ -11,30 +11,44 @@ import ( ) // Deletes a grant. Typically, you retire a grant when you no longer need its -// permissions. To identify the grant to retire, use a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) -// , or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. -// The CreateGrant operation returns both values. This operation can be called by -// the retiring principal for a grant, by the grantee principal if the grant allows -// the RetireGrant operation, and by the Amazon Web Services account in which the -// grant is created. It can also be called by principals to whom permission for -// retiring a grant is delegated. For details, see Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete) -// in the Key Management Service Developer Guide. For detailed information about -// grants, including grant terminology, see Grants in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) -// in the Key Management Service Developer Guide . For examples of working with -// grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html) -// . Cross-account use: Yes. You can retire a grant on a KMS key in a different -// Amazon Web Services account. Required permissions: Permission to retire a grant -// is determined primarily by the grant. For details, see Retiring and revoking -// grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete) -// in the Key Management Service Developer Guide. Related operations: -// - CreateGrant -// - ListGrants -// - ListRetirableGrants -// - RevokeGrant +// permissions. To identify the grant to retire, use a [grant token], or both the grant ID and +// a key identifier (key ID or key ARN) of the KMS key. The CreateGrantoperation returns both +// values. 
+// +// This operation can be called by the retiring principal for a grant, by the +// grantee principal if the grant allows the RetireGrant operation, and by the +// Amazon Web Services account in which the grant is created. It can also be called +// by principals to whom permission for retiring a grant is delegated. For details, +// see [Retiring and revoking grants]in the Key Management Service Developer Guide. +// +// For detailed information about grants, including grant terminology, see [Grants in KMS] in the +// Key Management Service Developer Guide . For examples of working with grants in +// several programming languages, see [Programming grants]. +// +// Cross-account use: Yes. You can retire a grant on a KMS key in a different +// Amazon Web Services account. +// +// Required permissions: Permission to retire a grant is determined primarily by +// the grant. For details, see [Retiring and revoking grants]in the Key Management Service Developer Guide. +// +// Related operations: +// +// # CreateGrant +// +// # ListGrants +// +// # ListRetirableGrants +// +// # RevokeGrant // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. 
+// +// [Programming grants]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html +// [grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token +// [Retiring and revoking grants]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete +// [Grants in KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) RetireGrant(ctx context.Context, params *RetireGrantInput, optFns ...func(*Options)) (*RetireGrantOutput, error) { if params == nil { params = &RetireGrantInput{} 
@@ -52,26 +66,34 @@ func (c *Client) RetireGrant(ctx context.Context, params *RetireGrantInput, optF type RetireGrantInput struct { - // Checks if your request will succeed. DryRun is an optional parameter. To learn - // more about how to use this parameter, see Testing your KMS API calls (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html) - // in the Key Management Service Developer Guide. + // Checks if your request will succeed. DryRun is an optional parameter. + // + // To learn more about how to use this parameter, see [Testing your KMS API calls] in the Key Management + // Service Developer Guide. + // + // [Testing your KMS API calls]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html DryRun *bool - // Identifies the grant to retire. To get the grant ID, use CreateGrant , - // ListGrants , or ListRetirableGrants . + // Identifies the grant to retire. To get the grant ID, use CreateGrant, ListGrants, or ListRetirableGrants. + // // - Grant ID Example - // 0123456789012345678901234567890123456789012345678901234567890123 GrantId *string // Identifies the grant to be retired. You can use a grant token to identify a new - // grant even before it has achieved eventual consistency. Only the CreateGrant - // operation returns a grant token. For details, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - // and Eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency) - // in the Key Management Service Developer Guide. + // grant even before it has achieved eventual consistency. + // + // Only the CreateGrant operation returns a grant token. For details, see [Grant token] and [Eventual consistency] in the Key + // Management Service Developer Guide. 
+ // + // [Grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token + // [Eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency GrantToken *string - // The key ARN KMS key associated with the grant. To find the key ARN, use the - // ListKeys operation. For example: + // The key ARN KMS key associated with the grant. To find the key ARN, use the ListKeys + // operation. + // + // For example: // arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab KeyId *string diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_RevokeGrant.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_RevokeGrant.go index ca1a1eceb76..582f5dbe47a 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_RevokeGrant.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_RevokeGrant.go 
@@ -11,27 +11,43 @@ import ( ) // Deletes the specified grant. You revoke a grant to terminate the permissions -// that the grant allows. For more information, see Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete) -// in the Key Management Service Developer Guide . When you create, retire, or -// revoke a grant, there might be a brief delay, usually less than five minutes, -// until the grant is available throughout KMS. This state is known as eventual -// consistency. For details, see Eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency) -// in the Key Management Service Developer Guide . For detailed information about -// grants, including grant terminology, see Grants in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) -// in the Key Management Service Developer Guide . For examples of working with -// grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html) -// . Cross-account use: Yes. To perform this operation on a KMS key in a different +// that the grant allows. For more information, see [Retiring and revoking grants]in the Key Management Service +// Developer Guide . +// +// When you create, retire, or revoke a grant, there might be a brief delay, +// usually less than five minutes, until the grant is available throughout KMS. +// This state is known as eventual consistency. For details, see [Eventual consistency]in the Key +// Management Service Developer Guide . +// +// For detailed information about grants, including grant terminology, see [Grants in KMS] in the +// Key Management Service Developer Guide . For examples of working with grants in +// several programming languages, see [Programming grants]. +// +// Cross-account use: Yes. 
To perform this operation on a KMS key in a different // Amazon Web Services account, specify the key ARN in the value of the KeyId -// parameter. Required permissions: kms:RevokeGrant (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy). Related operations: -// - CreateGrant -// - ListGrants -// - ListRetirableGrants -// - RetireGrant +// parameter. +// +// Required permissions: [kms:RevokeGrant] (key policy). +// +// Related operations: +// +// # CreateGrant +// +// # ListGrants +// +// # ListRetirableGrants +// +// # RetireGrant // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [Eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency +// [Programming grants]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html +// [kms:RevokeGrant]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [Retiring and revoking grants]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete +// [Grants in KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) RevokeGrant(ctx context.Context, params *RevokeGrantInput, optFns ...func(*Options)) (*RevokeGrantOutput, error) { if params == nil { params = &RevokeGrantInput{} 
@@ -49,27 +65,35 @@ func (c *Client) RevokeGrant(ctx context.Context, params *RevokeGrantInput, optF type RevokeGrantInput struct { - // Identifies the grant to revoke. To get the grant ID, use CreateGrant , - // ListGrants , or ListRetirableGrants . + // Identifies the grant to revoke. To get the grant ID, use CreateGrant, ListGrants, or ListRetirableGrants. // // This member is required. GrantId *string // A unique identifier for the KMS key associated with the grant. To get the key - // ID and key ARN for a KMS key, use ListKeys or DescribeKey . Specify the key ID - // or key ARN of the KMS key. To specify a KMS key in a different Amazon Web - // Services account, you must use the key ARN. For example: + // ID and key ARN for a KMS key, use ListKeysor DescribeKey. + // + // Specify the key ID or key ARN of the KMS key. To specify a KMS key in a + // different Amazon Web Services account, you must use the key ARN. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string - // Checks if your request will succeed. DryRun is an optional parameter. To learn - // more about how to use this parameter, see Testing your KMS API calls (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html) - // in the Key Management Service Developer Guide. + // Checks if your request will succeed. DryRun is an optional parameter. + // + // To learn more about how to use this parameter, see [Testing your KMS API calls] in the Key Management + // Service Developer Guide. + // + // [Testing your KMS API calls]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html DryRun *bool noSmithyDocumentSerde 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_RotateKeyOnDemand.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_RotateKeyOnDemand.go new file mode 100644 index 00000000000..e54b429e78a --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_RotateKeyOnDemand.go 
@@ -0,0 +1,216 @@ +// Code generated by smithy-go-codegen DO NOT EDIT. + +package kms + +import ( + "context" + "fmt" + awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" + "github.com/aws/smithy-go/middleware" + smithyhttp "github.com/aws/smithy-go/transport/http" +) + +// Immediately initiates rotation of the key material of the specified symmetric +// encryption KMS key. +// +// You can perform [on-demand rotation] of the key material in customer managed KMS keys, regardless +// of whether or not [automatic key rotation]is enabled. On-demand rotations do not change existing +// automatic rotation schedules. For example, consider a KMS key that has automatic +// key rotation enabled with a rotation period of 730 days. If the key is scheduled +// to automatically rotate on April 14, 2024, and you perform an on-demand rotation +// on April 10, 2024, the key will automatically rotate, as scheduled, on April 14, +// 2024 and every 730 days thereafter. +// +// You can perform on-demand key rotation a maximum of 10 times per KMS key. You +// can use the KMS console to view the number of remaining on-demand rotations +// available for a KMS key. +// +// You can use GetKeyRotationStatus to identify any in progress on-demand rotations. You can use ListKeyRotations to +// identify the date that completed on-demand rotations were performed. You can +// monitor rotation of the key material for your KMS keys in CloudTrail and Amazon +// CloudWatch. +// +// On-demand key rotation is supported only on [symmetric encryption KMS keys]. You cannot perform on-demand +// rotation of [asymmetric KMS keys], [HMAC KMS keys], KMS keys with [imported key material], or KMS keys in a [custom key store]. To perform on-demand +// rotation of a set of related [multi-Region keys], invoke the on-demand rotation on the primary key. +// +// You cannot initiate on-demand rotation of [Amazon Web Services managed KMS keys]. 
KMS always rotates the key material +// of Amazon Web Services managed keys every year. Rotation of [Amazon Web Services owned KMS keys]is managed by the +// Amazon Web Services service that owns the key. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. +// +// Required permissions: [kms:RotateKeyOnDemand] (key policy) +// +// Related operations: +// +// # EnableKeyRotation +// +// # DisableKeyRotation +// +// # GetKeyRotationStatus +// +// # ListKeyRotations +// +// Eventual consistency: The KMS API follows an eventual consistency model. For +// more information, see [KMS eventual consistency]. +// +// [on-demand rotation]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-on-demand +// [Amazon Web Services owned KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk +// [automatic key rotation]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-enable-disable +// [kms:RotateKeyOnDemand]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [multi-Region keys]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [imported key material]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [HMAC KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html +// [Amazon Web Services managed KMS keys]: 
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk +// [asymmetric KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html +// [symmetric encryption KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks +// [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html +func (c *Client) RotateKeyOnDemand(ctx context.Context, params *RotateKeyOnDemandInput, optFns ...func(*Options)) (*RotateKeyOnDemandOutput, error) { + if params == nil { + params = &RotateKeyOnDemandInput{} + } + + result, metadata, err := c.invokeOperation(ctx, "RotateKeyOnDemand", params, optFns, c.addOperationRotateKeyOnDemandMiddlewares) + if err != nil { + return nil, err + } + + out := result.(*RotateKeyOnDemandOutput) + out.ResultMetadata = metadata + return out, nil +} + +type RotateKeyOnDemandInput struct { + + // Identifies a symmetric encryption KMS key. You cannot perform on-demand + // rotation of [asymmetric KMS keys], [HMAC KMS keys], KMS keys with [imported key material], or KMS keys in a [custom key store]. To perform on-demand + // rotation of a set of related [multi-Region keys], invoke the on-demand rotation on the primary key. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // + // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // - Key ARN: + // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. 
+ // + // [imported key material]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html + // [HMAC KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html + // [asymmetric KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html + // [multi-Region keys]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate + // [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html + // + // This member is required. + KeyId *string + + noSmithyDocumentSerde +} + +type RotateKeyOnDemandOutput struct { + + // Identifies the symmetric encryption KMS key that you initiated on-demand + // rotation on. + KeyId *string + + // Metadata pertaining to the operation's result. + ResultMetadata middleware.Metadata + + noSmithyDocumentSerde +} + +func (c *Client) addOperationRotateKeyOnDemandMiddlewares(stack *middleware.Stack, options Options) (err error) { + if err := stack.Serialize.Add(&setOperationInputMiddleware{}, middleware.After); err != nil { + return err + } + err = stack.Serialize.Add(&awsAwsjson11_serializeOpRotateKeyOnDemand{}, middleware.After) + if err != nil { + return err + } + err = stack.Deserialize.Add(&awsAwsjson11_deserializeOpRotateKeyOnDemand{}, middleware.After) + if err != nil { + return err + } + if err := addProtocolFinalizerMiddlewares(stack, options, "RotateKeyOnDemand"); err != nil { + return fmt.Errorf("add protocol finalizers: %v", err) + } + + if err = addlegacyEndpointContextSetter(stack, options); err != nil { + return err + } + if err = addSetLoggerMiddleware(stack, options); err != nil { + return err + } + if err = addClientRequestID(stack); err != nil { + return err + } + if err = addComputeContentLength(stack); err != nil { + return err + } + if err = addResolveEndpointMiddleware(stack, options); err != nil { + return err + } + if err = addComputePayloadSHA256(stack); err != nil { + 
return err + } + if err = addRetry(stack, options); err != nil { + return err + } + if err = addRawResponseToMetadata(stack); err != nil { + return err + } + if err = addRecordResponseTiming(stack); err != nil { + return err + } + if err = addClientUserAgent(stack, options); err != nil { + return err + } + if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil { + return err + } + if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { + return err + } + if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil { + return err + } + if err = addOpRotateKeyOnDemandValidationMiddleware(stack); err != nil { + return err + } + if err = stack.Initialize.Add(newServiceMetadataMiddleware_opRotateKeyOnDemand(options.Region), middleware.Before); err != nil { + return err + } + if err = addRecursionDetection(stack); err != nil { + return err + } + if err = addRequestIDRetrieverMiddleware(stack); err != nil { + return err + } + if err = addResponseErrorMiddleware(stack); err != nil { + return err + } + if err = addRequestResponseLogging(stack, options); err != nil { + return err + } + if err = addDisableHTTPSMiddleware(stack, options); err != nil { + return err + } + return nil +} + +func newServiceMetadataMiddleware_opRotateKeyOnDemand(region string) *awsmiddleware.RegisterServiceMetadata { + return &awsmiddleware.RegisterServiceMetadata{ + Region: region, + ServiceID: ServiceID, + OperationName: "RotateKeyOnDemand", + } +} diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ScheduleKeyDeletion.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ScheduleKeyDeletion.go index a8e3354fbc8..f2de79497f1 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ScheduleKeyDeletion.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_ScheduleKeyDeletion.go 
@@ -17,46 +17,62 @@ import ( // operation is successful, the key state of the KMS key changes to PendingDeletion // and the key can't be used in any cryptographic operations. It remains in this // state for the duration of the waiting period. Before the waiting period ends, -// you can use CancelKeyDeletion to cancel the deletion of the KMS key. After the -// waiting period ends, KMS deletes the KMS key, its key material, and all KMS data -// associated with it, including all aliases that refer to it. Deleting a KMS key -// is a destructive and potentially dangerous operation. When a KMS key is deleted, -// all data that was encrypted under the KMS key is unrecoverable. (The only -// exception is a multi-Region replica key (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) -// , or an asymmetric or HMAC KMS key with imported key material .) To prevent the -// use of a KMS key without deleting it, use DisableKey . You can schedule the -// deletion of a multi-Region primary key and its replica keys at any time. -// However, KMS will not delete a multi-Region primary key with existing replica -// keys. If you schedule the deletion of a primary key with replicas, its key state -// changes to PendingReplicaDeletion and it cannot be replicated or used in -// cryptographic operations. This status can continue indefinitely. When the last -// of its replicas keys is deleted (not just scheduled), the key state of the -// primary key changes to PendingDeletion and its waiting period ( -// PendingWindowInDays ) begins. For details, see Deleting multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) -// in the Key Management Service Developer Guide. When KMS deletes a KMS key from -// an CloudHSM key store (https://docs.aws.amazon.com/kms/latest/developerguide/delete-cmk-keystore.html) -// , it makes a best effort to delete the associated key material from the -// associated CloudHSM cluster. 
However, you might need to manually delete the -// orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key) -// from the cluster and its backups. Deleting a KMS key from an external key store (https://docs.aws.amazon.com/kms/latest/developerguide/delete-xks-key.html) -// has no effect on the associated external key. However, for both types of custom -// key stores, deleting a KMS key is destructive and irreversible. You cannot -// decrypt ciphertext encrypted under the KMS key by using only its associated -// external key or CloudHSM key. Also, you cannot recreate a KMS key in an external -// key store by creating a new KMS key with the same key material. For more -// information about scheduling a KMS key for deletion, see Deleting KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) -// in the Key Management Service Developer Guide. The KMS key that you use for this -// operation must be in a compatible key state. For details, see Key states of KMS -// keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in -// the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on a KMS key in a different Amazon Web Services account. -// Required permissions: kms:ScheduleKeyDeletion (key policy) Related operations -// - CancelKeyDeletion -// - DisableKey +// you can use CancelKeyDeletionto cancel the deletion of the KMS key. After the waiting period +// ends, KMS deletes the KMS key, its key material, and all KMS data associated +// with it, including all aliases that refer to it. +// +// Deleting a KMS key is a destructive and potentially dangerous operation. When a +// KMS key is deleted, all data that was encrypted under the KMS key is +// unrecoverable. (The only exception is a [multi-Region replica key], or an asymmetric or HMAC KMS key with imported key material.) 
To prevent the use of a KMS +// key without deleting it, use DisableKey. +// +// You can schedule the deletion of a multi-Region primary key and its replica +// keys at any time. However, KMS will not delete a multi-Region primary key with +// existing replica keys. If you schedule the deletion of a primary key with +// replicas, its key state changes to PendingReplicaDeletion and it cannot be +// replicated or used in cryptographic operations. This status can continue +// indefinitely. When the last of its replicas keys is deleted (not just +// scheduled), the key state of the primary key changes to PendingDeletion and its +// waiting period ( PendingWindowInDays ) begins. For details, see [Deleting multi-Region keys] in the Key +// Management Service Developer Guide. +// +// When KMS [deletes a KMS key from an CloudHSM key store], it makes a best effort to delete the associated key material from +// the associated CloudHSM cluster. However, you might need to manually [delete the orphaned key material]from the +// cluster and its backups. [Deleting a KMS key from an external key store]has no effect on the associated external key. However, +// for both types of custom key stores, deleting a KMS key is destructive and +// irreversible. You cannot decrypt ciphertext encrypted under the KMS key by using +// only its associated external key or CloudHSM key. Also, you cannot recreate a +// KMS key in an external key store by creating a new KMS key with the same key +// material. +// +// For more information about scheduling a KMS key for deletion, see [Deleting KMS keys] in the Key +// Management Service Developer Guide. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. 
+// +// Required permissions: kms:ScheduleKeyDeletion (key policy) +// +// # Related operations +// +// # CancelKeyDeletion +// +// # DisableKey // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [delete the orphaned key material]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [Deleting a KMS key from an external key store]: https://docs.aws.amazon.com/kms/latest/developerguide/delete-xks-key.html +// [Deleting multi-Region keys]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html +// [Deleting KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html +// [multi-Region replica key]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [deletes a KMS key from an CloudHSM key store]: https://docs.aws.amazon.com/kms/latest/developerguide/delete-cmk-keystore.html func (c *Client) ScheduleKeyDeletion(ctx context.Context, params *ScheduleKeyDeletionInput, optFns ...func(*Options)) (*ScheduleKeyDeletionOutput, error) { if params == nil { params = &ScheduleKeyDeletionInput{} 
@@ -74,25 +90,35 @@ func (c *Client) ScheduleKeyDeletion(ctx context.Context, params *ScheduleKeyDel type ScheduleKeyDeletionInput struct { - // The unique identifier of the KMS key to delete. Specify the key ID or key ARN - // of the KMS key. For example: + // The unique identifier of the KMS key to delete. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string // The waiting period, specified in number of days. After the waiting period ends, - // KMS deletes the KMS key. If the KMS key is a multi-Region primary key with - // replica keys, the waiting period begins when the last of its replica keys is - // deleted. Otherwise, the waiting period begins immediately. This value is - // optional. If you include a value, it must be between 7 and 30, inclusive. If you - // do not include a value, it defaults to 30. You can use the - // kms:ScheduleKeyDeletionPendingWindowInDays (https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-schedule-key-deletion-pending-window-in-days) - // condition key to further constrain the values that principals can specify in the - // PendingWindowInDays parameter. + // KMS deletes the KMS key. + // + // If the KMS key is a multi-Region primary key with replica keys, the waiting + // period begins when the last of its replica keys is deleted. Otherwise, the + // waiting period begins immediately. + // + // This value is optional. If you include a value, it must be between 7 and 30, + // inclusive. If you do not include a value, it defaults to 30. 
You can use the [kms:ScheduleKeyDeletionPendingWindowInDays] + // kms:ScheduleKeyDeletionPendingWindowInDays condition key to further constrain + // the values that principals can specify in the PendingWindowInDays parameter. + // + // [kms:ScheduleKeyDeletionPendingWindowInDays]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-schedule-key-deletion-pending-window-in-days PendingWindowInDays *int32 noSmithyDocumentSerde 
@@ -100,25 +126,31 @@ type ScheduleKeyDeletionInput struct { type ScheduleKeyDeletionOutput struct { - // The date and time after which KMS deletes the KMS key. If the KMS key is a - // multi-Region primary key with replica keys, this field does not appear. The - // deletion date for the primary key isn't known until its last replica key is - // deleted. + // The date and time after which KMS deletes the KMS key. + // + // If the KMS key is a multi-Region primary key with replica keys, this field does + // not appear. The deletion date for the primary key isn't known until its last + // replica key is deleted. DeletionDate *time.Time - // The Amazon Resource Name ( key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) - // ) of the KMS key whose deletion is scheduled. + // The Amazon Resource Name ([key ARN] ) of the KMS key whose deletion is scheduled. + // + // [key ARN]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN KeyId *string - // The current status of the KMS key. For more information about how key state - // affects the use of a KMS key, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) - // in the Key Management Service Developer Guide. + // The current status of the KMS key. + // + // For more information about how key state affects the use of a KMS key, see [Key states of KMS keys] in + // the Key Management Service Developer Guide. + // + // [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html KeyState types.KeyState - // The waiting period before the KMS key is deleted. If the KMS key is a - // multi-Region primary key with replicas, the waiting period begins when the last - // of its replica keys is deleted. Otherwise, the waiting period begins - // immediately. + // The waiting period before the KMS key is deleted. 
+ // + // If the KMS key is a multi-Region primary key with replicas, the waiting period + // begins when the last of its replica keys is deleted. Otherwise, the waiting + // period begins immediately. PendingWindowInDays *int32 // Metadata pertaining to the operation's result. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Sign.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Sign.go index c69fe69e42c..ebd7cf5e70e 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Sign.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Sign.go 
@@ -11,48 +11,63 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Creates a digital signature (https://en.wikipedia.org/wiki/Digital_signature) -// for a message or message digest by using the private key in an asymmetric -// signing KMS key. To verify the signature, use the Verify operation, or use the -// public key in the same asymmetric KMS key outside of KMS. For information about -// asymmetric KMS keys, see Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) -// in the Key Management Service Developer Guide. Digital signatures are generated -// and verified by using asymmetric key pair, such as an RSA or ECC pair that is -// represented by an asymmetric KMS key. The key owner (or an authorized user) uses -// their private key to sign a message. Anyone with the public key can verify that -// the message was signed with that particular private key and that the message -// hasn't changed since it was signed. To use the Sign operation, provide the -// following information: +// Creates a [digital signature] for a message or message digest by using the private key in an +// asymmetric signing KMS key. To verify the signature, use the Verifyoperation, or use +// the public key in the same asymmetric KMS key outside of KMS. For information +// about asymmetric KMS keys, see [Asymmetric KMS keys]in the Key Management Service Developer Guide. +// +// Digital signatures are generated and verified by using asymmetric key pair, +// such as an RSA or ECC pair that is represented by an asymmetric KMS key. The key +// owner (or an authorized user) uses their private key to sign a message. Anyone +// with the public key can verify that the message was signed with that particular +// private key and that the message hasn't changed since it was signed. 
+// +// To use the Sign operation, provide the following information: +// // - Use the KeyId parameter to identify an asymmetric KMS key with a KeyUsage -// value of SIGN_VERIFY . To get the KeyUsage value of a KMS key, use the -// DescribeKey operation. The caller must have kms:Sign permission on the KMS -// key. +// value of SIGN_VERIFY . To get the KeyUsage value of a KMS key, use the DescribeKey +// operation. The caller must have kms:Sign permission on the KMS key. +// // - Use the Message parameter to specify the message or message digest to sign. // You can submit messages of up to 4096 bytes. To sign a larger message, generate // a hash digest of the message, and then provide the hash digest in the Message // parameter. To indicate whether the message is a full message or a digest, use // the MessageType parameter. +// // - Choose a signing algorithm that is compatible with the KMS key. // // When signing a message, be sure to record the KMS key and the signing -// algorithm. This information is required to verify the signature. Best practices -// recommend that you limit the time during which any signature is effective. This -// deters an attack where the actor uses a signed message to establish validity -// repeatedly or long after the message is superseded. Signatures do not include a -// timestamp, but you can include a timestamp in the signed message to help you -// detect when its time to refresh the signature. To verify the signature that this -// operation generates, use the Verify operation. Or use the GetPublicKey -// operation to download the public key and then use the public key to verify the -// signature outside of KMS. The KMS key that you use for this operation must be in -// a compatible key state. For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. Cross-account use: Yes. 
To -// perform this operation with a KMS key in a different Amazon Web Services -// account, specify the key ARN or alias ARN in the value of the KeyId parameter. -// Required permissions: kms:Sign (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: Verify Eventual consistency: The KMS API -// follows an eventual consistency model. For more information, see KMS eventual -// consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// algorithm. This information is required to verify the signature. +// +// Best practices recommend that you limit the time during which any signature is +// effective. This deters an attack where the actor uses a signed message to +// establish validity repeatedly or long after the message is superseded. +// Signatures do not include a timestamp, but you can include a timestamp in the +// signed message to help you detect when its time to refresh the signature. +// +// To verify the signature that this operation generates, use the Verify operation. Or +// use the GetPublicKeyoperation to download the public key and then use the public key to +// verify the signature outside of KMS. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value of +// the KeyId parameter. +// +// Required permissions: [kms:Sign] (key policy) +// +// Related operations: Verify +// +// Eventual consistency: The KMS API follows an eventual consistency model. For +// more information, see [KMS eventual consistency]. 
+// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [digital signature]: https://en.wikipedia.org/wiki/Digital_signature +// [Asymmetric KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html +// [kms:Sign]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) Sign(ctx context.Context, params *SignInput, optFns ...func(*Options)) (*SignOutput, error) { if params == nil { params = &SignInput{} 
@@ -73,70 +88,95 @@ type SignInput struct { // Identifies an asymmetric KMS key. KMS uses the private key in the asymmetric // KMS key to sign the message. The KeyUsage type of the KMS key must be // SIGN_VERIFY . To find the KeyUsage of a KMS key, use the DescribeKey operation. + // // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When // using an alias name, prefix it with "alias/" . To specify a KMS key in a // different Amazon Web Services account, you must use the key ARN or alias ARN. + // // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // // - Alias name: alias/ExampleAlias + // // - Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . To - // get the alias name and alias ARN, use ListAliases . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name + // and alias ARN, use ListAliases. // // This member is required. KeyId *string // Specifies the message or message digest to sign. Messages can be 0-4096 bytes. - // To sign a larger message, provide a message digest. If you provide a message - // digest, use the DIGEST value of MessageType to prevent the digest from being - // hashed again while signing. + // To sign a larger message, provide a message digest. + // + // If you provide a message digest, use the DIGEST value of MessageType to prevent + // the digest from being hashed again while signing. // // This member is required. Message []byte - // Specifies the signing algorithm to use when signing the message. Choose an - // algorithm that is compatible with the type and size of the specified asymmetric - // KMS key. When signing with RSA key pairs, RSASSA-PSS algorithms are preferred. 
- // We include RSASSA-PKCS1-v1_5 algorithms for compatibility with existing - // applications. + // Specifies the signing algorithm to use when signing the message. + // + // Choose an algorithm that is compatible with the type and size of the specified + // asymmetric KMS key. When signing with RSA key pairs, RSASSA-PSS algorithms are + // preferred. We include RSASSA-PKCS1-v1_5 algorithms for compatibility with + // existing applications. // // This member is required. SigningAlgorithm types.SigningAlgorithmSpec - // Checks if your request will succeed. DryRun is an optional parameter. To learn - // more about how to use this parameter, see Testing your KMS API calls (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html) - // in the Key Management Service Developer Guide. + // Checks if your request will succeed. DryRun is an optional parameter. + // + // To learn more about how to use this parameter, see [Testing your KMS API calls] in the Key Management + // Service Developer Guide. + // + // [Testing your KMS API calls]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html DryRun *bool - // A list of grant tokens. Use a grant token when your permission to call this - // operation comes from a new grant that has not yet achieved eventual consistency. - // For more information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - // in the Key Management Service Developer Guide. + // A list of grant tokens. + // + // Use a grant token when your permission to call this operation comes from a new + // grant that has not yet achieved eventual consistency. For more information, see [Grant token] + // and [Using a grant token]in the Key Management Service Developer Guide. 
+ // + // [Grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token + // [Using a grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token GrantTokens []string // Tells KMS whether the value of the Message parameter should be hashed as part // of the signing algorithm. Use RAW for unhashed messages; use DIGEST for message - // digests, which are already hashed. When the value of MessageType is RAW , KMS - // uses the standard signing algorithm, which begins with a hash function. When the - // value is DIGEST , KMS skips the hashing step in the signing algorithm. Use the - // DIGEST value only when the value of the Message parameter is a message digest. - // If you use the DIGEST value with an unhashed message, the security of the - // signing operation can be compromised. When the value of MessageType is DIGEST , - // the length of the Message value must match the length of hashed messages for - // the specified signing algorithm. You can submit a message digest and omit the - // MessageType or specify RAW so the digest is hashed again while signing. - // However, this can cause verification failures when verifying with a system that - // assumes a single hash. The hashing algorithm in that Sign uses is based on the - // SigningAlgorithm value. + // digests, which are already hashed. + // + // When the value of MessageType is RAW , KMS uses the standard signing algorithm, + // which begins with a hash function. When the value is DIGEST , KMS skips the + // hashing step in the signing algorithm. + // + // Use the DIGEST value only when the value of the Message parameter is a message + // digest. If you use the DIGEST value with an unhashed message, the security of + // the signing operation can be compromised. + // + // When the value of MessageType is DIGEST , the length of the Message value must + // match the length of hashed messages for the specified signing algorithm. 
+ // + // You can submit a message digest and omit the MessageType or specify RAW so the + // digest is hashed again while signing. However, this can cause verification + // failures when verifying with a system that assumes a single hash. + // + // The hashing algorithm in that Sign uses is based on the SigningAlgorithm value. + // // - Signing algorithms that end in SHA_256 use the SHA_256 hashing algorithm. + // // - Signing algorithms that end in SHA_384 use the SHA_384 hashing algorithm. + // // - Signing algorithms that end in SHA_512 use the SHA_512 hashing algorithm. - // - SM2DSA uses the SM3 hashing algorithm. For details, see Offline - // verification with SM2 key pairs (https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification) - // . + // + // - SM2DSA uses the SM3 hashing algorithm. For details, see [Offline verification with SM2 key pairs]. + // + // [Offline verification with SM2 key pairs]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification MessageType types.MessageType noSmithyDocumentSerde 
@@ -144,21 +184,27 @@ type SignInput struct { type SignOutput struct { - // The Amazon Resource Name ( key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) - // ) of the asymmetric KMS key that was used to sign the message. + // The Amazon Resource Name ([key ARN] ) of the asymmetric KMS key that was used to sign the + // message. + // + // [key ARN]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN KeyId *string // The cryptographic signature that was generated for the message. + // // - When used with the supported RSA signing algorithms, the encoding of this - // value is defined by PKCS #1 in RFC 8017 (https://tools.ietf.org/html/rfc8017) - // . + // value is defined by [PKCS #1 in RFC 8017]. + // // - When used with the ECDSA_SHA_256 , ECDSA_SHA_384 , or ECDSA_SHA_512 signing // algorithms, this value is a DER-encoded object as defined by ANSI X9.62–2005 and - // RFC 3279 Section 2.2.3 (https://tools.ietf.org/html/rfc3279#section-2.2.3) . - // This is the most commonly used signature format and is appropriate for most + // [RFC 3279 Section 2.2.3]. This is the most commonly used signature format and is appropriate for most // uses. + // // When you use the HTTP API or the Amazon Web Services CLI, the value is // Base64-encoded. Otherwise, it is not Base64-encoded. + // + // [RFC 3279 Section 2.2.3]: https://tools.ietf.org/html/rfc3279#section-2.2.3 + // [PKCS #1 in RFC 8017]: https://tools.ietf.org/html/rfc8017 Signature []byte // The signing algorithm that was used to sign the message. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_TagResource.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_TagResource.go index 001db07b674..f24835fe51e 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_TagResource.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_TagResource.go 
@@ -11,38 +11,56 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Adds or edits tags on a customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) -// . Tagging or untagging a KMS key can allow or deny permission to the KMS key. -// For details, see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) -// in the Key Management Service Developer Guide. Each tag consists of a tag key -// and a tag value, both of which are case-sensitive strings. The tag value can be -// an empty (null) string. To add a tag, specify a new tag key and a tag value. To -// edit a tag, specify an existing tag key and a new tag value. You can use this -// operation to tag a customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) -// , but you cannot tag an Amazon Web Services managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) -// , an Amazon Web Services owned key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) -// , a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#keystore-concept) -// , or an alias (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept) -// . You can also add tags to a KMS key while creating it ( CreateKey ) or -// replicating it ( ReplicateKey ). For information about using tags in KMS, see -// Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html) -// . For general information about tags, including the format and syntax, see -// Tagging Amazon Web Services resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) -// in the Amazon Web Services General Reference. The KMS key that you use for this -// operation must be in a compatible key state. 
For details, see Key states of KMS -// keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in -// the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on a KMS key in a different Amazon Web Services account. -// Required permissions: kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations -// - CreateKey -// - ListResourceTags -// - ReplicateKey -// - UntagResource +// Adds or edits tags on a [customer managed key]. +// +// Tagging or untagging a KMS key can allow or deny permission to the KMS key. For +// details, see [ABAC for KMS]in the Key Management Service Developer Guide. +// +// Each tag consists of a tag key and a tag value, both of which are +// case-sensitive strings. The tag value can be an empty (null) string. To add a +// tag, specify a new tag key and a tag value. To edit a tag, specify an existing +// tag key and a new tag value. +// +// You can use this operation to tag a [customer managed key], but you cannot tag an [Amazon Web Services managed key], an [Amazon Web Services owned key], a [custom key store], or an [alias]. +// +// You can also add tags to a KMS key while creating it (CreateKey ) or replicating it (ReplicateKey ). +// +// For information about using tags in KMS, see [Tagging keys]. For general information about +// tags, including the format and syntax, see [Tagging Amazon Web Services resources]in the Amazon Web Services General +// Reference. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. 
+// +// Required permissions: [kms:TagResource] (key policy) +// +// # Related operations +// +// # CreateKey +// +// # ListResourceTags +// +// # ReplicateKey +// +// # UntagResource // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [Amazon Web Services owned key]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [kms:TagResource]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [customer managed key]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk +// [Tagging keys]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html +// [alias]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept +// [ABAC for KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [Amazon Web Services managed key]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk +// [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#keystore-concept +// [Tagging Amazon Web Services resources]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html func (c *Client) TagResource(ctx context.Context, params *TagResourceInput, optFns ...func(*Options)) (*TagResourceOutput, error) { if params == nil { params = &TagResourceInput{} 
@@ -60,22 +78,31 @@ func (c *Client) TagResource(ctx context.Context, params *TagResourceInput, optF type TagResourceInput struct { - // Identifies a customer managed key in the account and Region. Specify the key ID - // or key ARN of the KMS key. For example: + // Identifies a customer managed key in the account and Region. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string // One or more tags. Each tag consists of a tag key and a tag value. The tag value - // can be an empty (null) string. Do not include confidential or sensitive - // information in this field. This field may be displayed in plaintext in - // CloudTrail logs and other output. You cannot have more than one tag on a KMS key - // with the same tag key. If you specify an existing tag key with a different tag - // value, KMS replaces the current tag value with the specified one. + // can be an empty (null) string. + // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. + // + // You cannot have more than one tag on a KMS key with the same tag key. If you + // specify an existing tag key with a different tag value, KMS replaces the current + // tag value with the specified one. // // This member is required. Tags []types.Tag diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UntagResource.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UntagResource.go index c3cae702817..157eb8d0f3f 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UntagResource.go 
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UntagResource.go 
@@ -10,32 +10,48 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Deletes tags from a customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) -// . To delete a tag, specify the tag key and the KMS key. Tagging or untagging a -// KMS key can allow or deny permission to the KMS key. For details, see ABAC for -// KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) in the Key -// Management Service Developer Guide. When it succeeds, the UntagResource -// operation doesn't return any output. Also, if the specified tag key isn't found -// on the KMS key, it doesn't throw an exception or return a response. To confirm -// that the operation worked, use the ListResourceTags operation. For information -// about using tags in KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html) -// . For general information about tags, including the format and syntax, see -// Tagging Amazon Web Services resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) -// in the Amazon Web Services General Reference. The KMS key that you use for this -// operation must be in a compatible key state. For details, see Key states of KMS -// keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in -// the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on a KMS key in a different Amazon Web Services account. -// Required permissions: kms:UntagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations -// - CreateKey -// - ListResourceTags -// - ReplicateKey -// - TagResource +// Deletes tags from a [customer managed key]. To delete a tag, specify the tag key and the KMS key. +// +// Tagging or untagging a KMS key can allow or deny permission to the KMS key. 
For +// details, see [ABAC for KMS]in the Key Management Service Developer Guide. +// +// When it succeeds, the UntagResource operation doesn't return any output. Also, +// if the specified tag key isn't found on the KMS key, it doesn't throw an +// exception or return a response. To confirm that the operation worked, use the ListResourceTags +// operation. +// +// For information about using tags in KMS, see [Tagging keys]. For general information about +// tags, including the format and syntax, see [Tagging Amazon Web Services resources]in the Amazon Web Services General +// Reference. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. +// +// Required permissions: [kms:UntagResource] (key policy) +// +// # Related operations +// +// # CreateKey +// +// # ListResourceTags +// +// # ReplicateKey +// +// # TagResource // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. 
+// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [kms:UntagResource]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [customer managed key]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk +// [Tagging keys]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html +// [ABAC for KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [Tagging Amazon Web Services resources]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html func (c *Client) UntagResource(ctx context.Context, params *UntagResourceInput, optFns ...func(*Options)) (*UntagResourceOutput, error) { if params == nil { params = &UntagResourceInput{} @@ -53,12 +69,18 @@ func (c *Client) UntagResource(ctx context.Context, params *UntagResourceInput, type UntagResourceInput struct { - // Identifies the KMS key from which you are removing tags. Specify the key ID or - // key ARN of the KMS key. For example: + // Identifies the KMS key from which you are removing tags. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdateAlias.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdateAlias.go index cb429fd7382..f885e497b3c 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdateAlias.go 
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdateAlias.go 
@@ -13,40 +13,60 @@ import ( // Associates an existing KMS alias with a different KMS key. Each alias is // associated with only one KMS key at a time, although a KMS key can have multiple // aliases. The alias and the KMS key must be in the same Amazon Web Services -// account and Region. Adding, deleting, or updating an alias can allow or deny -// permission to the KMS key. For details, see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) -// in the Key Management Service Developer Guide. The current and new KMS key must -// be the same type (both symmetric or both asymmetric or both HMAC), and they must -// have the same key usage. This restriction prevents errors in code that uses -// aliases. If you must assign an alias to a different type of KMS key, use -// DeleteAlias to delete the old alias and CreateAlias to create a new alias. You -// cannot use UpdateAlias to change an alias name. To change an alias name, use -// DeleteAlias to delete the old alias and CreateAlias to create a new alias. +// account and Region. +// +// Adding, deleting, or updating an alias can allow or deny permission to the KMS +// key. For details, see [ABAC for KMS]in the Key Management Service Developer Guide. +// +// The current and new KMS key must be the same type (both symmetric or both +// asymmetric or both HMAC), and they must have the same key usage. This +// restriction prevents errors in code that uses aliases. If you must assign an +// alias to a different type of KMS key, use DeleteAliasto delete the old alias and CreateAlias to +// create a new alias. +// +// You cannot use UpdateAlias to change an alias name. To change an alias name, +// use DeleteAliasto delete the old alias and CreateAlias to create a new alias. +// // Because an alias is not a property of a KMS key, you can create, update, and // delete the aliases of a KMS key without affecting the KMS key. Also, aliases do -// not appear in the response from the DescribeKey operation. 
To get the aliases -// of all KMS keys in the account, use the ListAliases operation. The KMS key that -// you use for this operation must be in a compatible key state. For details, see -// Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on a KMS key in a different Amazon Web Services account. -// Required permissions -// - kms:UpdateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// on the alias (IAM policy). -// - kms:UpdateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// on the current KMS key (key policy). -// - kms:UpdateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// on the new KMS key (key policy). -// -// For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access) -// in the Key Management Service Developer Guide. Related operations: -// - CreateAlias -// - DeleteAlias -// - ListAliases +// not appear in the response from the DescribeKeyoperation. To get the aliases of all KMS +// keys in the account, use the ListAliasesoperation. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. +// +// # Required permissions +// +// [kms:UpdateAlias] +// - on the alias (IAM policy). +// +// [kms:UpdateAlias] +// - on the current KMS key (key policy). +// +// [kms:UpdateAlias] +// - on the new KMS key (key policy). +// +// For details, see [Controlling access to aliases] in the Key Management Service Developer Guide. 
+// +// Related operations: +// +// # CreateAlias +// +// # DeleteAlias +// +// # ListAliases // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [ABAC for KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html +// [kms:UpdateAlias]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [Controlling access to aliases]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access func (c *Client) UpdateAlias(ctx context.Context, params *UpdateAliasInput, optFns ...func(*Options)) (*UpdateAliasOutput, error) { if params == nil { params = &UpdateAliasInput{} 
@@ -66,25 +86,37 @@ type UpdateAliasInput struct { // Identifies the alias that is changing its KMS key. This value must begin with // alias/ followed by the alias name, such as alias/ExampleAlias . You cannot use - // UpdateAlias to change the alias name. Do not include confidential or sensitive - // information in this field. This field may be displayed in plaintext in - // CloudTrail logs and other output. + // UpdateAlias to change the alias name. + // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. // // This member is required. AliasName *string - // Identifies the customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) - // to associate with the alias. You don't have permission to associate an alias - // with an Amazon Web Services managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) - // . The KMS key must be in the same Amazon Web Services account and Region as the + // Identifies the [customer managed key] to associate with the alias. You don't have permission to + // associate an alias with an [Amazon Web Services managed key]. + // + // The KMS key must be in the same Amazon Web Services account and Region as the // alias. Also, the new target KMS key must be the same type as the current target // KMS key (both symmetric or both asymmetric or both HMAC) and they must have the - // same key usage. Specify the key ID or key ARN of the KMS key. For example: + // same key usage. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . 
To - // verify that the alias is mapped to the correct KMS key, use ListAliases . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. + // + // To verify that the alias is mapped to the correct KMS key, use ListAliases. + // + // [customer managed key]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk + // [Amazon Web Services managed key]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk // // This member is required. TargetKeyId *string diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdateCustomKeyStore.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdateCustomKeyStore.go index 14447d9d9b8..578980488c9 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdateCustomKeyStore.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdateCustomKeyStore.go 
@@ -12,67 +12,92 @@ import ( ) // Changes the properties of a custom key store. You can use this operation to -// change the properties of an CloudHSM key store or an external key store. Use the -// required CustomKeyStoreId parameter to identify the custom key store. Use the -// remaining optional parameters to change its properties. This operation does not -// return any property values. To verify the updated property values, use the -// DescribeCustomKeyStores operation. This operation is part of the custom key -// stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// feature in KMS, which combines the convenience and extensive integration of KMS -// with the isolation and control of a key store that you own and manage. When -// updating the properties of an external key store, verify that the updated +// change the properties of an CloudHSM key store or an external key store. +// +// Use the required CustomKeyStoreId parameter to identify the custom key store. +// Use the remaining optional parameters to change its properties. This operation +// does not return any property values. To verify the updated property values, use +// the DescribeCustomKeyStoresoperation. +// +// This operation is part of the [custom key stores] feature in KMS, which combines the convenience +// and extensive integration of KMS with the isolation and control of a key store +// that you own and manage. +// +// When updating the properties of an external key store, verify that the updated // settings connect your key store, via the external key store proxy, to the same // external key manager as the previous settings, or to a backup or snapshot of the // external key manager with the same cryptographic keys. If the updated connection // settings fail, you can fix them and retry, although an extended delay might // disrupt Amazon Web Services services. 
However, if KMS permanently loses its // access to cryptographic keys, ciphertext encrypted under those keys is -// unrecoverable. For external key stores: Some external key managers provide a -// simpler method for updating an external key store. For details, see your -// external key manager documentation. When updating an external key store in the -// KMS console, you can upload a JSON-based proxy configuration file with the -// desired values. You cannot upload the proxy configuration file to the -// UpdateCustomKeyStore operation. However, you can use the file to help you -// determine the correct values for the UpdateCustomKeyStore parameters. For an -// CloudHSM key store, you can use this operation to change the custom key store -// friendly name ( NewCustomKeyStoreName ), to tell KMS about a change to the +// unrecoverable. +// +// For external key stores: +// +// Some external key managers provide a simpler method for updating an external +// key store. For details, see your external key manager documentation. +// +// When updating an external key store in the KMS console, you can upload a +// JSON-based proxy configuration file with the desired values. You cannot upload +// the proxy configuration file to the UpdateCustomKeyStore operation. However, +// you can use the file to help you determine the correct values for the +// UpdateCustomKeyStore parameters. +// +// For an CloudHSM key store, you can use this operation to change the custom key +// store friendly name ( NewCustomKeyStoreName ), to tell KMS about a change to the // kmsuser crypto user password ( KeyStorePassword ), or to associate the custom // key store with a different, but related, CloudHSM cluster ( CloudHsmClusterId ). // To update any property of an CloudHSM key store, the ConnectionState of the -// CloudHSM key store must be DISCONNECTED . 
For an external key store, you can use -// this operation to change the custom key store friendly name ( -// NewCustomKeyStoreName ), or to tell KMS about a change to the external key store -// proxy authentication credentials ( XksProxyAuthenticationCredential ), -// connection method ( XksProxyConnectivity ), external proxy endpoint ( -// XksProxyUriEndpoint ) and path ( XksProxyUriPath ). For external key stores with -// an XksProxyConnectivity of VPC_ENDPOINT_SERVICE , you can also update the Amazon -// VPC endpoint service name ( XksProxyVpcEndpointServiceName ). To update most -// properties of an external key store, the ConnectionState of the external key -// store must be DISCONNECTED . However, you can update the CustomKeyStoreName , +// CloudHSM key store must be DISCONNECTED . +// +// For an external key store, you can use this operation to change the custom key +// store friendly name ( NewCustomKeyStoreName ), or to tell KMS about a change to +// the external key store proxy authentication credentials ( +// XksProxyAuthenticationCredential ), connection method ( XksProxyConnectivity ), +// external proxy endpoint ( XksProxyUriEndpoint ) and path ( XksProxyUriPath ). +// For external key stores with an XksProxyConnectivity of VPC_ENDPOINT_SERVICE , +// you can also update the Amazon VPC endpoint service name ( +// XksProxyVpcEndpointServiceName ). To update most properties of an external key +// store, the ConnectionState of the external key store must be DISCONNECTED . +// However, you can update the CustomKeyStoreName , // XksProxyAuthenticationCredential , and XksProxyUriPath of an external key store -// when it is in the CONNECTED or DISCONNECTED state. If your update requires a -// DISCONNECTED state, before using UpdateCustomKeyStore , use the -// DisconnectCustomKeyStore operation to disconnect the custom key store. After the -// UpdateCustomKeyStore operation completes, use the ConnectCustomKeyStore to -// reconnect the custom key store. 
To find the ConnectionState of the custom key -// store, use the DescribeCustomKeyStores operation. Before updating the custom -// key store, verify that the new values allow KMS to connect the custom key store -// to its backing key store. For example, before you change the XksProxyUriPath -// value, verify that the external key store proxy is reachable at the new path. If -// the operation succeeds, it returns a JSON object with no properties. +// when it is in the CONNECTED or DISCONNECTED state. +// +// If your update requires a DISCONNECTED state, before using UpdateCustomKeyStore +// , use the DisconnectCustomKeyStoreoperation to disconnect the custom key store. After the +// UpdateCustomKeyStore operation completes, use the ConnectCustomKeyStore to reconnect the custom key +// store. To find the ConnectionState of the custom key store, use the DescribeCustomKeyStores operation. +// +// Before updating the custom key store, verify that the new values allow KMS to +// connect the custom key store to its backing key store. For example, before you +// change the XksProxyUriPath value, verify that the external key store proxy is +// reachable at the new path. +// +// If the operation succeeds, it returns a JSON object with no properties. +// // Cross-account use: No. You cannot perform this operation on a custom key store -// in a different Amazon Web Services account. Required permissions: -// kms:UpdateCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (IAM policy) Related operations: -// - ConnectCustomKeyStore -// - CreateCustomKeyStore -// - DeleteCustomKeyStore -// - DescribeCustomKeyStores -// - DisconnectCustomKeyStore +// in a different Amazon Web Services account. 
+// +// Required permissions: [kms:UpdateCustomKeyStore] (IAM policy) +// +// Related operations: +// +// # ConnectCustomKeyStore +// +// # CreateCustomKeyStore +// +// # DeleteCustomKeyStore +// +// # DescribeCustomKeyStores +// +// # DisconnectCustomKeyStore // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [custom key stores]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html +// [kms:UpdateCustomKeyStore]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) UpdateCustomKeyStore(ctx context.Context, params *UpdateCustomKeyStoreInput, optFns ...func(*Options)) (*UpdateCustomKeyStoreOutput, error) { if params == nil { params = &UpdateCustomKeyStoreInput{} 
@@ -91,92 +116,119 @@ func (c *Client) UpdateCustomKeyStore(ctx context.Context, params *UpdateCustomK type UpdateCustomKeyStoreInput struct { // Identifies the custom key store that you want to update. Enter the ID of the - // custom key store. To find the ID of a custom key store, use the - // DescribeCustomKeyStores operation. + // custom key store. To find the ID of a custom key store, use the DescribeCustomKeyStoresoperation. // // This member is required. CustomKeyStoreId *string // Associates the custom key store with a related CloudHSM cluster. This parameter // is valid only for custom key stores with a CustomKeyStoreType of AWS_CLOUDHSM . - // Enter the cluster ID of the cluster that you used to create the custom key store - // or a cluster that shares a backup history and has the same cluster certificate - // as the original cluster. You cannot use this parameter to associate a custom key - // store with an unrelated cluster. In addition, the replacement cluster must - // fulfill the requirements (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) - // for a cluster associated with a custom key store. To view the cluster - // certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) - // operation. To change this value, the CloudHSM key store must be disconnected. + // + // Enter the cluster ID of the cluster that you used to create the custom key + // store or a cluster that shares a backup history and has the same cluster + // certificate as the original cluster. You cannot use this parameter to associate + // a custom key store with an unrelated cluster. In addition, the replacement + // cluster must [fulfill the requirements]for a cluster associated with a custom key store. To view the + // cluster certificate of a cluster, use the [DescribeClusters]operation. 
+ // + // To change this value, the CloudHSM key store must be disconnected. + // + // [fulfill the requirements]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore + // [DescribeClusters]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html CloudHsmClusterId *string // Enter the current password of the kmsuser crypto user (CU) in the CloudHSM // cluster that is associated with the custom key store. This parameter is valid - // only for custom key stores with a CustomKeyStoreType of AWS_CLOUDHSM . This - // parameter tells KMS the current password of the kmsuser crypto user (CU). It - // does not set or change the password of any users in the CloudHSM cluster. To - // change this value, the CloudHSM key store must be disconnected. + // only for custom key stores with a CustomKeyStoreType of AWS_CLOUDHSM . + // + // This parameter tells KMS the current password of the kmsuser crypto user (CU). + // It does not set or change the password of any users in the CloudHSM cluster. + // + // To change this value, the CloudHSM key store must be disconnected. KeyStorePassword *string // Changes the friendly name of the custom key store to the value that you // specify. The custom key store name must be unique in the Amazon Web Services - // account. Do not include confidential or sensitive information in this field. - // This field may be displayed in plaintext in CloudTrail logs and other output. To - // change this value, an CloudHSM key store must be disconnected. An external key - // store can be connected or disconnected. + // account. + // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. + // + // To change this value, an CloudHSM key store must be disconnected. An external + // key store can be connected or disconnected. 
NewCustomKeyStoreName *string // Changes the credentials that KMS uses to sign requests to the external key // store proxy (XKS proxy). This parameter is valid only for custom key stores with - // a CustomKeyStoreType of EXTERNAL_KEY_STORE . You must specify both the - // AccessKeyId and SecretAccessKey value in the authentication credential, even if - // you are only updating one value. This parameter doesn't establish or change your - // authentication credentials on the proxy. It just tells KMS the credential that - // you established with your external key store proxy. For example, if you rotate - // the credential on your external key store proxy, you can use this parameter to - // update the credential in KMS. You can change this value when the external key - // store is connected or disconnected. + // a CustomKeyStoreType of EXTERNAL_KEY_STORE . + // + // You must specify both the AccessKeyId and SecretAccessKey value in the + // authentication credential, even if you are only updating one value. + // + // This parameter doesn't establish or change your authentication credentials on + // the proxy. It just tells KMS the credential that you established with your + // external key store proxy. For example, if you rotate the credential on your + // external key store proxy, you can use this parameter to update the credential in + // KMS. + // + // You can change this value when the external key store is connected or + // disconnected. XksProxyAuthenticationCredential *types.XksProxyAuthenticationCredentialType // Changes the connectivity setting for the external key store. To indicate that // the external key store proxy uses a Amazon VPC endpoint service to communicate - // with KMS, specify VPC_ENDPOINT_SERVICE . Otherwise, specify PUBLIC_ENDPOINT . If - // you change the XksProxyConnectivity to VPC_ENDPOINT_SERVICE , you must also + // with KMS, specify VPC_ENDPOINT_SERVICE . Otherwise, specify PUBLIC_ENDPOINT . 
+ // + // If you change the XksProxyConnectivity to VPC_ENDPOINT_SERVICE , you must also // change the XksProxyUriEndpoint and add an XksProxyVpcEndpointServiceName value. + // // If you change the XksProxyConnectivity to PUBLIC_ENDPOINT , you must also change // the XksProxyUriEndpoint and specify a null or empty string for the - // XksProxyVpcEndpointServiceName value. To change this value, the external key - // store must be disconnected. + // XksProxyVpcEndpointServiceName value. + // + // To change this value, the external key store must be disconnected. XksProxyConnectivity types.XksProxyConnectivityType // Changes the URI endpoint that KMS uses to connect to your external key store // proxy (XKS proxy). This parameter is valid only for custom key stores with a - // CustomKeyStoreType of EXTERNAL_KEY_STORE . For external key stores with an - // XksProxyConnectivity value of PUBLIC_ENDPOINT , the protocol must be HTTPS. For - // external key stores with an XksProxyConnectivity value of VPC_ENDPOINT_SERVICE , - // specify https:// followed by the private DNS name associated with the VPC - // endpoint service. Each external key store must use a different private DNS name. + // CustomKeyStoreType of EXTERNAL_KEY_STORE . + // + // For external key stores with an XksProxyConnectivity value of PUBLIC_ENDPOINT , + // the protocol must be HTTPS. + // + // For external key stores with an XksProxyConnectivity value of + // VPC_ENDPOINT_SERVICE , specify https:// followed by the private DNS name + // associated with the VPC endpoint service. Each external key store must use a + // different private DNS name. + // // The combined XksProxyUriEndpoint and XksProxyUriPath values must be unique in - // the Amazon Web Services account and Region. To change this value, the external - // key store must be disconnected. + // the Amazon Web Services account and Region. + // + // To change this value, the external key store must be disconnected. 
XksProxyUriEndpoint *string // Changes the base path to the proxy APIs for this external key store. To find // this value, see the documentation for your external key manager and external key // store proxy (XKS proxy). This parameter is valid only for custom key stores with - // a CustomKeyStoreType of EXTERNAL_KEY_STORE . The value must start with / and - // must end with /kms/xks/v1 , where v1 represents the version of the KMS external - // key store proxy API. You can include an optional prefix between the required - // elements such as /example/kms/xks/v1 . The combined XksProxyUriEndpoint and - // XksProxyUriPath values must be unique in the Amazon Web Services account and - // Region. You can change this value when the external key store is connected or + // a CustomKeyStoreType of EXTERNAL_KEY_STORE . + // + // The value must start with / and must end with /kms/xks/v1 , where v1 represents + // the version of the KMS external key store proxy API. You can include an optional + // prefix between the required elements such as /example/kms/xks/v1 . + // + // The combined XksProxyUriEndpoint and XksProxyUriPath values must be unique in + // the Amazon Web Services account and Region. + // + // You can change this value when the external key store is connected or // disconnected. XksProxyUriPath *string // Changes the name that KMS uses to identify the Amazon VPC endpoint service for // your external key store proxy (XKS proxy). This parameter is valid when the // CustomKeyStoreType is EXTERNAL_KEY_STORE and the XksProxyConnectivity is - // VPC_ENDPOINT_SERVICE . To change this value, the external key store must be - // disconnected. + // VPC_ENDPOINT_SERVICE . + // + // To change this value, the external key store must be disconnected. XksProxyVpcEndpointServiceName *string noSmithyDocumentSerde 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdateKeyDescription.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdateKeyDescription.go index d3636033222..59aeba93b78 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdateKeyDescription.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdateKeyDescription.go 
@@ -10,19 +10,29 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Updates the description of a KMS key. To see the description of a KMS key, use -// DescribeKey . The KMS key that you use for this operation must be in a -// compatible key state. For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. Cross-account use: No. You cannot -// perform this operation on a KMS key in a different Amazon Web Services account. -// Required permissions: kms:UpdateKeyDescription (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations -// - CreateKey -// - DescribeKey +// Updates the description of a KMS key. To see the description of a KMS key, use DescribeKey +// . +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a KMS key in a +// different Amazon Web Services account. +// +// Required permissions: [kms:UpdateKeyDescription] (key policy) +// +// # Related operations +// +// # CreateKey +// +// # DescribeKey // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. 
+// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [kms:UpdateKeyDescription]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) UpdateKeyDescription(ctx context.Context, params *UpdateKeyDescriptionInput, optFns ...func(*Options)) (*UpdateKeyDescriptionOutput, error) { if params == nil { params = &UpdateKeyDescriptionInput{} @@ -40,19 +50,26 @@ func (c *Client) UpdateKeyDescription(ctx context.Context, params *UpdateKeyDesc type UpdateKeyDescriptionInput struct { - // New description for the KMS key. Do not include confidential or sensitive - // information in this field. This field may be displayed in plaintext in - // CloudTrail logs and other output. + // New description for the KMS key. + // + // Do not include confidential or sensitive information in this field. This field + // may be displayed in plaintext in CloudTrail logs and other output. // // This member is required. Description *string - // Updates the description of the specified KMS key. Specify the key ID or key ARN - // of the KMS key. For example: + // Updates the description of the specified KMS key. + // + // Specify the key ID or key ARN of the KMS key. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdatePrimaryRegion.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdatePrimaryRegion.go index ee5bbc6e8f7..2182c64e622 100644 
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdatePrimaryRegion.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_UpdatePrimaryRegion.go 
@@ -10,61 +10,81 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Changes the primary key of a multi-Region key. This operation changes the -// replica key in the specified Region to a primary key and changes the former -// primary key to a replica key. For example, suppose you have a primary key in -// us-east-1 and a replica key in eu-west-2 . If you run UpdatePrimaryRegion with -// a PrimaryRegion value of eu-west-2 , the primary key is now the key in eu-west-2 -// , and the key in us-east-1 becomes a replica key. For details, see Updating the -// primary Region (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-update) -// in the Key Management Service Developer Guide. This operation supports -// multi-Region keys, an KMS feature that lets you create multiple interoperable -// KMS keys in different Amazon Web Services Regions. Because these KMS keys have -// the same key ID, key material, and other metadata, you can use them -// interchangeably to encrypt data in one Amazon Web Services Region and decrypt it -// in a different Amazon Web Services Region without re-encrypting the data or -// making a cross-Region call. For more information about multi-Region keys, see -// Multi-Region keys in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) -// in the Key Management Service Developer Guide. 
The primary key of a multi-Region -// key is the source for properties that are always shared by primary and replica -// keys, including the key material, key ID (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id) -// , key spec (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec) -// , key usage (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage) -// , key material origin (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin) -// , and automatic key rotation (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) -// . It's the only key that can be replicated. You cannot delete the primary key (https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) -// until all replica keys are deleted. The key ID and primary Region that you -// specify uniquely identify the replica key that will become the primary key. The -// primary Region must already have a replica key. This operation does not create a -// KMS key in the specified Region. To find the replica keys, use the DescribeKey -// operation on the primary key or any replica key. To create a replica key, use -// the ReplicateKey operation. You can run this operation while using the affected -// multi-Region keys in cryptographic operations. This operation should not delay, -// interrupt, or cause failures in cryptographic operations. Even after this -// operation completes, the process of updating the primary Region might still be -// in progress for a few more seconds. Operations such as DescribeKey might -// display both the old and new primary keys as replicas. The old and new primary -// keys have a transient key state of Updating . The original key state is restored -// when the update is complete. 
While the key state is Updating , you can use the -// keys in cryptographic operations, but you cannot replicate the new primary key -// or perform certain management operations, such as enabling or disabling these -// keys. For details about the Updating key state, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. This operation does not return -// any output. To verify that primary key is changed, use the DescribeKey -// operation. Cross-account use: No. You cannot use this operation in a different -// Amazon Web Services account. Required permissions: +// Changes the primary key of a multi-Region key. +// +// This operation changes the replica key in the specified Region to a primary key +// and changes the former primary key to a replica key. For example, suppose you +// have a primary key in us-east-1 and a replica key in eu-west-2 . If you run +// UpdatePrimaryRegion with a PrimaryRegion value of eu-west-2 , the primary key is +// now the key in eu-west-2 , and the key in us-east-1 becomes a replica key. For +// details, see [Updating the primary Region]in the Key Management Service Developer Guide. +// +// This operation supports multi-Region keys, an KMS feature that lets you create +// multiple interoperable KMS keys in different Amazon Web Services Regions. +// Because these KMS keys have the same key ID, key material, and other metadata, +// you can use them interchangeably to encrypt data in one Amazon Web Services +// Region and decrypt it in a different Amazon Web Services Region without +// re-encrypting the data or making a cross-Region call. For more information about +// multi-Region keys, see [Multi-Region keys in KMS]in the Key Management Service Developer Guide. 
+// +// The primary key of a multi-Region key is the source for properties that are +// always shared by primary and replica keys, including the key material, [key ID], [key spec], [key usage], [key material origin], +// and [automatic key rotation]. It's the only key that can be replicated. You cannot [delete the primary key] until all replica +// keys are deleted. +// +// The key ID and primary Region that you specify uniquely identify the replica +// key that will become the primary key. The primary Region must already have a +// replica key. This operation does not create a KMS key in the specified Region. +// To find the replica keys, use the DescribeKeyoperation on the primary key or any replica +// key. To create a replica key, use the ReplicateKeyoperation. +// +// You can run this operation while using the affected multi-Region keys in +// cryptographic operations. This operation should not delay, interrupt, or cause +// failures in cryptographic operations. +// +// Even after this operation completes, the process of updating the primary Region +// might still be in progress for a few more seconds. Operations such as +// DescribeKey might display both the old and new primary keys as replicas. The old +// and new primary keys have a transient key state of Updating . The original key +// state is restored when the update is complete. While the key state is Updating , +// you can use the keys in cryptographic operations, but you cannot replicate the +// new primary key or perform certain management operations, such as enabling or +// disabling these keys. For details about the Updating key state, see [Key states of KMS keys] in the Key +// Management Service Developer Guide. +// +// This operation does not return any output. To verify that primary key is +// changed, use the DescribeKeyoperation. +// +// Cross-account use: No. You cannot use this operation in a different Amazon Web +// Services account. 
+// +// Required permissions: +// // - kms:UpdatePrimaryRegion on the current primary key (in the primary key's // Region). Include this permission primary key's key policy. +// // - kms:UpdatePrimaryRegion on the current replica key (in the replica key's // Region). Include this permission in the replica key's key policy. // -// Related operations -// - CreateKey -// - ReplicateKey +// # Related operations +// +// # CreateKey +// +// # ReplicateKey // // Eventual consistency: The KMS API follows an eventual consistency model. For -// more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// more information, see [KMS eventual consistency]. +// +// [key ID]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [delete the primary key]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html +// [key usage]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage +// [Updating the primary Region]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-update +// [Multi-Region keys in KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html +// [key spec]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec +// [key material origin]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin +// [automatic key rotation]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) UpdatePrimaryRegion(ctx context.Context, params *UpdatePrimaryRegionInput, optFns ...func(*Options)) (*UpdatePrimaryRegionOutput, error) { if params == 
nil { params = &UpdatePrimaryRegionInput{} @@ -83,20 +103,28 @@ func (c *Client) UpdatePrimaryRegion(ctx context.Context, params *UpdatePrimaryR type UpdatePrimaryRegionInput struct { // Identifies the current primary key. When the operation completes, this KMS key - // will be a replica key. Specify the key ID or key ARN of a multi-Region primary - // key. For example: + // will be a replica key. + // + // Specify the key ID or key ARN of a multi-Region primary key. + // + // For example: + // // - Key ID: mrk-1234abcd12ab34cd56ef1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // This member is required. KeyId *string // The Amazon Web Services Region of the new primary key. Enter the Region ID, // such as us-east-1 or ap-southeast-2 . There must be an existing replica key in - // this Region. When the operation completes, the multi-Region key in this Region - // will be the primary key. + // this Region. + // + // When the operation completes, the multi-Region key in this Region will be the + // primary key. // // This member is required. PrimaryRegion *string diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Verify.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Verify.go index 6b880e43af4..9c2ba35636c 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Verify.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_Verify.go 
@@ -12,40 +12,56 @@ import ( ) // Verifies a digital signature that was generated by the Sign operation. +// // Verification confirms that an authorized user signed the message with the // specified KMS key and signing algorithm, and the message hasn't changed since it // was signed. If the signature is verified, the value of the SignatureValid field // in the response is True . If the signature verification fails, the Verify -// operation fails with an KMSInvalidSignatureException exception. A digital -// signature is generated by using the private key in an asymmetric KMS key. The -// signature is verified by using the public key in the same asymmetric KMS key. -// For information about asymmetric KMS keys, see Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) -// in the Key Management Service Developer Guide. To use the Verify operation, -// specify the same asymmetric KMS key, message, and signing algorithm that were -// used to produce the signature. The message type does not need to be the same as -// the one used for signing, but it must indicate whether the value of the Message -// parameter should be hashed as part of the verification process. You can also -// verify the digital signature by using the public key of the KMS key outside of -// KMS. Use the GetPublicKey operation to download the public key in the +// operation fails with an KMSInvalidSignatureException exception. +// +// A digital signature is generated by using the private key in an asymmetric KMS +// key. The signature is verified by using the public key in the same asymmetric +// KMS key. For information about asymmetric KMS keys, see [Asymmetric KMS keys]in the Key Management +// Service Developer Guide. +// +// To use the Verify operation, specify the same asymmetric KMS key, message, and +// signing algorithm that were used to produce the signature. 
The message type does +// not need to be the same as the one used for signing, but it must indicate +// whether the value of the Message parameter should be hashed as part of the +// verification process. +// +// You can also verify the digital signature by using the public key of the KMS +// key outside of KMS. Use the GetPublicKeyoperation to download the public key in the // asymmetric KMS key and then use the public key to verify the signature outside // of KMS. The advantage of using the Verify operation is that it is performed // within KMS. As a result, it's easy to call, the operation is performed within // the FIPS boundary, it is logged in CloudTrail, and you can use key policy and // IAM policy to determine who is authorized to use the KMS key to verify -// signatures. To verify a signature outside of KMS with an SM2 public key (China -// Regions only), you must specify the distinguishing ID. By default, KMS uses -// 1234567812345678 as the distinguishing ID. For more information, see Offline -// verification with SM2 key pairs (https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification) -// . The KMS key that you use for this operation must be in a compatible key state. -// For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide. Cross-account use: Yes. To -// perform this operation with a KMS key in a different Amazon Web Services -// account, specify the key ARN or alias ARN in the value of the KeyId parameter. -// Required permissions: kms:Verify (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: Sign Eventual consistency: The KMS API follows -// an eventual consistency model. 
For more information, see KMS eventual -// consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// signatures. +// +// To verify a signature outside of KMS with an SM2 public key (China Regions +// only), you must specify the distinguishing ID. By default, KMS uses +// 1234567812345678 as the distinguishing ID. For more information, see [Offline verification with SM2 key pairs]. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value of +// the KeyId parameter. +// +// Required permissions: [kms:Verify] (key policy) +// +// Related operations: Sign +// +// Eventual consistency: The KMS API follows an eventual consistency model. For +// more information, see [KMS eventual consistency]. +// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [Asymmetric KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html +// [Offline verification with SM2 key pairs]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification +// [kms:Verify]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html func (c *Client) Verify(ctx context.Context, params *VerifyInput, optFns ...func(*Options)) (*VerifyOutput, error) { if params == nil { params = &VerifyInput{} 
@@ -65,26 +81,36 @@ type VerifyInput struct { // Identifies the asymmetric KMS key that will be used to verify the signature. // This must be the same KMS key that was used to generate the signature. If you - // specify a different KMS key, the signature verification fails. To specify a KMS - // key, use its key ID, key ARN, alias name, or alias ARN. When using an alias - // name, prefix it with "alias/" . To specify a KMS key in a different Amazon Web - // Services account, you must use the key ARN or alias ARN. For example: + // specify a different KMS key, the signature verification fails. + // + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/" . To specify a KMS key in a + // different Amazon Web Services account, you must use the key ARN or alias ARN. + // + // For example: + // // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // // - Key ARN: // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // // - Alias name: alias/ExampleAlias + // // - Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias - // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey . To - // get the alias name and alias ARN, use ListAliases . + // + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name + // and alias ARN, use ListAliases. // // This member is required. KeyId *string // Specifies the message that was signed. You can submit a raw message of up to // 4096 bytes, or a hash digest of the message. If you submit a digest, use the - // MessageType parameter with a value of DIGEST . If the message specified here is - // different from the message that was signed, the signature verification fails. A - // message and its hash digest are considered to be the same message. + // MessageType parameter with a value of DIGEST . 
+ // + // If the message specified here is different from the message that was signed, + // the signature verification fails. A message and its hash digest are considered + // to be the same message. // // This member is required. Message []byte 
@@ -100,38 +126,56 @@ type VerifyInput struct { // This member is required. SigningAlgorithm types.SigningAlgorithmSpec - // Checks if your request will succeed. DryRun is an optional parameter. To learn - // more about how to use this parameter, see Testing your KMS API calls (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html) - // in the Key Management Service Developer Guide. + // Checks if your request will succeed. DryRun is an optional parameter. + // + // To learn more about how to use this parameter, see [Testing your KMS API calls] in the Key Management + // Service Developer Guide. + // + // [Testing your KMS API calls]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html DryRun *bool - // A list of grant tokens. Use a grant token when your permission to call this - // operation comes from a new grant that has not yet achieved eventual consistency. - // For more information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - // in the Key Management Service Developer Guide. + // A list of grant tokens. + // + // Use a grant token when your permission to call this operation comes from a new + // grant that has not yet achieved eventual consistency. For more information, see [Grant token] + // and [Using a grant token]in the Key Management Service Developer Guide. + // + // [Grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token + // [Using a grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token GrantTokens []string // Tells KMS whether the value of the Message parameter should be hashed as part // of the signing algorithm. Use RAW for unhashed messages; use DIGEST for message - // digests, which are already hashed. 
When the value of MessageType is RAW , KMS - // uses the standard signing algorithm, which begins with a hash function. When the - // value is DIGEST , KMS skips the hashing step in the signing algorithm. Use the - // DIGEST value only when the value of the Message parameter is a message digest. - // If you use the DIGEST value with an unhashed message, the security of the - // verification operation can be compromised. When the value of MessageType is - // DIGEST , the length of the Message value must match the length of hashed - // messages for the specified signing algorithm. You can submit a message digest - // and omit the MessageType or specify RAW so the digest is hashed again while - // signing. However, if the signed message is hashed once while signing, but twice - // while verifying, verification fails, even when the message hasn't changed. The - // hashing algorithm in that Verify uses is based on the SigningAlgorithm value. + // digests, which are already hashed. + // + // When the value of MessageType is RAW , KMS uses the standard signing algorithm, + // which begins with a hash function. When the value is DIGEST , KMS skips the + // hashing step in the signing algorithm. + // + // Use the DIGEST value only when the value of the Message parameter is a message + // digest. If you use the DIGEST value with an unhashed message, the security of + // the verification operation can be compromised. + // + // When the value of MessageType is DIGEST , the length of the Message value must + // match the length of hashed messages for the specified signing algorithm. + // + // You can submit a message digest and omit the MessageType or specify RAW so the + // digest is hashed again while signing. However, if the signed message is hashed + // once while signing, but twice while verifying, verification fails, even when the + // message hasn't changed. + // + // The hashing algorithm in that Verify uses is based on the SigningAlgorithm + // value. 
+ // // - Signing algorithms that end in SHA_256 use the SHA_256 hashing algorithm. + // // - Signing algorithms that end in SHA_384 use the SHA_384 hashing algorithm. + // // - Signing algorithms that end in SHA_512 use the SHA_512 hashing algorithm. - // - SM2DSA uses the SM3 hashing algorithm. For details, see Offline - // verification with SM2 key pairs (https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification) - // . + // + // - SM2DSA uses the SM3 hashing algorithm. For details, see [Offline verification with SM2 key pairs]. + // + // [Offline verification with SM2 key pairs]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification MessageType types.MessageType noSmithyDocumentSerde @@ -139,8 +183,10 @@ type VerifyInput struct { type VerifyOutput struct { - // The Amazon Resource Name ( key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) - // ) of the asymmetric KMS key that was used to verify the signature. + // The Amazon Resource Name ([key ARN] ) of the asymmetric KMS key that was used to verify + // the signature. + // + // [key ARN]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN KeyId *string // A Boolean value that indicates whether the signature was verified. A value of diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_VerifyMac.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_VerifyMac.go index cbffec19181..27bfa87ab1b 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_VerifyMac.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/api_op_VerifyMac.go 
@@ -17,22 +17,33 @@ import ( // specify, and compares the computed HMAC to the HMAC that you specify. If the // HMACs are identical, the verification succeeds; otherwise, it fails. // Verification indicates that the message hasn't changed since the HMAC was -// calculated, and the specified key was used to generate and verify the HMAC. HMAC -// KMS keys and the HMAC algorithms that KMS uses conform to industry standards -// defined in RFC 2104 (https://datatracker.ietf.org/doc/html/rfc2104) . This -// operation is part of KMS support for HMAC KMS keys. For details, see HMAC keys -// in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html) in the -// Key Management Service Developer Guide. The KMS key that you use for this -// operation must be in a compatible key state. For details, see Key states of KMS -// keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in -// the Key Management Service Developer Guide. Cross-account use: Yes. To perform -// this operation with a KMS key in a different Amazon Web Services account, -// specify the key ARN or alias ARN in the value of the KeyId parameter. Required -// permissions: kms:VerifyMac (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) Related operations: GenerateMac Eventual consistency: The KMS API -// follows an eventual consistency model. For more information, see KMS eventual -// consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html) -// . +// calculated, and the specified key was used to generate and verify the HMAC. +// +// HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry +// standards defined in [RFC 2104]. +// +// This operation is part of KMS support for HMAC KMS keys. For details, see [HMAC keys in KMS] in +// the Key Management Service Developer Guide. +// +// The KMS key that you use for this operation must be in a compatible key state. 
+// For details, see [Key states of KMS keys]in the Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value of +// the KeyId parameter. +// +// Required permissions: [kms:VerifyMac] (key policy) +// +// Related operations: GenerateMac +// +// Eventual consistency: The KMS API follows an eventual consistency model. For +// more information, see [KMS eventual consistency]. +// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html +// [RFC 2104]: https://datatracker.ietf.org/doc/html/rfc2104 +// [kms:VerifyMac]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html +// [KMS eventual consistency]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html +// [HMAC keys in KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html func (c *Client) VerifyMac(ctx context.Context, params *VerifyMacInput, optFns ...func(*Options)) (*VerifyMacOutput, error) { if params == nil { params = &VerifyMacInput{} 
@@ -50,16 +61,17 @@ func (c *Client) VerifyMac(ctx context.Context, params *VerifyMacInput, optFns . type VerifyMacInput struct { - // The KMS key that will be used in the verification. Enter a key ID of the KMS - // key that was used to generate the HMAC. If you identify a different KMS key, the - // VerifyMac operation fails. + // The KMS key that will be used in the verification. + // + // Enter a key ID of the KMS key that was used to generate the HMAC. If you + // identify a different KMS key, the VerifyMac operation fails. // // This member is required. KeyId *string - // The HMAC to verify. Enter the HMAC that was generated by the GenerateMac - // operation when you specified the same message, HMAC KMS key, and MAC algorithm - // as the values specified in this request. + // The HMAC to verify. Enter the HMAC that was generated by the GenerateMac operation when + // you specified the same message, HMAC KMS key, and MAC algorithm as the values + // specified in this request. // // This member is required. Mac []byte 
@@ -72,23 +84,31 @@ type VerifyMacInput struct { MacAlgorithm types.MacAlgorithmSpec // The message that will be used in the verification. Enter the same message that - // was used to generate the HMAC. GenerateMac and VerifyMac do not provide special - // handling for message digests. If you generated an HMAC for a hash digest of a - // message, you must verify the HMAC for the same hash digest. + // was used to generate the HMAC. + // + // GenerateMacand VerifyMac do not provide special handling for message digests. If you + // generated an HMAC for a hash digest of a message, you must verify the HMAC for + // the same hash digest. // // This member is required. Message []byte - // Checks if your request will succeed. DryRun is an optional parameter. To learn - // more about how to use this parameter, see Testing your KMS API calls (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html) - // in the Key Management Service Developer Guide. + // Checks if your request will succeed. DryRun is an optional parameter. + // + // To learn more about how to use this parameter, see [Testing your KMS API calls] in the Key Management + // Service Developer Guide. + // + // [Testing your KMS API calls]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html DryRun *bool - // A list of grant tokens. Use a grant token when your permission to call this - // operation comes from a new grant that has not yet achieved eventual consistency. - // For more information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - // in the Key Management Service Developer Guide. + // A list of grant tokens. + // + // Use a grant token when your permission to call this operation comes from a new + // grant that has not yet achieved eventual consistency. 
For more information, see [Grant token] + // and [Using a grant token]in the Key Management Service Developer Guide. + // + // [Grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token + // [Using a grant token]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token GrantTokens []string noSmithyDocumentSerde @@ -104,9 +124,11 @@ type VerifyMacOutput struct { // A Boolean value that indicates whether the HMAC was verified. A value of True // indicates that the HMAC ( Mac ) was generated with the specified Message , HMAC - // KMS key ( KeyID ) and MacAlgorithm. . If the HMAC is not verified, the VerifyMac - // operation fails with a KMSInvalidMacException exception. This exception - // indicates that one or more of the inputs changed since the HMAC was computed. + // KMS key ( KeyID ) and MacAlgorithm. . + // + // If the HMAC is not verified, the VerifyMac operation fails with a + // KMSInvalidMacException exception. This exception indicates that one or more of + // the inputs changed since the HMAC was computed. MacValid bool // Metadata pertaining to the operation's result. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/deserializers.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/deserializers.go index b4bdc25e3cf..c1a69f0f6cb 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/deserializers.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/deserializers.go @@ -19,8 +19,17 @@ import ( "io" "io/ioutil" "strings" + "time" ) +func deserializeS3Expires(v string) (*time.Time, error) { + t, err := smithytime.ParseHTTPDate(v) + if err != nil { + return nil, nil + } + return &t, nil +} + type awsAwsjson11_deserializeOpCancelKeyDeletion struct { } 
@@ -3885,6 +3894,128 @@ func awsAwsjson11_deserializeOpErrorListKeyPolicies(response *smithyhttp.Respons } } +type awsAwsjson11_deserializeOpListKeyRotations struct { +} + +func (*awsAwsjson11_deserializeOpListKeyRotations) ID() string { + return "OperationDeserializer" +} + +func (m *awsAwsjson11_deserializeOpListKeyRotations) HandleDeserialize(ctx context.Context, in middleware.DeserializeInput, next middleware.DeserializeHandler) ( + out middleware.DeserializeOutput, metadata middleware.Metadata, err error, +) { + out, metadata, err = next.HandleDeserialize(ctx, in) + if err != nil { + return out, metadata, err + } + + response, ok := out.RawResponse.(*smithyhttp.Response) + if !ok { + return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)} + } + + if response.StatusCode < 200 || response.StatusCode >= 300 { + return out, metadata, awsAwsjson11_deserializeOpErrorListKeyRotations(response, &metadata) + } + output := &ListKeyRotationsOutput{} + out.Result = output + + var buff [1024]byte + ringBuffer := smithyio.NewRingBuffer(buff[:]) + + body := io.TeeReader(response.Body, ringBuffer) + decoder := json.NewDecoder(body) + decoder.UseNumber() + var shape interface{} + if err := decoder.Decode(&shape); err != nil && err != io.EOF { + var snapshot bytes.Buffer + io.Copy(&snapshot, ringBuffer) + err = &smithy.DeserializationError{ + Err: fmt.Errorf("failed to decode response body, %w", err), + Snapshot: snapshot.Bytes(), + } + return out, metadata, err + } + + err = awsAwsjson11_deserializeOpDocumentListKeyRotationsOutput(&output, shape) + if err != nil { + var snapshot bytes.Buffer + io.Copy(&snapshot, ringBuffer) + err = &smithy.DeserializationError{ + Err: fmt.Errorf("failed to decode response body, %w", err), + Snapshot: snapshot.Bytes(), + } + return out, metadata, err + } + + return out, metadata, err +} + +func awsAwsjson11_deserializeOpErrorListKeyRotations(response *smithyhttp.Response, metadata 
*middleware.Metadata) error { + var errorBuffer bytes.Buffer + if _, err := io.Copy(&errorBuffer, response.Body); err != nil { + return &smithy.DeserializationError{Err: fmt.Errorf("failed to copy error response body, %w", err)} + } + errorBody := bytes.NewReader(errorBuffer.Bytes()) + + errorCode := "UnknownError" + errorMessage := errorCode + + headerCode := response.Header.Get("X-Amzn-ErrorType") + + var buff [1024]byte + ringBuffer := smithyio.NewRingBuffer(buff[:]) + + body := io.TeeReader(errorBody, ringBuffer) + decoder := json.NewDecoder(body) + decoder.UseNumber() + bodyInfo, err := getProtocolErrorInfo(decoder) + if err != nil { + var snapshot bytes.Buffer + io.Copy(&snapshot, ringBuffer) + err = &smithy.DeserializationError{ + Err: fmt.Errorf("failed to decode response body, %w", err), + Snapshot: snapshot.Bytes(), + } + return err + } + + errorBody.Seek(0, io.SeekStart) + if typ, ok := resolveProtocolErrorType(headerCode, bodyInfo); ok { + errorCode = restjson.SanitizeErrorCode(typ) + } + if len(bodyInfo.Message) != 0 { + errorMessage = bodyInfo.Message + } + switch { + case strings.EqualFold("InvalidArnException", errorCode): + return awsAwsjson11_deserializeErrorInvalidArnException(response, errorBody) + + case strings.EqualFold("InvalidMarkerException", errorCode): + return awsAwsjson11_deserializeErrorInvalidMarkerException(response, errorBody) + + case strings.EqualFold("KMSInternalException", errorCode): + return awsAwsjson11_deserializeErrorKMSInternalException(response, errorBody) + + case strings.EqualFold("KMSInvalidStateException", errorCode): + return awsAwsjson11_deserializeErrorKMSInvalidStateException(response, errorBody) + + case strings.EqualFold("NotFoundException", errorCode): + return awsAwsjson11_deserializeErrorNotFoundException(response, errorBody) + + case strings.EqualFold("UnsupportedOperationException", errorCode): + return awsAwsjson11_deserializeErrorUnsupportedOperationException(response, errorBody) + + default: + 
genericError := &smithy.GenericAPIError{ + Code: errorCode, + Message: errorMessage, + } + return genericError + + } +} + type awsAwsjson11_deserializeOpListKeys struct { } 
@@ -4819,6 +4950,137 @@ func awsAwsjson11_deserializeOpErrorRevokeGrant(response *smithyhttp.Response, m } } +type awsAwsjson11_deserializeOpRotateKeyOnDemand struct { +} + +func (*awsAwsjson11_deserializeOpRotateKeyOnDemand) ID() string { + return "OperationDeserializer" +} + +func (m *awsAwsjson11_deserializeOpRotateKeyOnDemand) HandleDeserialize(ctx context.Context, in middleware.DeserializeInput, next middleware.DeserializeHandler) ( + out middleware.DeserializeOutput, metadata middleware.Metadata, err error, +) { + out, metadata, err = next.HandleDeserialize(ctx, in) + if err != nil { + return out, metadata, err + } + + response, ok := out.RawResponse.(*smithyhttp.Response) + if !ok { + return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)} + } + + if response.StatusCode < 200 || response.StatusCode >= 300 { + return out, metadata, awsAwsjson11_deserializeOpErrorRotateKeyOnDemand(response, &metadata) + } + output := &RotateKeyOnDemandOutput{} + out.Result = output + + var buff [1024]byte + ringBuffer := smithyio.NewRingBuffer(buff[:]) + + body := io.TeeReader(response.Body, ringBuffer) + decoder := json.NewDecoder(body) + decoder.UseNumber() + var shape interface{} + if err := decoder.Decode(&shape); err != nil && err != io.EOF { + var snapshot bytes.Buffer + io.Copy(&snapshot, ringBuffer) + err = &smithy.DeserializationError{ + Err: fmt.Errorf("failed to decode response body, %w", err), + Snapshot: snapshot.Bytes(), + } + return out, metadata, err + } + + err = awsAwsjson11_deserializeOpDocumentRotateKeyOnDemandOutput(&output, shape) + if err != nil { + var snapshot bytes.Buffer + io.Copy(&snapshot, ringBuffer) + err = &smithy.DeserializationError{ + Err: fmt.Errorf("failed to decode response body, %w", err), + Snapshot: snapshot.Bytes(), + } + return out, metadata, err + } + + return out, metadata, err +} + +func awsAwsjson11_deserializeOpErrorRotateKeyOnDemand(response *smithyhttp.Response, metadata 
*middleware.Metadata) error { + var errorBuffer bytes.Buffer + if _, err := io.Copy(&errorBuffer, response.Body); err != nil { + return &smithy.DeserializationError{Err: fmt.Errorf("failed to copy error response body, %w", err)} + } + errorBody := bytes.NewReader(errorBuffer.Bytes()) + + errorCode := "UnknownError" + errorMessage := errorCode + + headerCode := response.Header.Get("X-Amzn-ErrorType") + + var buff [1024]byte + ringBuffer := smithyio.NewRingBuffer(buff[:]) + + body := io.TeeReader(errorBody, ringBuffer) + decoder := json.NewDecoder(body) + decoder.UseNumber() + bodyInfo, err := getProtocolErrorInfo(decoder) + if err != nil { + var snapshot bytes.Buffer + io.Copy(&snapshot, ringBuffer) + err = &smithy.DeserializationError{ + Err: fmt.Errorf("failed to decode response body, %w", err), + Snapshot: snapshot.Bytes(), + } + return err + } + + errorBody.Seek(0, io.SeekStart) + if typ, ok := resolveProtocolErrorType(headerCode, bodyInfo); ok { + errorCode = restjson.SanitizeErrorCode(typ) + } + if len(bodyInfo.Message) != 0 { + errorMessage = bodyInfo.Message + } + switch { + case strings.EqualFold("ConflictException", errorCode): + return awsAwsjson11_deserializeErrorConflictException(response, errorBody) + + case strings.EqualFold("DependencyTimeoutException", errorCode): + return awsAwsjson11_deserializeErrorDependencyTimeoutException(response, errorBody) + + case strings.EqualFold("DisabledException", errorCode): + return awsAwsjson11_deserializeErrorDisabledException(response, errorBody) + + case strings.EqualFold("InvalidArnException", errorCode): + return awsAwsjson11_deserializeErrorInvalidArnException(response, errorBody) + + case strings.EqualFold("KMSInternalException", errorCode): + return awsAwsjson11_deserializeErrorKMSInternalException(response, errorBody) + + case strings.EqualFold("KMSInvalidStateException", errorCode): + return awsAwsjson11_deserializeErrorKMSInvalidStateException(response, errorBody) + + case 
strings.EqualFold("LimitExceededException", errorCode): + return awsAwsjson11_deserializeErrorLimitExceededException(response, errorBody) + + case strings.EqualFold("NotFoundException", errorCode): + return awsAwsjson11_deserializeErrorNotFoundException(response, errorBody) + + case strings.EqualFold("UnsupportedOperationException", errorCode): + return awsAwsjson11_deserializeErrorUnsupportedOperationException(response, errorBody) + + default: + genericError := &smithy.GenericAPIError{ + Code: errorCode, + Message: errorMessage, + } + return genericError + + } +} + type awsAwsjson11_deserializeOpScheduleKeyDeletion struct { } @@ -6190,6 +6452,41 @@ func awsAwsjson11_deserializeErrorCloudHsmClusterNotRelatedException(response *s return output } +func awsAwsjson11_deserializeErrorConflictException(response *smithyhttp.Response, errorBody *bytes.Reader) error { + var buff [1024]byte + ringBuffer := smithyio.NewRingBuffer(buff[:]) + + body := io.TeeReader(errorBody, ringBuffer) + decoder := json.NewDecoder(body) + decoder.UseNumber() + var shape interface{} + if err := decoder.Decode(&shape); err != nil && err != io.EOF { + var snapshot bytes.Buffer + io.Copy(&snapshot, ringBuffer) + err = &smithy.DeserializationError{ + Err: fmt.Errorf("failed to decode response body, %w", err), + Snapshot: snapshot.Bytes(), + } + return err + } + + output := &types.ConflictException{} + err := awsAwsjson11_deserializeDocumentConflictException(&output, shape) + + if err != nil { + var snapshot bytes.Buffer + io.Copy(&snapshot, ringBuffer) + err = &smithy.DeserializationError{ + Err: fmt.Errorf("failed to decode response body, %w", err), + Snapshot: snapshot.Bytes(), + } + return err + } + + errorBody.Seek(0, io.SeekStart) + return output +} + func awsAwsjson11_deserializeErrorCustomKeyStoreHasCMKsException(response *smithyhttp.Response, errorBody *bytes.Reader) error { var buff [1024]byte ringBuffer := smithyio.NewRingBuffer(buff[:]) 
@@ -7989,6 +8286,46 @@ func awsAwsjson11_deserializeDocumentCloudHsmClusterNotRelatedException(v **type return nil } +func awsAwsjson11_deserializeDocumentConflictException(v **types.ConflictException, value interface{}) error { + if v == nil { + return fmt.Errorf("unexpected nil of type %T", v) + } + if value == nil { + return nil + } + + shape, ok := value.(map[string]interface{}) + if !ok { + return fmt.Errorf("unexpected JSON type %v", value) + } + + var sv *types.ConflictException + if *v == nil { + sv = &types.ConflictException{} + } else { + sv = *v + } + + for key, value := range shape { + switch key { + case "message": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected ErrorMessageType to be of type string, got %T instead", value) + } + sv.Message = ptr.String(jtv) + } + + default: + _, _ = key, value + + } + } + *v = sv + return nil +} + func awsAwsjson11_deserializeDocumentCustomKeyStoreHasCMKsException(v **types.CustomKeyStoreHasCMKsException, value interface{}) error { if v == nil { return fmt.Errorf("unexpected nil of type %T", v) 
@@ -10052,6 +10389,105 @@ func awsAwsjson11_deserializeDocumentPolicyNameList(v *[]string, value interface return nil } +func awsAwsjson11_deserializeDocumentRotationsList(v *[]types.RotationsListEntry, value interface{}) error { + if v == nil { + return fmt.Errorf("unexpected nil of type %T", v) + } + if value == nil { + return nil + } + + shape, ok := value.([]interface{}) + if !ok { + return fmt.Errorf("unexpected JSON type %v", value) + } + + var cv []types.RotationsListEntry + if *v == nil { + cv = []types.RotationsListEntry{} + } else { + cv = *v + } + + for _, value := range shape { + var col types.RotationsListEntry + destAddr := &col + if err := awsAwsjson11_deserializeDocumentRotationsListEntry(&destAddr, value); err != nil { + return err + } + col = *destAddr + cv = append(cv, col) + + } + *v = cv + return nil +} + +func awsAwsjson11_deserializeDocumentRotationsListEntry(v **types.RotationsListEntry, value interface{}) error { + if v == nil { + return fmt.Errorf("unexpected nil of type %T", v) + } + if value == nil { + return nil + } + + shape, ok := value.(map[string]interface{}) + if !ok { + return fmt.Errorf("unexpected JSON type %v", value) + } + + var sv *types.RotationsListEntry + if *v == nil { + sv = &types.RotationsListEntry{} + } else { + sv = *v + } + + for key, value := range shape { + switch key { + case "KeyId": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected KeyIdType to be of type string, got %T instead", value) + } + sv.KeyId = ptr.String(jtv) + } + + case "RotationDate": + if value != nil { + switch jtv := value.(type) { + case json.Number: + f64, err := jtv.Float64() + if err != nil { + return err + } + sv.RotationDate = ptr.Time(smithytime.ParseEpochSeconds(f64)) + + default: + return fmt.Errorf("expected DateType to be a JSON Number, got %T instead", value) + + } + } + + case "RotationType": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected RotationType 
to be of type string, got %T instead", value) + } + sv.RotationType = types.RotationType(jtv) + } + + default: + _, _ = key, value + + } + } + *v = sv + return nil +} + func awsAwsjson11_deserializeDocumentSigningAlgorithmSpecList(v *[]types.SigningAlgorithmSpec, value interface{}) error { if v == nil { return fmt.Errorf("unexpected nil of type %T", v) @@ -11830,6 +12266,15 @@ func awsAwsjson11_deserializeOpDocumentGetKeyRotationStatusOutput(v **GetKeyRota for key, value := range shape { switch key { + case "KeyId": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected KeyIdType to be of type string, got %T instead", value) + } + sv.KeyId = ptr.String(jtv) + } + case "KeyRotationEnabled": if value != nil { jtv, ok := value.(bool) @@ -11839,6 +12284,51 @@ func awsAwsjson11_deserializeOpDocumentGetKeyRotationStatusOutput(v **GetKeyRota sv.KeyRotationEnabled = jtv } + case "NextRotationDate": + if value != nil { + switch jtv := value.(type) { + case json.Number: + f64, err := jtv.Float64() + if err != nil { + return err + } + sv.NextRotationDate = ptr.Time(smithytime.ParseEpochSeconds(f64)) + + default: + return fmt.Errorf("expected DateType to be a JSON Number, got %T instead", value) + + } + } + + case "OnDemandRotationStartDate": + if value != nil { + switch jtv := value.(type) { + case json.Number: + f64, err := jtv.Float64() + if err != nil { + return err + } + sv.OnDemandRotationStartDate = ptr.Time(smithytime.ParseEpochSeconds(f64)) + + default: + return fmt.Errorf("expected DateType to be a JSON Number, got %T instead", value) + + } + } + + case "RotationPeriodInDays": + if value != nil { + jtv, ok := value.(json.Number) + if !ok { + return fmt.Errorf("expected RotationPeriodInDaysType to be json.Number, got %T instead", value) + } + i64, err := jtv.Int64() + if err != nil { + return err + } + sv.RotationPeriodInDays = ptr.Int32(int32(i64)) + } + default: _, _ = key, value 
@@ -12213,6 +12703,60 @@ func awsAwsjson11_deserializeOpDocumentListKeyPoliciesOutput(v **ListKeyPolicies return nil } +func awsAwsjson11_deserializeOpDocumentListKeyRotationsOutput(v **ListKeyRotationsOutput, value interface{}) error { + if v == nil { + return fmt.Errorf("unexpected nil of type %T", v) + } + if value == nil { + return nil + } + + shape, ok := value.(map[string]interface{}) + if !ok { + return fmt.Errorf("unexpected JSON type %v", value) + } + + var sv *ListKeyRotationsOutput + if *v == nil { + sv = &ListKeyRotationsOutput{} + } else { + sv = *v + } + + for key, value := range shape { + switch key { + case "NextMarker": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected MarkerType to be of type string, got %T instead", value) + } + sv.NextMarker = ptr.String(jtv) + } + + case "Rotations": + if err := awsAwsjson11_deserializeDocumentRotationsList(&sv.Rotations, value); err != nil { + return err + } + + case "Truncated": + if value != nil { + jtv, ok := value.(bool) + if !ok { + return fmt.Errorf("expected BooleanType to be of type *bool, got %T instead", value) + } + sv.Truncated = jtv + } + + default: + _, _ = key, value + + } + } + *v = sv + return nil +} + func awsAwsjson11_deserializeOpDocumentListKeysOutput(v **ListKeysOutput, value interface{}) error { if v == nil { return fmt.Errorf("unexpected nil of type %T", v) 
@@ -12505,6 +13049,46 @@ func awsAwsjson11_deserializeOpDocumentReplicateKeyOutput(v **ReplicateKeyOutput return nil } +func awsAwsjson11_deserializeOpDocumentRotateKeyOnDemandOutput(v **RotateKeyOnDemandOutput, value interface{}) error { + if v == nil { + return fmt.Errorf("unexpected nil of type %T", v) + } + if value == nil { + return nil + } + + shape, ok := value.(map[string]interface{}) + if !ok { + return fmt.Errorf("unexpected JSON type %v", value) + } + + var sv *RotateKeyOnDemandOutput + if *v == nil { + sv = &RotateKeyOnDemandOutput{} + } else { + sv = *v + } + + for key, value := range shape { + switch key { + case "KeyId": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected KeyIdType to be of type string, got %T instead", value) + } + sv.KeyId = ptr.String(jtv) + } + + default: + _, _ = key, value + + } + } + *v = sv + return nil +} + func awsAwsjson11_deserializeOpDocumentScheduleKeyDeletionOutput(v **ScheduleKeyDeletionOutput, value interface{}) error { if v == nil { return fmt.Errorf("unexpected nil of type %T", v) diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/doc.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/doc.go index 266b4e11176..f989361a183 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/doc.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/doc.go 
@@ -3,62 +3,95 @@ // Package kms provides the API client, operations, and parameter types for AWS // Key Management Service. // -// Key Management Service Key Management Service (KMS) is an encryption and key -// management web service. This guide describes the KMS operations that you can -// call programmatically. For general information about KMS, see the Key -// Management Service Developer Guide (https://docs.aws.amazon.com/kms/latest/developerguide/) -// . KMS has replaced the term customer master key (CMK) with KMS key and KMS key. +// # Key Management Service +// +// Key Management Service (KMS) is an encryption and key management web service. +// This guide describes the KMS operations that you can call programmatically. For +// general information about KMS, see the [Key Management Service Developer Guide]. +// +// KMS has replaced the term customer master key (CMK) with KMS key and KMS key. // The concept has not changed. To prevent breaking changes, KMS is keeping some -// variations of this term. Amazon Web Services provides SDKs that consist of -// libraries and sample code for various programming languages and platforms (Java, -// Ruby, .Net, macOS, Android, etc.). The SDKs provide a convenient way to create -// programmatic access to KMS and other Amazon Web Services services. For example, -// the SDKs take care of tasks such as signing requests (see below), managing -// errors, and retrying requests automatically. For more information about the -// Amazon Web Services SDKs, including how to download and install them, see Tools -// for Amazon Web Services (http://aws.amazon.com/tools/) . We recommend that you -// use the Amazon Web Services SDKs to make programmatic API calls to KMS. If you -// need to use FIPS 140-2 validated cryptographic modules when communicating with -// Amazon Web Services, use the FIPS endpoint in your preferred Amazon Web Services -// Region. 
For more information about the available FIPS endpoints, see Service -// endpoints (https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region) in -// the Key Management Service topic of the Amazon Web Services General Reference. +// variations of this term. +// +// Amazon Web Services provides SDKs that consist of libraries and sample code for +// various programming languages and platforms (Java, Ruby, .Net, macOS, Android, +// etc.). The SDKs provide a convenient way to create programmatic access to KMS +// and other Amazon Web Services services. For example, the SDKs take care of tasks +// such as signing requests (see below), managing errors, and retrying requests +// automatically. For more information about the Amazon Web Services SDKs, +// including how to download and install them, see [Tools for Amazon Web Services]. +// +// We recommend that you use the Amazon Web Services SDKs to make programmatic API +// calls to KMS. +// +// If you need to use FIPS 140-2 validated cryptographic modules when +// communicating with Amazon Web Services, use the FIPS endpoint in your preferred +// Amazon Web Services Region. For more information about the available FIPS +// endpoints, see [Service endpoints]in the Key Management Service topic of the Amazon Web Services +// General Reference. +// // All KMS API calls must be signed and be transmitted using Transport Layer // Security (TLS). KMS recommends you always use the latest supported TLS version. // Clients must also support cipher suites with Perfect Forward Secrecy (PFS) such // as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman // (ECDHE). Most modern systems such as Java 7 and later support these modes. -// Signing Requests Requests must be signed using an access key ID and a secret -// access key. We strongly recommend that you do not use your Amazon Web Services -// account root access key ID and secret access key for everyday work. 
You can use -// the access key ID and secret access key for an IAM user or you can use the -// Security Token Service (STS) to generate temporary security credentials and use -// those to sign requests. All KMS requests must be signed with Signature Version 4 (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) -// . Logging API Requests KMS supports CloudTrail, a service that logs Amazon Web -// Services API calls and related events for your Amazon Web Services account and -// delivers them to an Amazon S3 bucket that you specify. By using the information -// collected by CloudTrail, you can determine what requests were made to KMS, who -// made the request, when it was made, and so on. To learn more about CloudTrail, -// including how to turn it on and find your log files, see the CloudTrail User -// Guide (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/) . Additional -// Resources For more information about credentials and request signing, see the -// following: -// - Amazon Web Services Security Credentials (https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html) -// - This topic provides general information about the types of credentials used to -// access Amazon Web Services. -// - Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) -// - This section of the IAM User Guide describes how to create and use temporary -// security credentials. -// - Signature Version 4 Signing Process (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) -// - This set of topics walks you through the process of signing a request using an -// access key ID and a secret access key. -// -// Commonly Used API Operations Of the API operations discussed in this guide, the -// following will prove the most useful for most applications. You will likely -// perform operations other than these, such as creating keys and assigning -// policies, by using the console. 
-// - Encrypt -// - Decrypt -// - GenerateDataKey -// - GenerateDataKeyWithoutPlaintext +// +// # Signing Requests +// +// Requests must be signed using an access key ID and a secret access key. We +// strongly recommend that you do not use your Amazon Web Services account root +// access key ID and secret access key for everyday work. You can use the access +// key ID and secret access key for an IAM user or you can use the Security Token +// Service (STS) to generate temporary security credentials and use those to sign +// requests. +// +// All KMS requests must be signed with [Signature Version 4]. +// +// # Logging API Requests +// +// KMS supports CloudTrail, a service that logs Amazon Web Services API calls and +// related events for your Amazon Web Services account and delivers them to an +// Amazon S3 bucket that you specify. By using the information collected by +// CloudTrail, you can determine what requests were made to KMS, who made the +// request, when it was made, and so on. To learn more about CloudTrail, including +// how to turn it on and find your log files, see the [CloudTrail User Guide]. +// +// # Additional Resources +// +// For more information about credentials and request signing, see the following: +// +// [Amazon Web Services Security Credentials] +// - - This topic provides general information about the types of credentials +// used to access Amazon Web Services. +// +// [Temporary Security Credentials] +// - - This section of the IAM User Guide describes how to create and use +// temporary security credentials. +// +// [Signature Version 4 Signing Process] +// - - This set of topics walks you through the process of signing a request +// using an access key ID and a secret access key. +// +// # Commonly Used API Operations +// +// Of the API operations discussed in this guide, the following will prove the +// most useful for most applications. 
You will likely perform operations other than +// these, such as creating keys and assigning policies, by using the console. +// +// # Encrypt +// +// # Decrypt +// +// # GenerateDataKey +// +// # GenerateDataKeyWithoutPlaintext +// +// [Signature Version 4]: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html +// [Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html +// [Tools for Amazon Web Services]: http://aws.amazon.com/tools/ +// [Amazon Web Services Security Credentials]: https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html +// [Key Management Service Developer Guide]: https://docs.aws.amazon.com/kms/latest/developerguide/ +// [Service endpoints]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region +// [CloudTrail User Guide]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/ +// [Signature Version 4 Signing Process]: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html package kms diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/generated.json b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/generated.json index 0a713e7f403..ab000facbdf 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/generated.json +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/generated.json @@ -40,6 +40,7 @@ "api_op_ListAliases.go", "api_op_ListGrants.go", "api_op_ListKeyPolicies.go", + "api_op_ListKeyRotations.go", "api_op_ListKeys.go", "api_op_ListResourceTags.go", "api_op_ListRetirableGrants.go", @@ -48,6 +49,7 @@ "api_op_ReplicateKey.go", "api_op_RetireGrant.go", "api_op_RevokeGrant.go", + "api_op_RotateKeyOnDemand.go", "api_op_ScheduleKeyDeletion.go", "api_op_Sign.go", "api_op_TagResource.go", diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/go_module_metadata.go index 9e5cd17e5ba..9e459d38e97 100644 
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/go_module_metadata.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/go_module_metadata.go @@ -3,4 +3,4 @@ package kms // goModuleVersion is the tagged release for this module -const goModuleVersion = "1.30.0" +const goModuleVersion = "1.32.1" diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/options.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/options.go index b24e2565947..11be534415f 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/options.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/options.go @@ -50,8 +50,10 @@ type Options struct { // Deprecated: Deprecated: EndpointResolver and WithEndpointResolver. Providing a // value for this field will likely prevent you from using any endpoint-related // service features released after the introduction of EndpointResolverV2 and - // BaseEndpoint. To migrate an EndpointResolver implementation that uses a custom - // endpoint, set the client option BaseEndpoint instead. + // BaseEndpoint. + // + // To migrate an EndpointResolver implementation that uses a custom endpoint, set + // the client option BaseEndpoint instead. EndpointResolver EndpointResolver // Resolves the endpoint used for a particular service operation. This should be 
@@ -70,17 +72,20 @@ type Options struct { // RetryMaxAttempts specifies the maximum number attempts an API client will call // an operation that fails with a retryable error. A value of 0 is ignored, and // will not be used to configure the API client created default retryer, or modify - // per operation call's retry max attempts. If specified in an operation call's - // functional options with a value that is different than the constructed client's - // Options, the Client's Retryer will be wrapped to use the operation's specific - // RetryMaxAttempts value. + // per operation call's retry max attempts. + // + // If specified in an operation call's functional options with a value that is + // different than the constructed client's Options, the Client's Retryer will be + // wrapped to use the operation's specific RetryMaxAttempts value. RetryMaxAttempts int // RetryMode specifies the retry mode the API client will be created with, if - // Retryer option is not also specified. When creating a new API Clients this - // member will only be used if the Retryer Options member is nil. This value will - // be ignored if Retryer is not nil. Currently does not support per operation call - // overrides, may in the future. + // Retryer option is not also specified. + // + // When creating a new API Clients this member will only be used if the Retryer + // Options member is nil. This value will be ignored if Retryer is not nil. + // + // Currently does not support per operation call overrides, may in the future. RetryMode aws.RetryMode // Retryer guides how HTTP requests should be retried in case of recoverable 
@@ -97,8 +102,9 @@ type Options struct { // The initial DefaultsMode used when the client options were constructed. If the // DefaultsMode was set to aws.DefaultsModeAuto this will store what the resolved - // value was at that point in time. Currently does not support per operation call - // overrides, may in the future. + // value was at that point in time. + // + // Currently does not support per operation call overrides, may in the future. resolvedDefaultsMode aws.DefaultsMode // The HTTP client to invoke API calls with. Defaults to client's default HTTP @@ -143,6 +149,7 @@ func WithAPIOptions(optFns ...func(*middleware.Stack) error) func(*Options) { // Deprecated: EndpointResolver and WithEndpointResolver. Providing a value for // this field will likely prevent you from using any endpoint-related service // features released after the introduction of EndpointResolverV2 and BaseEndpoint. +// // To migrate an EndpointResolver implementation that uses a custom endpoint, set // the client option BaseEndpoint instead. func WithEndpointResolver(v EndpointResolver) func(*Options) { diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/serializers.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/serializers.go index e477fe0ab61..da221755ba4 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/serializers.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/serializers.go 
@@ -1776,6 +1776,61 @@ func (m *awsAwsjson11_serializeOpListKeyPolicies) HandleSerialize(ctx context.Co return next.HandleSerialize(ctx, in) } +type awsAwsjson11_serializeOpListKeyRotations struct { +} + +func (*awsAwsjson11_serializeOpListKeyRotations) ID() string { + return "OperationSerializer" +} + +func (m *awsAwsjson11_serializeOpListKeyRotations) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) ( + out middleware.SerializeOutput, metadata middleware.Metadata, err error, +) { + request, ok := in.Request.(*smithyhttp.Request) + if !ok { + return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)} + } + + input, ok := in.Parameters.(*ListKeyRotationsInput) + _ = input + if !ok { + return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown input parameters type %T", in.Parameters)} + } + + operationPath := "/" + if len(request.Request.URL.Path) == 0 { + request.Request.URL.Path = operationPath + } else { + request.Request.URL.Path = path.Join(request.Request.URL.Path, operationPath) + if request.Request.URL.Path != "/" && operationPath[len(operationPath)-1] == '/' { + request.Request.URL.Path += "/" + } + } + request.Request.Method = "POST" + httpBindingEncoder, err := httpbinding.NewEncoder(request.URL.Path, request.URL.RawQuery, request.Header) + if err != nil { + return out, metadata, &smithy.SerializationError{Err: err} + } + httpBindingEncoder.SetHeader("Content-Type").String("application/x-amz-json-1.1") + httpBindingEncoder.SetHeader("X-Amz-Target").String("TrentService.ListKeyRotations") + + jsonEncoder := smithyjson.NewEncoder() + if err := awsAwsjson11_serializeOpDocumentListKeyRotationsInput(input, jsonEncoder.Value); err != nil { + return out, metadata, &smithy.SerializationError{Err: err} + } + + if request, err = request.SetStream(bytes.NewReader(jsonEncoder.Bytes())); err != nil { + return out, metadata, 
&smithy.SerializationError{Err: err} + } + + if request.Request, err = httpBindingEncoder.Encode(request.Request); err != nil { + return out, metadata, &smithy.SerializationError{Err: err} + } + in.Request = request + + return next.HandleSerialize(ctx, in) +} + type awsAwsjson11_serializeOpListKeys struct { } 
@@ -2216,6 +2271,61 @@ func (m *awsAwsjson11_serializeOpRevokeGrant) HandleSerialize(ctx context.Contex return next.HandleSerialize(ctx, in) } +type awsAwsjson11_serializeOpRotateKeyOnDemand struct { +} + +func (*awsAwsjson11_serializeOpRotateKeyOnDemand) ID() string { + return "OperationSerializer" +} + +func (m *awsAwsjson11_serializeOpRotateKeyOnDemand) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) ( + out middleware.SerializeOutput, metadata middleware.Metadata, err error, +) { + request, ok := in.Request.(*smithyhttp.Request) + if !ok { + return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)} + } + + input, ok := in.Parameters.(*RotateKeyOnDemandInput) + _ = input + if !ok { + return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown input parameters type %T", in.Parameters)} + } + + operationPath := "/" + if len(request.Request.URL.Path) == 0 { + request.Request.URL.Path = operationPath + } else { + request.Request.URL.Path = path.Join(request.Request.URL.Path, operationPath) + if request.Request.URL.Path != "/" && operationPath[len(operationPath)-1] == '/' { + request.Request.URL.Path += "/" + } + } + request.Request.Method = "POST" + httpBindingEncoder, err := httpbinding.NewEncoder(request.URL.Path, request.URL.RawQuery, request.Header) + if err != nil { + return out, metadata, &smithy.SerializationError{Err: err} + } + httpBindingEncoder.SetHeader("Content-Type").String("application/x-amz-json-1.1") + httpBindingEncoder.SetHeader("X-Amz-Target").String("TrentService.RotateKeyOnDemand") + + jsonEncoder := smithyjson.NewEncoder() + if err := awsAwsjson11_serializeOpDocumentRotateKeyOnDemandInput(input, jsonEncoder.Value); err != nil { + return out, metadata, &smithy.SerializationError{Err: err} + } + + if request, err = request.SetStream(bytes.NewReader(jsonEncoder.Bytes())); err != nil { + return out, metadata, 
&smithy.SerializationError{Err: err} + } + + if request.Request, err = httpBindingEncoder.Encode(request.Request); err != nil { + return out, metadata, &smithy.SerializationError{Err: err} + } + in.Request = request + + return next.HandleSerialize(ctx, in) +} + type awsAwsjson11_serializeOpScheduleKeyDeletion struct { } @@ -3298,6 +3408,11 @@ func awsAwsjson11_serializeOpDocumentEnableKeyRotationInput(v *EnableKeyRotation ok.String(*v.KeyId) } + if v.RotationPeriodInDays != nil { + ok := object.Key("RotationPeriodInDays") + ok.Integer(*v.RotationPeriodInDays) + } + return nil } @@ -3746,6 +3861,28 @@ func awsAwsjson11_serializeOpDocumentListKeyPoliciesInput(v *ListKeyPoliciesInpu return nil } +func awsAwsjson11_serializeOpDocumentListKeyRotationsInput(v *ListKeyRotationsInput, value smithyjson.Value) error { + object := value.Object() + defer object.Close() + + if v.KeyId != nil { + ok := object.Key("KeyId") + ok.String(*v.KeyId) + } + + if v.Limit != nil { + ok := object.Key("Limit") + ok.Integer(*v.Limit) + } + + if v.Marker != nil { + ok := object.Key("Marker") + ok.String(*v.Marker) + } + + return nil +} + func awsAwsjson11_serializeOpDocumentListKeysInput(v *ListKeysInput, value smithyjson.Value) error { object := value.Object() defer object.Close() @@ -3980,6 +4117,18 @@ func awsAwsjson11_serializeOpDocumentRevokeGrantInput(v *RevokeGrantInput, value return nil } +func awsAwsjson11_serializeOpDocumentRotateKeyOnDemandInput(v *RotateKeyOnDemandInput, value smithyjson.Value) error { + object := value.Object() + defer object.Close() + + if v.KeyId != nil { + ok := object.Key("KeyId") + ok.String(*v.KeyId) + } + + return nil +} + func awsAwsjson11_serializeOpDocumentScheduleKeyDeletionInput(v *ScheduleKeyDeletionInput, value smithyjson.Value) error { object := value.Object() defer object.Close() 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/types/enums.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/types/enums.go index f5da8f5b920..f7882c6bc4b 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/types/enums.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/types/enums.go @@ -11,11 +11,13 @@ const ( AlgorithmSpecRsaesOaepSha256 AlgorithmSpec = "RSAES_OAEP_SHA_256" AlgorithmSpecRsaAesKeyWrapSha1 AlgorithmSpec = "RSA_AES_KEY_WRAP_SHA_1" AlgorithmSpecRsaAesKeyWrapSha256 AlgorithmSpec = "RSA_AES_KEY_WRAP_SHA_256" + AlgorithmSpecSm2pke AlgorithmSpec = "SM2PKE" ) // Values returns all known values for AlgorithmSpec. Note that this can be -// expanded in the future, and so it is only as up to date as the client. The -// ordering of this slice is not guaranteed to be stable across updates. +// expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (AlgorithmSpec) Values() []AlgorithmSpec { return []AlgorithmSpec{ "RSAES_PKCS1_V1_5", @@ -23,6 +25,7 @@ func (AlgorithmSpec) Values() []AlgorithmSpec { "RSAES_OAEP_SHA_256", "RSA_AES_KEY_WRAP_SHA_1", "RSA_AES_KEY_WRAP_SHA_256", + "SM2PKE", } } @@ -51,8 +54,9 @@ const ( ) // Values returns all known values for ConnectionErrorCodeType. Note that this can -// be expanded in the future, and so it is only as up to date as the client. The -// ordering of this slice is not guaranteed to be stable across updates. +// be expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (ConnectionErrorCodeType) Values() []ConnectionErrorCodeType { return []ConnectionErrorCodeType{ "INVALID_CREDENTIALS", 
@@ -88,8 +92,9 @@ const ( ) // Values returns all known values for ConnectionStateType. Note that this can be -// expanded in the future, and so it is only as up to date as the client. The -// ordering of this slice is not guaranteed to be stable across updates. +// expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (ConnectionStateType) Values() []ConnectionStateType { return []ConnectionStateType{ "CONNECTED", @@ -120,8 +125,9 @@ const ( ) // Values returns all known values for CustomerMasterKeySpec. Note that this can -// be expanded in the future, and so it is only as up to date as the client. The -// ordering of this slice is not guaranteed to be stable across updates. +// be expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (CustomerMasterKeySpec) Values() []CustomerMasterKeySpec { return []CustomerMasterKeySpec{ "RSA_2048", @@ -149,8 +155,9 @@ const ( ) // Values returns all known values for CustomKeyStoreType. Note that this can be -// expanded in the future, and so it is only as up to date as the client. The -// ordering of this slice is not guaranteed to be stable across updates. +// expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (CustomKeyStoreType) Values() []CustomKeyStoreType { return []CustomKeyStoreType{ "AWS_CLOUDHSM", 
@@ -173,8 +180,9 @@ const ( ) // Values returns all known values for DataKeyPairSpec. Note that this can be -// expanded in the future, and so it is only as up to date as the client. The -// ordering of this slice is not guaranteed to be stable across updates. +// expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (DataKeyPairSpec) Values() []DataKeyPairSpec { return []DataKeyPairSpec{ "RSA_2048", @@ -197,8 +205,9 @@ const ( ) // Values returns all known values for DataKeySpec. Note that this can be expanded -// in the future, and so it is only as up to date as the client. The ordering of -// this slice is not guaranteed to be stable across updates. +// in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (DataKeySpec) Values() []DataKeySpec { return []DataKeySpec{ "AES_256", @@ -217,8 +226,9 @@ const ( ) // Values returns all known values for EncryptionAlgorithmSpec. Note that this can -// be expanded in the future, and so it is only as up to date as the client. The -// ordering of this slice is not guaranteed to be stable across updates. +// be expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (EncryptionAlgorithmSpec) Values() []EncryptionAlgorithmSpec { return []EncryptionAlgorithmSpec{ "SYMMETRIC_DEFAULT", 
@@ -237,8 +247,9 @@ const ( ) // Values returns all known values for ExpirationModelType. Note that this can be -// expanded in the future, and so it is only as up to date as the client. The -// ordering of this slice is not guaranteed to be stable across updates. +// expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (ExpirationModelType) Values() []ExpirationModelType { return []ExpirationModelType{ "KEY_MATERIAL_EXPIRES", @@ -269,8 +280,9 @@ const ( ) // Values returns all known values for GrantOperation. Note that this can be -// expanded in the future, and so it is only as up to date as the client. The -// ordering of this slice is not guaranteed to be stable across updates. +// expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (GrantOperation) Values() []GrantOperation { return []GrantOperation{ "Decrypt", @@ -300,8 +312,9 @@ const ( ) // Values returns all known values for KeyEncryptionMechanism. Note that this can -// be expanded in the future, and so it is only as up to date as the client. The -// ordering of this slice is not guaranteed to be stable across updates. +// be expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (KeyEncryptionMechanism) Values() []KeyEncryptionMechanism { return []KeyEncryptionMechanism{ "RSAES_OAEP_SHA_256", 
@@ -317,8 +330,9 @@ const ( ) // Values returns all known values for KeyManagerType. Note that this can be -// expanded in the future, and so it is only as up to date as the client. The -// ordering of this slice is not guaranteed to be stable across updates. +// expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (KeyManagerType) Values() []KeyManagerType { return []KeyManagerType{ "AWS", @@ -346,8 +360,9 @@ const ( ) // Values returns all known values for KeySpec. Note that this can be expanded in -// the future, and so it is only as up to date as the client. The ordering of this -// slice is not guaranteed to be stable across updates. +// the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (KeySpec) Values() []KeySpec { return []KeySpec{ "RSA_2048", @@ -381,8 +396,9 @@ const ( ) // Values returns all known values for KeyState. Note that this can be expanded in -// the future, and so it is only as up to date as the client. The ordering of this -// slice is not guaranteed to be stable across updates. +// the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (KeyState) Values() []KeyState { return []KeyState{ "Creating", @@ -406,8 +422,9 @@ const ( ) // Values returns all known values for KeyUsageType. Note that this can be -// expanded in the future, and so it is only as up to date as the client. The -// ordering of this slice is not guaranteed to be stable across updates. +// expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (KeyUsageType) Values() []KeyUsageType { return []KeyUsageType{ "SIGN_VERIFY", 
@@ -427,8 +444,9 @@ const ( ) // Values returns all known values for MacAlgorithmSpec. Note that this can be -// expanded in the future, and so it is only as up to date as the client. The -// ordering of this slice is not guaranteed to be stable across updates. +// expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (MacAlgorithmSpec) Values() []MacAlgorithmSpec { return []MacAlgorithmSpec{ "HMAC_SHA_224", @@ -447,8 +465,9 @@ const ( ) // Values returns all known values for MessageType. Note that this can be expanded -// in the future, and so it is only as up to date as the client. The ordering of -// this slice is not guaranteed to be stable across updates. +// in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (MessageType) Values() []MessageType { return []MessageType{ "RAW", @@ -465,8 +484,9 @@ const ( ) // Values returns all known values for MultiRegionKeyType. Note that this can be -// expanded in the future, and so it is only as up to date as the client. The -// ordering of this slice is not guaranteed to be stable across updates. +// expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (MultiRegionKeyType) Values() []MultiRegionKeyType { return []MultiRegionKeyType{ "PRIMARY", @@ -485,8 +505,9 @@ const ( ) // Values returns all known values for OriginType. Note that this can be expanded -// in the future, and so it is only as up to date as the client. The ordering of -// this slice is not guaranteed to be stable across updates. +// in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (OriginType) Values() []OriginType { return []OriginType{ "AWS_KMS", 
@@ -496,6 +517,25 @@ func (OriginType) Values() []OriginType { } } +type RotationType string + +// Enum values for RotationType +const ( + RotationTypeAutomatic RotationType = "AUTOMATIC" + RotationTypeOnDemand RotationType = "ON_DEMAND" +) + +// Values returns all known values for RotationType. Note that this can be +// expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. +func (RotationType) Values() []RotationType { + return []RotationType{ + "AUTOMATIC", + "ON_DEMAND", + } +} + type SigningAlgorithmSpec string // Enum values for SigningAlgorithmSpec @@ -513,8 +553,9 @@ const ( ) // Values returns all known values for SigningAlgorithmSpec. Note that this can be -// expanded in the future, and so it is only as up to date as the client. The -// ordering of this slice is not guaranteed to be stable across updates. +// expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (SigningAlgorithmSpec) Values() []SigningAlgorithmSpec { return []SigningAlgorithmSpec{ "RSASSA_PSS_SHA_256", @@ -537,16 +578,19 @@ const ( WrappingKeySpecRsa2048 WrappingKeySpec = "RSA_2048" WrappingKeySpecRsa3072 WrappingKeySpec = "RSA_3072" WrappingKeySpecRsa4096 WrappingKeySpec = "RSA_4096" + WrappingKeySpecSm2 WrappingKeySpec = "SM2" ) // Values returns all known values for WrappingKeySpec. Note that this can be -// expanded in the future, and so it is only as up to date as the client. The -// ordering of this slice is not guaranteed to be stable across updates. +// expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. func (WrappingKeySpec) Values() []WrappingKeySpec { return []WrappingKeySpec{ "RSA_2048", "RSA_3072", "RSA_4096", + "SM2", } } 
@@ -560,6 +604,7 @@ const ( // Values returns all known values for XksProxyConnectivityType. Note that this // can be expanded in the future, and so it is only as up to date as the client. +// // The ordering of this slice is not guaranteed to be stable across updates. func (XksProxyConnectivityType) Values() []XksProxyConnectivityType { return []XksProxyConnectivityType{ diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/types/errors.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/types/errors.go index 3421fe7cb64..2221044e458 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/types/errors.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/types/errors.go @@ -37,10 +37,13 @@ func (e *AlreadyExistsException) ErrorFault() smithy.ErrorFault { return smithy. // The request was rejected because the specified CloudHSM cluster is already // associated with an CloudHSM key store in the account, or it shares a backup // history with an CloudHSM key store in the account. Each CloudHSM key store in -// the account must be associated with a different CloudHSM cluster. CloudHSM -// clusters that share a backup history have the same cluster certificate. To view -// the cluster certificate of an CloudHSM cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) +// the account must be associated with a different CloudHSM cluster. +// +// CloudHSM clusters that share a backup history have the same cluster +// certificate. To view the cluster certificate of an CloudHSM cluster, use the [DescribeClusters] // operation. +// +// [DescribeClusters]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html type CloudHsmClusterInUseException struct { Message *string 
@@ -68,30 +71,37 @@ func (e *CloudHsmClusterInUseException) ErrorFault() smithy.ErrorFault { return // The request was rejected because the associated CloudHSM cluster did not meet // the configuration requirements for an CloudHSM key store. +// // - The CloudHSM cluster must be configured with private subnets in at least // two different Availability Zones in the Region. -// - The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) -// (cloudhsm-cluster--sg) must include inbound rules and outbound rules that allow -// TCP traffic on ports 2223-2225. The Source in the inbound rules and the -// Destination in the outbound rules must match the security group ID. These rules -// are set by default when you create the CloudHSM cluster. Do not delete or change -// them. To get information about a particular security group, use the -// DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) +// +// - The [security group for the cluster](cloudhsm-cluster--sg) must include inbound rules and outbound rules +// that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and +// the Destination in the outbound rules must match the security group ID. These +// rules are set by default when you create the CloudHSM cluster. Do not delete or +// change them. To get information about a particular security group, use the [DescribeSecurityGroups] // operation. +// // - The CloudHSM cluster must contain at least as many HSMs as the operation -// requires. To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) -// operation. For the CreateCustomKeyStore , UpdateCustomKeyStore , and CreateKey -// operations, the CloudHSM cluster must have at least two active HSMs, each in a -// different Availability Zone. For the ConnectCustomKeyStore operation, the -// CloudHSM must contain at least one active HSM. 
+// requires. To add HSMs, use the CloudHSM [CreateHsm]operation. +// +// For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKeyoperations, the CloudHSM cluster must have at least two active +// +// HSMs, each in a different Availability Zone. For the ConnectCustomKeyStoreoperation, the CloudHSM +// must contain at least one active HSM. // // For information about the requirements for an CloudHSM cluster that is -// associated with an CloudHSM key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) -// in the Key Management Service Developer Guide. For information about creating a -// private subnet for an CloudHSM cluster, see Create a Private Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) -// in the CloudHSM User Guide. For information about cluster security groups, see -// Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) -// in the CloudHSM User Guide . +// associated with an CloudHSM key store, see [Assemble the Prerequisites]in the Key Management Service +// Developer Guide. For information about creating a private subnet for an CloudHSM +// cluster, see [Create a Private Subnet]in the CloudHSM User Guide. For information about cluster security +// groups, see [Configure a Default Security Group]in the CloudHSM User Guide . 
+// +// [Assemble the Prerequisites]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore +// [Create a Private Subnet]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html +// [Configure a Default Security Group]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html +// [DescribeSecurityGroups]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html +// [CreateHsm]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html +// [security group for the cluster]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html type CloudHsmClusterInvalidConfigurationException struct { Message *string @@ -121,8 +131,9 @@ func (e *CloudHsmClusterInvalidConfigurationException) ErrorFault() smithy.Error // The request was rejected because the CloudHSM cluster associated with the // CloudHSM key store is not active. Initialize and activate the cluster and try -// the command again. For detailed instructions, see Getting Started (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) -// in the CloudHSM User Guide. +// the command again. For detailed instructions, see [Getting Started]in the CloudHSM User Guide. +// +// [Getting Started]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html type CloudHsmClusterNotActiveException struct { Message *string 
@@ -177,13 +188,18 @@ func (e *CloudHsmClusterNotFoundException) ErrorFault() smithy.ErrorFault { retu // The request was rejected because the specified CloudHSM cluster has a different // cluster certificate than the original cluster. You cannot use the operation to -// specify an unrelated cluster for an CloudHSM key store. Specify an CloudHSM -// cluster that shares a backup history with the original cluster. This includes -// clusters that were created from a backup of the current cluster, and clusters -// that were created from the same backup that produced the current cluster. -// CloudHSM clusters that share a backup history have the same cluster certificate. -// To view the cluster certificate of an CloudHSM cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) +// specify an unrelated cluster for an CloudHSM key store. +// +// Specify an CloudHSM cluster that shares a backup history with the original +// cluster. This includes clusters that were created from a backup of the current +// cluster, and clusters that were created from the same backup that produced the +// current cluster. +// +// CloudHSM clusters that share a backup history have the same cluster +// certificate. To view the cluster certificate of an CloudHSM cluster, use the [DescribeClusters] // operation. +// +// [DescribeClusters]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html type CloudHsmClusterNotRelatedException struct { Message *string 
@@ -211,10 +227,36 @@ func (e *CloudHsmClusterNotRelatedException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } +// The request was rejected because an automatic rotation of this key is currently +// in progress or scheduled to begin within the next 20 minutes. +type ConflictException struct { + Message *string + + ErrorCodeOverride *string + + noSmithyDocumentSerde +} + +func (e *ConflictException) Error() string { + return fmt.Sprintf("%s: %s", e.ErrorCode(), e.ErrorMessage()) +} +func (e *ConflictException) ErrorMessage() string { + if e.Message == nil { + return "" + } + return *e.Message +} +func (e *ConflictException) ErrorCode() string { + if e == nil || e.ErrorCodeOverride == nil { + return "ConflictException" + } + return *e.ErrorCodeOverride +} +func (e *ConflictException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } + // The request was rejected because the custom key store contains KMS keys. After -// verifying that you do not need to use the KMS keys, use the ScheduleKeyDeletion -// operation to delete the KMS keys. After they are deleted, you can delete the -// custom key store. +// verifying that you do not need to use the KMS keys, use the ScheduleKeyDeletionoperation to delete +// the KMS keys. After they are deleted, you can delete the custom key store. type CustomKeyStoreHasCMKsException struct { Message *string 
@@ -241,26 +283,30 @@ func (e *CustomKeyStoreHasCMKsException) ErrorCode() string { func (e *CustomKeyStoreHasCMKsException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } // The request was rejected because of the ConnectionState of the custom key -// store. To get the ConnectionState of a custom key store, use the -// DescribeCustomKeyStores operation. This exception is thrown under the following -// conditions: -// - You requested the ConnectCustomKeyStore operation on a custom key store with -// a ConnectionState of DISCONNECTING or FAILED . This operation is valid for all -// other ConnectionState values. To reconnect a custom key store in a FAILED -// state, disconnect it ( DisconnectCustomKeyStore ), then connect it ( -// ConnectCustomKeyStore ). -// - You requested the CreateKey operation in a custom key store that is not -// connected. This operations is valid only when the custom key store -// ConnectionState is CONNECTED . -// - You requested the DisconnectCustomKeyStore operation on a custom key store -// with a ConnectionState of DISCONNECTING or DISCONNECTED . This operation is -// valid for all other ConnectionState values. -// - You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on -// a custom key store that is not disconnected. This operation is valid only when -// the custom key store ConnectionState is DISCONNECTED . -// - You requested the GenerateRandom operation in an CloudHSM key store that is -// not connected. This operation is valid only when the CloudHSM key store -// ConnectionState is CONNECTED . +// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation. +// +// This exception is thrown under the following conditions: +// +// - You requested the ConnectCustomKeyStoreoperation on a custom key store with a ConnectionState of +// DISCONNECTING or FAILED . This operation is valid for all other +// ConnectionState values. 
To reconnect a custom key store in a FAILED state, +// disconnect it (DisconnectCustomKeyStore ), then connect it ( ConnectCustomKeyStore ). +// +// - You requested the CreateKeyoperation in a custom key store that is not connected. +// This operations is valid only when the custom key store ConnectionState is +// CONNECTED . +// +// - You requested the DisconnectCustomKeyStoreoperation on a custom key store with a ConnectionState of +// DISCONNECTING or DISCONNECTED . This operation is valid for all other +// ConnectionState values. +// +// - You requested the UpdateCustomKeyStoreor DeleteCustomKeyStoreoperation on a custom key store that is not +// disconnected. This operation is valid only when the custom key store +// ConnectionState is DISCONNECTED . +// +// - You requested the GenerateRandomoperation in an CloudHSM key store that is not connected. +// This operation is valid only when the CloudHSM key store ConnectionState is +// CONNECTED . type CustomKeyStoreInvalidStateException struct { Message *string @@ -422,9 +468,9 @@ func (e *DryRunOperationException) ErrorCode() string { } func (e *DryRunOperationException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } -// The request was rejected because the specified import token is expired. Use -// GetParametersForImport to get a new import token and public key, use the new -// public key to encrypt the key material, and then try the request again. +// The request was rejected because the specified import token is expired. Use GetParametersForImport to +// get a new import token and public key, use the new public key to encrypt the key +// material, and then try the request again. type ExpiredImportTokenException struct { Message *string 
@@ -451,8 +497,8 @@ func (e *ExpiredImportTokenException) ErrorCode() string { func (e *ExpiredImportTokenException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } // The request was rejected because the specified KMS key cannot decrypt the data. -// The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request must -// identify the same KMS key that was used to encrypt the ciphertext. +// The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request must identify the +// same KMS key that was used to encrypt the ciphertext. type IncorrectKeyException struct { Message *string @@ -508,9 +554,12 @@ func (e *IncorrectKeyMaterialException) ErrorFault() smithy.ErrorFault { return // The request was rejected because the trust anchor certificate in the request to // create an CloudHSM key store is not the trust anchor certificate for the -// specified CloudHSM cluster. When you initialize the CloudHSM cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr) -// , you create the trust anchor certificate and save it in the customerCA.crt -// file. +// specified CloudHSM cluster. +// +// When you [initialize the CloudHSM cluster], you create the trust anchor certificate and save it in the +// customerCA.crt file. +// +// [initialize the CloudHSM cluster]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr type IncorrectTrustAnchorException struct { Message *string 
@@ -589,11 +638,12 @@ func (e *InvalidArnException) ErrorCode() string { } func (e *InvalidArnException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } -// From the Decrypt or ReEncrypt operation, the request was rejected because the -// specified ciphertext, or additional authenticated data incorporated into the -// ciphertext, such as the encryption context, is corrupted, missing, or otherwise -// invalid. From the ImportKeyMaterial operation, the request was rejected because -// KMS could not decrypt the encrypted (wrapped) key material. +// From the Decrypt or ReEncrypt operation, the request was rejected because the specified +// ciphertext, or additional authenticated data incorporated into the ciphertext, +// such as the encryption context, is corrupted, missing, or otherwise invalid. +// +// From the ImportKeyMaterial operation, the request was rejected because KMS could not decrypt the +// encrypted (wrapped) key material. type InvalidCiphertextException struct { Message *string @@ -699,7 +749,9 @@ func (e *InvalidImportTokenException) ErrorCode() string { func (e *InvalidImportTokenException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } // The request was rejected for one of the following reasons: +// // - The KeyUsage value of the KMS key is incompatible with the API operation. +// // - The encryption algorithm or signing algorithm specified for the operation // is incompatible with the type of key material in the KMS key (KeySpec ). // 
@@ -707,9 +759,10 @@ func (e *InvalidImportTokenException) ErrorFault() smithy.ErrorFault { return sm // KeyUsage must be ENCRYPT_DECRYPT . For signing and verifying messages, the // KeyUsage must be SIGN_VERIFY . For generating and verifying message // authentication codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC . To find -// the KeyUsage of a KMS key, use the DescribeKey operation. To find the -// encryption or signing algorithms supported for a particular KMS key, use the -// DescribeKey operation. +// the KeyUsage of a KMS key, use the DescribeKey operation. +// +// To find the encryption or signing algorithms supported for a particular KMS +// key, use the DescribeKeyoperation. type InvalidKeyUsageException struct { Message *string 
@@ -873,14 +926,22 @@ func (e *KMSInvalidSignatureException) ErrorCode() string { func (e *KMSInvalidSignatureException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } // The request was rejected because the state of the specified resource is not -// valid for this request. This exceptions means one of the following: -// - The key state of the KMS key is not compatible with the operation. To find -// the key state, use the DescribeKey operation. For more information about which -// key states are compatible with each KMS operation, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the Key Management Service Developer Guide . -// - For cryptographic operations on KMS keys in custom key stores, this -// exception represents a general failure with many possible causes. To identify -// the cause, see the error message that accompanies the exception. +// valid for this request. +// +// This exceptions means one of the following: +// +// - The key state of the KMS key is not compatible with the operation. +// +// To find the key state, use the DescribeKeyoperation. For more information about which key +// +// states are compatible with each KMS operation, see [Key states of KMS keys]in the Key Management +// Service Developer Guide . +// +// - For cryptographic operations on KMS keys in custom key stores, this +// exception represents a general failure with many possible causes. To identify +// the cause, see the error message that accompanies the exception. +// +// [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html type KMSInvalidStateException struct { Message *string 
@@ -907,8 +968,9 @@ func (e *KMSInvalidStateException) ErrorCode() string { func (e *KMSInvalidStateException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } // The request was rejected because a quota was exceeded. For more information, -// see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) -// in the Key Management Service Developer Guide. +// see [Quotas]in the Key Management Service Developer Guide. +// +// [Quotas]: https://docs.aws.amazon.com/kms/latest/developerguide/limits.html type LimitExceededException struct { Message *string @@ -1071,6 +1133,7 @@ func (e *XksKeyAlreadyInUseException) ErrorFault() smithy.ErrorFault { return sm // The request was rejected because the external key specified by the XksKeyId // parameter did not meet the configuration requirements for an external key store. +// // The external key must be an AES-256 symmetric key that is enabled and performs // encryption and decryption. type XksKeyInvalidConfigurationException struct { 
@@ -1103,10 +1166,12 @@ func (e *XksKeyInvalidConfigurationException) ErrorFault() smithy.ErrorFault { // The request was rejected because the external key store proxy could not find // the external key. This exception is thrown when the value of the XksKeyId // parameter doesn't identify a key in the external key manager associated with the -// external key proxy. Verify that the XksKeyId represents an existing key in the -// external key manager. Use the key identifier that the external key store proxy -// uses to identify the key. For details, see the documentation provided with your -// external key store proxy or key manager. +// external key proxy. +// +// Verify that the XksKeyId represents an existing key in the external key +// manager. Use the key identifier that the external key store proxy uses to +// identify the key. For details, see the documentation provided with your external +// key store proxy or key manager. type XksKeyNotFoundException struct { Message *string @@ -1281,8 +1346,9 @@ func (e *XksProxyUriInUseException) ErrorCode() string { func (e *XksProxyUriInUseException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } // KMS was unable to reach the specified XksProxyUriPath . The path must be -// reachable before you create the external key store or update its settings. This -// exception is also thrown when the external key store proxy response to a +// reachable before you create the external key store or update its settings. +// +// This exception is also thrown when the external key store proxy response to a // GetHealthStatus request indicates that all external key manager instances are // unavailable. type XksProxyUriUnreachableException struct { 
@@ -1343,9 +1409,10 @@ func (e *XksProxyVpcEndpointServiceInUseException) ErrorFault() smithy.ErrorFaul // The request was rejected because the Amazon VPC endpoint service configuration // does not fulfill the requirements for an external key store. To identify the -// cause, see the error message that accompanies the exception and review the -// requirements (https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements) -// for Amazon VPC endpoint service connectivity for an external key store. +// cause, see the error message that accompanies the exception and [review the requirements]for Amazon VPC +// endpoint service connectivity for an external key store. +// +// [review the requirements]: https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements type XksProxyVpcEndpointServiceInvalidConfigurationException struct { Message *string @@ -1374,10 +1441,10 @@ func (e *XksProxyVpcEndpointServiceInvalidConfigurationException) ErrorFault() s } // The request was rejected because KMS could not find the specified VPC endpoint -// service. Use DescribeCustomKeyStores to verify the VPC endpoint service name -// for the external key store. Also, confirm that the Allow principals list for -// the VPC endpoint service includes the KMS service principal for the Region, such -// as cks.kms.us-east-1.amazonaws.com . +// service. Use DescribeCustomKeyStoresto verify the VPC endpoint service name for the external key +// store. Also, confirm that the Allow principals list for the VPC endpoint +// service includes the KMS service principal for the Region, such as +// cks.kms.us-east-1.amazonaws.com . type XksProxyVpcEndpointServiceNotFoundException struct { Message *string diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/types/types.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/types/types.go index a5ec972e3e9..a0b3f0bf8ac 100644 
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/types/types.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/types/types.go 
@@ -40,77 +40,93 @@ type CustomKeyStoresListEntry struct { CloudHsmClusterId *string // Describes the connection error. This field appears in the response only when - // the ConnectionState is FAILED . Many failures can be resolved by updating the - // properties of the custom key store. To update a custom key store, disconnect it - // ( DisconnectCustomKeyStore ), correct the errors ( UpdateCustomKeyStore ), and - // try to connect again ( ConnectCustomKeyStore ). For additional help resolving - // these errors, see How to Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed) - // in Key Management Service Developer Guide. All custom key stores: + // the ConnectionState is FAILED . + // + // Many failures can be resolved by updating the properties of the custom key + // store. To update a custom key store, disconnect it (DisconnectCustomKeyStore ), correct the errors (UpdateCustomKeyStore ), + // and try to connect again (ConnectCustomKeyStore ). For additional help resolving these errors, see [How to Fix a Connection Failure] + // in Key Management Service Developer Guide. + // + // All custom key stores: + // // - INTERNAL_ERROR — KMS could not complete the request due to an internal // error. Retry the request. For ConnectCustomKeyStore requests, disconnect the // custom key store before trying to connect again. + // // - NETWORK_ERRORS — Network errors are preventing KMS from connecting the // custom key store to its backing key store. + // // CloudHSM key stores: + // // - CLUSTER_NOT_FOUND — KMS cannot find the CloudHSM cluster with the specified // cluster ID. + // // - INSUFFICIENT_CLOUDHSM_HSMS — The associated CloudHSM cluster does not // contain any active HSMs. To connect a custom key store to its CloudHSM cluster, // the cluster must contain at least one active HSM. 
+ // // - INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET — At least one private subnet // associated with the CloudHSM cluster doesn't have any available IP addresses. A // CloudHSM key store connection requires one free IP address in each of the - // associated private subnets, although two are preferable. For details, see How - // to Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed) - // in the Key Management Service Developer Guide. + // associated private subnets, although two are preferable. For details, see [How to Fix a Connection Failure]in + // the Key Management Service Developer Guide. + // // - INVALID_CREDENTIALS — The KeyStorePassword for the custom key store doesn't // match the current password of the kmsuser crypto user in the CloudHSM cluster. // Before you can connect your custom key store to its CloudHSM cluster, you must // change the kmsuser account password and update the KeyStorePassword value for // the custom key store. + // // - SUBNET_NOT_FOUND — A subnet in the CloudHSM cluster configuration was // deleted. If KMS cannot find all of the subnets in the cluster configuration, // attempts to connect the custom key store to the CloudHSM cluster fail. To fix // this error, create a cluster from a recent backup and associate it with your // custom key store. (This process creates a new cluster configuration with a VPC - // and private subnets.) For details, see How to Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed) - // in the Key Management Service Developer Guide. + // and private subnets.) For details, see [How to Fix a Connection Failure]in the Key Management Service + // Developer Guide. + // // - USER_LOCKED_OUT — The kmsuser CU account is locked out of the associated // CloudHSM cluster due to too many failed password attempts. 
Before you can // connect your custom key store to its CloudHSM cluster, you must change the // kmsuser account password and update the key store password value for the // custom key store. + // // - USER_LOGGED_IN — The kmsuser CU account is logged into the associated // CloudHSM cluster. This prevents KMS from rotating the kmsuser account password // and logging into the cluster. Before you can connect your custom key store to // its CloudHSM cluster, you must log the kmsuser CU out of the cluster. If you // changed the kmsuser password to log into the cluster, you must also and update - // the key store password value for the custom key store. For help, see How to - // Log Out and Reconnect (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2) - // in the Key Management Service Developer Guide. + // the key store password value for the custom key store. For help, see [How to Log Out and Reconnect]in the + // Key Management Service Developer Guide. + // // - USER_NOT_FOUND — KMS cannot find a kmsuser CU account in the associated // CloudHSM cluster. Before you can connect your custom key store to its CloudHSM // cluster, you must create a kmsuser CU account in the cluster, and then update // the key store password value for the custom key store. + // // External key stores: + // // - INVALID_CREDENTIALS — One or both of the XksProxyAuthenticationCredential // values is not valid on the specified external key store proxy. + // // - XKS_PROXY_ACCESS_DENIED — KMS requests are denied access to the external key // store proxy. If the external key store proxy has authorization rules, verify // that they permit KMS to communicate with the proxy on your behalf. + // // - XKS_PROXY_INVALID_CONFIGURATION — A configuration error is preventing the // external key store from connecting to its proxy. Verify the value of the // XksProxyUriPath . 
+ // // - XKS_PROXY_INVALID_RESPONSE — KMS cannot interpret the response from the // external key store proxy. If you see this connection error code repeatedly, // notify your external key store proxy vendor. + // // - XKS_PROXY_INVALID_TLS_CONFIGURATION — KMS cannot connect to the external key // store proxy because the TLS configuration is invalid. Verify that the XKS proxy // supports TLS 1.2 or 1.3. Also, verify that the TLS certificate is not expired, // and that it matches the hostname in the XksProxyUriEndpoint value, and that it - // is signed by a certificate authority included in the Trusted Certificate - // Authorities (https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthorities) - // list. + // is signed by a certificate authority included in the [Trusted Certificate Authorities]list. + // // - XKS_PROXY_NOT_REACHABLE — KMS can't communicate with your external key store // proxy. Verify that the XksProxyUriEndpoint and XksProxyUriPath are correct. // Use the tools for your external key store proxy to verify that the proxy is 
@@ -118,50 +134,70 @@ type CustomKeyStoresListEntry struct { // instances are operating properly. Connection attempts fail with this connection // error code if the proxy reports that all external key manager instances are // unavailable. + // // - XKS_PROXY_TIMED_OUT — KMS can connect to the external key store proxy, but // the proxy does not respond to KMS in the time allotted. If you see this // connection error code repeatedly, notify your external key store proxy vendor. + // // - XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION — The Amazon VPC endpoint // service configuration doesn't conform to the requirements for an KMS external // key store. + // // - The VPC endpoint service must be an endpoint service for interface // endpoints in the caller's Amazon Web Services account. + // // - It must have a network load balancer (NLB) connected to at least two // subnets, each in a different Availability Zone. + // // - The Allow principals list must include the KMS service principal for the // Region, cks.kms..amazonaws.com , such as cks.kms.us-east-1.amazonaws.com . - // - It must not require acceptance (https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) - // of connection requests. + // + // - It must not require [acceptance]of connection requests. + // // - It must have a private DNS name. The private DNS name for an external key // store with VPC_ENDPOINT_SERVICE connectivity must be unique in its Amazon Web // Services Region. - // - The domain of the private DNS name must have a verification status (https://docs.aws.amazon.com/vpc/latest/privatelink/verify-domains.html) - // of verified . - // - The TLS certificate (https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html) - // specifies the private DNS hostname at which the endpoint is reachable. + // + // - The domain of the private DNS name must have a [verification status]of verified . 
+ // + // - The [TLS certificate]specifies the private DNS hostname at which the endpoint is reachable. + // // - XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND — KMS can't find the VPC endpoint service // that it uses to communicate with the external key store proxy. Verify that the // XksProxyVpcEndpointServiceName is correct and the KMS service principal has // service consumer permissions on the Amazon VPC endpoint service. + // + // [acceptance]: https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html + // [verification status]: https://docs.aws.amazon.com/vpc/latest/privatelink/verify-domains.html + // [How to Log Out and Reconnect]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2 + // [TLS certificate]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html + // [Trusted Certificate Authorities]: https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthorities + // [How to Fix a Connection Failure]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed ConnectionErrorCode ConnectionErrorCodeType // Indicates whether the custom key store is connected to its backing key store. // For an CloudHSM key store, the ConnectionState indicates whether it is // connected to its CloudHSM cluster. For an external key store, the // ConnectionState indicates whether it is connected to the external key store - // proxy that communicates with your external key manager. You can create and use - // KMS keys in your custom key stores only when its ConnectionState is CONNECTED . + // proxy that communicates with your external key manager. + // + // You can create and use KMS keys in your custom key stores only when its + // ConnectionState is CONNECTED . + // // The ConnectionState value is DISCONNECTED only if the key store has never been - // connected or you use the DisconnectCustomKeyStore operation to disconnect it. 
- // If the value is CONNECTED but you are having trouble using the custom key - // store, make sure that the backing key store is reachable and active. For an - // CloudHSM key store, verify that its associated CloudHSM cluster is active and - // contains at least one active HSM. For an external key store, verify that the - // external key store proxy and external key manager are connected and enabled. A - // value of FAILED indicates that an attempt to connect was unsuccessful. The + // connected or you use the DisconnectCustomKeyStoreoperation to disconnect it. If the value is CONNECTED + // but you are having trouble using the custom key store, make sure that the + // backing key store is reachable and active. For an CloudHSM key store, verify + // that its associated CloudHSM cluster is active and contains at least one active + // HSM. For an external key store, verify that the external key store proxy and + // external key manager are connected and enabled. + // + // A value of FAILED indicates that an attempt to connect was unsuccessful. The // ConnectionErrorCode field in the response indicates the cause of the failure. - // For help resolving a connection failure, see Troubleshooting a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) - // in the Key Management Service Developer Guide. + // For help resolving a connection failure, see [Troubleshooting a custom key store]in the Key Management Service + // Developer Guide. + // + // [Troubleshooting a custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html ConnectionState ConnectionStateType // The date and time when the custom key store was created. 
@@ -180,53 +216,66 @@ type CustomKeyStoresListEntry struct { CustomKeyStoreType CustomKeyStoreType // The trust anchor certificate of the CloudHSM cluster associated with an - // CloudHSM key store. When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr) - // , you create this certificate and save it in the customerCA.crt file. This - // field appears only when the CustomKeyStoreType is AWS_CLOUDHSM . + // CloudHSM key store. When you [initialize the cluster], you create this certificate and save it in the + // customerCA.crt file. + // + // This field appears only when the CustomKeyStoreType is AWS_CLOUDHSM . + // + // [initialize the cluster]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr TrustAnchorCertificate *string // Configuration settings for the external key store proxy (XKS proxy). The // external key store proxy translates KMS requests into a format that your // external key manager can understand. The proxy configuration includes connection - // information that KMS requires. This field appears only when the - // CustomKeyStoreType is EXTERNAL_KEY_STORE . + // information that KMS requires. + // + // This field appears only when the CustomKeyStoreType is EXTERNAL_KEY_STORE . XksProxyConfiguration *XksProxyConfigurationType noSmithyDocumentSerde } -// Use this structure to allow cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) -// in the grant only when the operation request includes the specified encryption -// context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) -// . KMS applies the grant constraints only to cryptographic operations that -// support an encryption context, that is, all cryptographic operations with a -// symmetric KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks) -// . 
Grant constraints are not applied to operations that do not support an -// encryption context, such as cryptographic operations with asymmetric KMS keys -// and management operations, such as DescribeKey or RetireGrant . In a -// cryptographic operation, the encryption context in the decryption operation must -// be an exact, case-sensitive match for the keys and values in the encryption -// context of the encryption operation. Only the order of the pairs can vary. +// Use this structure to allow [cryptographic operations] in the grant only when the operation request +// includes the specified [encryption context]. +// +// KMS applies the grant constraints only to cryptographic operations that support +// an encryption context, that is, all cryptographic operations with a [symmetric KMS key]. Grant +// constraints are not applied to operations that do not support an encryption +// context, such as cryptographic operations with asymmetric KMS keys and +// management operations, such as DescribeKeyor RetireGrant. +// +// In a cryptographic operation, the encryption context in the decryption +// operation must be an exact, case-sensitive match for the keys and values in the +// encryption context of the encryption operation. Only the order of the pairs can +// vary. +// // However, in a grant constraint, the key in each key-value pair is not case -// sensitive, but the value is case sensitive. To avoid confusion, do not use -// multiple encryption context pairs that differ only by case. To require a fully -// case-sensitive encryption context, use the kms:EncryptionContext: and -// kms:EncryptionContextKeys conditions in an IAM or key policy. For details, see -// kms:EncryptionContext: (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context) -// in the Key Management Service Developer Guide . +// sensitive, but the value is case sensitive. 
+// +// To avoid confusion, do not use multiple encryption context pairs that differ +// only by case. To require a fully case-sensitive encryption context, use the +// kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM or +// key policy. For details, see [kms:EncryptionContext:]in the Key Management Service Developer Guide . +// +// [cryptographic operations]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations +// [kms:EncryptionContext:]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context +// [encryption context]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context +// [symmetric KMS key]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks type GrantConstraints struct { - // A list of key-value pairs that must match the encryption context in the - // cryptographic operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) + // A list of key-value pairs that must match the encryption context in the [cryptographic operation] // request. The grant allows the operation only when the encryption context in the // request is the same as the encryption context specified in this constraint. + // + // [cryptographic operation]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations EncryptionContextEquals map[string]string // A list of key-value pairs that must be included in the encryption context of - // the cryptographic operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) - // request. The grant allows the cryptographic operation only when the encryption - // context in the request includes the key-value pairs specified in this + // the [cryptographic operation]request. 
The grant allows the cryptographic operation only when the + // encryption context in the request includes the key-value pairs specified in this // constraint, although it can include additional key-value pairs. + // + // [cryptographic operation]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations EncryptionContextSubset map[string]string noSmithyDocumentSerde @@ -245,12 +294,15 @@ type GrantListEntry struct { // The unique identifier for the grant. GrantId *string - // The identity that gets the permissions in the grant. The GranteePrincipal field - // in the ListGrants response usually contains the user or role designated as the - // grantee principal in the grant. However, when the grantee principal in the grant - // is an Amazon Web Services service, the GranteePrincipal field contains the - // service principal (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) - // , which might represent several different grantee principals. + // The identity that gets the permissions in the grant. + // + // The GranteePrincipal field in the ListGrants response usually contains the user + // or role designated as the grantee principal in the grant. However, when the + // grantee principal in the grant is an Amazon Web Services service, the + // GranteePrincipal field contains the [service principal], which might represent several different + // grantee principals. + // + // [service principal]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services GranteePrincipal *string // The Amazon Web Services account under which the grant was issued. 
@@ -259,8 +311,8 @@ type GrantListEntry struct { // The unique identifier for the KMS key to which the grant applies. KeyId *string - // The friendly name that identifies the grant. If a name was provided in the - // CreateGrant request, that name is returned. Otherwise this value is null. + // The friendly name that identifies the grant. If a name was provided in the CreateGrant + // request, that name is returned. Otherwise this value is null. Name *string // The list of operations permitted by the grant. @@ -284,8 +336,9 @@ type KeyListEntry struct { noSmithyDocumentSerde } -// Contains metadata about a KMS key. This data type is used as a response element -// for the CreateKey , DescribeKey , and ReplicateKey operations. +// Contains metadata about a KMS key. +// +// This data type is used as a response element for the CreateKey, DescribeKey, and ReplicateKey operations. type KeyMetadata struct { // The globally unique identifier for the KMS key. 
@@ -297,39 +350,45 @@ type KeyMetadata struct { // KMS key. AWSAccountId *string - // The Amazon Resource Name (ARN) of the KMS key. For examples, see Key Management - // Service (KMS) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms) - // in the Example ARNs section of the Amazon Web Services General Reference. + // The Amazon Resource Name (ARN) of the KMS key. For examples, see [Key Management Service (KMS)] in the + // Example ARNs section of the Amazon Web Services General Reference. + // + // [Key Management Service (KMS)]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms Arn *string // The cluster ID of the CloudHSM cluster that contains the key material for the - // KMS key. When you create a KMS key in an CloudHSM custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) - // , KMS creates the key material for the KMS key in the associated CloudHSM - // cluster. This field is present only when the KMS key is created in an CloudHSM - // key store. + // KMS key. When you create a KMS key in an CloudHSM [custom key store], KMS creates the key + // material for the KMS key in the associated CloudHSM cluster. This field is + // present only when the KMS key is created in an CloudHSM key store. + // + // [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html CloudHsmClusterId *string // The date and time when the KMS key was created. CreationDate *time.Time - // A unique identifier for the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) - // that contains the KMS key. This field is present only when the KMS key is - // created in a custom key store. + // A unique identifier for the [custom key store] that contains the KMS key. This field is present + // only when the KMS key is created in a custom key store. 
+ // + // [custom key store]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html CustomKeyStoreId *string - // Instead, use the KeySpec field. The KeySpec and CustomerMasterKeySpec fields - // have the same value. We recommend that you use the KeySpec field in your code. - // However, to avoid breaking changes, KMS supports both fields. + // Instead, use the KeySpec field. + // + // The KeySpec and CustomerMasterKeySpec fields have the same value. We recommend + // that you use the KeySpec field in your code. However, to avoid breaking + // changes, KMS supports both fields. // // Deprecated: This field has been deprecated. Instead, use the KeySpec field. CustomerMasterKeySpec CustomerMasterKeySpec // The date and time after which KMS deletes this KMS key. This value is present // only when the KMS key is scheduled for deletion, that is, when its KeyState is - // PendingDeletion . When the primary key in a multi-Region key is scheduled for - // deletion but still has replica keys, its key state is PendingReplicaDeletion - // and the length of its waiting period is displayed in the - // PendingDeletionWindowInDays field. + // PendingDeletion . + // + // When the primary key in a multi-Region key is scheduled for deletion but still + // has replica keys, its key state is PendingReplicaDeletion and the length of its + // waiting period is displayed in the PendingDeletionWindowInDays field. DeletionDate *time.Time // The description of the KMS key. 
@@ -340,8 +399,9 @@ type KeyMetadata struct { Enabled bool // The encryption algorithms that the KMS key supports. You cannot use the KMS key - // with other encryption algorithms within KMS. This value is present only when the - // KeyUsage of the KMS key is ENCRYPT_DECRYPT . + // with other encryption algorithms within KMS. + // + // This value is present only when the KeyUsage of the KMS key is ENCRYPT_DECRYPT . EncryptionAlgorithms []EncryptionAlgorithmSpec // Specifies whether the KMS key's key material expires. This value is present 
@@ -350,41 +410,53 @@ type KeyMetadata struct { // The manager of the KMS key. KMS keys in your Amazon Web Services account are // either customer managed or Amazon Web Services managed. For more information - // about the difference, see KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys) - // in the Key Management Service Developer Guide. + // about the difference, see [KMS keys]in the Key Management Service Developer Guide. + // + // [KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys KeyManager KeyManagerType // Describes the type of key material in the KMS key. KeySpec KeySpec - // The current status of the KMS key. For more information about how key state - // affects the use of a KMS key, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) - // in the Key Management Service Developer Guide. + // The current status of the KMS key. + // + // For more information about how key state affects the use of a KMS key, see [Key states of KMS keys] in + // the Key Management Service Developer Guide. + // + // [Key states of KMS keys]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html KeyState KeyState - // The cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) - // for which you can use the KMS key. + // The [cryptographic operations] for which you can use the KMS key. + // + // [cryptographic operations]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations KeyUsage KeyUsageType // The message authentication code (MAC) algorithm that the HMAC KMS key supports. + // // This value is present only when the KeyUsage of the KMS key is // GENERATE_VERIFY_MAC . MacAlgorithms []MacAlgorithmSpec // Indicates whether the KMS key is a multi-Region ( True ) or regional ( False ) // key. 
This value is True for multi-Region primary and replica keys and False for - // regional KMS keys. For more information about multi-Region keys, see - // Multi-Region keys in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) - // in the Key Management Service Developer Guide. + // regional KMS keys. + // + // For more information about multi-Region keys, see [Multi-Region keys in KMS] in the Key Management + // Service Developer Guide. + // + // [Multi-Region keys in KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html MultiRegion *bool // Lists the primary and replica keys in same multi-Region key. This field is - // present only when the value of the MultiRegion field is True . For more - // information about any listed KMS key, use the DescribeKey operation. - // - MultiRegionKeyType indicates whether the KMS key is a PRIMARY or REPLICA - // key. + // present only when the value of the MultiRegion field is True . + // + // For more information about any listed KMS key, use the DescribeKey operation. + // + // - MultiRegionKeyType indicates whether the KMS key is a PRIMARY or REPLICA key. + // // - PrimaryKey displays the key ARN and Region of the primary key. This field // displays the current KMS key if it is the primary key. + // // - ReplicaKeys displays the key ARNs and Regions of all replica keys. This // field includes the current KMS key if it is a replica key. MultiRegionConfiguration *MultiRegionConfiguration 
@@ -400,20 +472,22 @@ type KeyMetadata struct { // This waiting period begins when the last of its replica keys is deleted. This // value is present only when the KeyState of the KMS key is PendingReplicaDeletion // . That indicates that the KMS key is the primary key in a multi-Region key, it - // is scheduled for deletion, and it still has existing replica keys. When a - // single-Region KMS key or a multi-Region replica key is scheduled for deletion, - // its deletion date is displayed in the DeletionDate field. However, when the - // primary key in a multi-Region key is scheduled for deletion, its waiting period - // doesn't begin until all of its replica keys are deleted. This value displays - // that waiting period. When the last replica key in the multi-Region key is - // deleted, the KeyState of the scheduled primary key changes from - // PendingReplicaDeletion to PendingDeletion and the deletion date appears in the - // DeletionDate field. + // is scheduled for deletion, and it still has existing replica keys. + // + // When a single-Region KMS key or a multi-Region replica key is scheduled for + // deletion, its deletion date is displayed in the DeletionDate field. However, + // when the primary key in a multi-Region key is scheduled for deletion, its + // waiting period doesn't begin until all of its replica keys are deleted. This + // value displays that waiting period. When the last replica key in the + // multi-Region key is deleted, the KeyState of the scheduled primary key changes + // from PendingReplicaDeletion to PendingDeletion and the deletion date appears in + // the DeletionDate field. PendingDeletionWindowInDays *int32 // The signing algorithms that the KMS key supports. You cannot use the KMS key - // with other signing algorithms within KMS. This field appears only when the - // KeyUsage of the KMS key is SIGN_VERIFY . + // with other signing algorithms within KMS. 
+ // + // This field appears only when the KeyUsage of the KMS key is SIGN_VERIFY . SigningAlgorithms []SigningAlgorithmSpec // The time at which the imported key material expires. When the key material @@ -423,16 +497,20 @@ type KeyMetadata struct { ValidTo *time.Time // Information about the external key that is associated with a KMS key in an - // external key store. For more information, see External key (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key) - // in the Key Management Service Developer Guide. + // external key store. + // + // For more information, see [External key] in the Key Management Service Developer Guide. + // + // [External key]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key XksKeyConfiguration *XksKeyConfigurationType noSmithyDocumentSerde } // Describes the configuration of this multi-Region key. This field appears only -// when the KMS key is a primary or replica of a multi-Region key. For more -// information about any listed KMS key, use the DescribeKey operation. +// when the KMS key is a primary or replica of a multi-Region key. +// +// For more information about any listed KMS key, use the DescribeKey operation. type MultiRegionConfiguration struct { // Indicates whether the KMS key is a PRIMARY or REPLICA key. 
@@ -463,11 +541,14 @@ type MultiRegionKey struct { } // Contains information about the party that receives the response from the API -// operation. This data type is designed to support Amazon Web Services Nitro -// Enclaves, which lets you create an isolated compute environment in Amazon EC2. -// For information about the interaction between KMS and Amazon Web Services Nitro -// Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html) +// operation. +// +// This data type is designed to support Amazon Web Services Nitro Enclaves, which +// lets you create an isolated compute environment in Amazon EC2. For information +// about the interaction between KMS and Amazon Web Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves uses KMS] // in the Key Management Service Developer Guide. +// +// [How Amazon Web Services Nitro Enclaves uses KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html type RecipientInfo struct { // The attestation document for an Amazon Web Services Nitro Enclave. This 
@@ -482,13 +563,34 @@ type RecipientInfo struct {
 noSmithyDocumentSerde
 }
 
+// Contains information about completed key material rotations.
+type RotationsListEntry struct {
+
+ // Unique identifier of the key.
+ KeyId *string
+
+ // Date and time that the key material rotation completed. Formatted as Unix time.
+ RotationDate *time.Time
+
+ // Identifies whether the key material rotation was a scheduled [automatic rotation] or an [on-demand rotation].
+ //
+ // [automatic rotation]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-enable-disable
+ // [on-demand rotation]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-on-demand
+ RotationType RotationType
+
+ noSmithyDocumentSerde
+}
+
 // A key-value pair. A tag consists of a tag key and a tag value. Tag keys and tag
-// values are both required, but tag values can be empty (null) strings. Do not
-// include confidential or sensitive information in this field. This field may be
-// displayed in plaintext in CloudTrail logs and other output. For information
-// about the rules that apply to tag keys and tag values, see User-Defined Tag
-// Restrictions (https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html)
-// in the Amazon Web Services Billing and Cost Management User Guide.
+// values are both required, but tag values can be empty (null) strings.
+//
+// Do not include confidential or sensitive information in this field. This field
+// may be displayed in plaintext in CloudTrail logs and other output.
+//
+// For information about the rules that apply to tag keys and tag values, see [User-Defined Tag Restrictions] in
+// the Amazon Web Services Billing and Cost Management User Guide.
+//
+// [User-Defined Tag Restrictions]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
 type Tag struct {
 
 // The key of the tag.
@@ -504,15 +606,20 @@ type Tag struct {
 noSmithyDocumentSerde
 }
 
-// Information about the external key (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key)
-// that is associated with a KMS key in an external key store. This element appears
-// in a CreateKey or DescribeKey response only for a KMS key in an external key
-// store. The external key is a symmetric encryption key that is hosted by an
-// external key manager outside of Amazon Web Services. When you use the KMS key in
-// an external key store in a cryptographic operation, the cryptographic operation
-// is performed in the external key manager using the specified external key. For
-// more information, see External key (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key)
-// in the Key Management Service Developer Guide.
+// Information about the [external key]that is associated with a KMS key in an external key
+// store.
+//
+// This element appears in a CreateKey or DescribeKey response only for a KMS key in an external key
+// store.
+//
+// The external key is a symmetric encryption key that is hosted by an external
+// key manager outside of Amazon Web Services. When you use the KMS key in an
+// external key store in a cryptographic operation, the cryptographic operation is
+// performed in the external key manager using the specified external key. For more
+// information, see [External key]in the Key Management Service Developer Guide.
+//
+// [External key]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
+// [external key]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
 type XksKeyConfigurationType struct {
 
 // The ID of the external key in its external key manager. This is the ID that the
@@ -524,8 +631,9 @@ type XksKeyConfigurationType struct {
 
 // KMS uses the authentication credential to sign requests that it sends to the
 // external key store proxy (XKS proxy) on your behalf. You establish these
-// credentials on your external key store proxy and report them to KMS. The
-// XksProxyAuthenticationCredential includes two required elements.
+// credentials on your external key store proxy and report them to KMS.
+//
+// The XksProxyAuthenticationCredential includes two required elements.
 type XksProxyAuthenticationCredentialType struct {
 
 // A unique identifier for the raw secret access key.
@@ -544,23 +652,26 @@ type XksProxyAuthenticationCredentialType struct {
 
 // Detailed information about the external key store proxy (XKS proxy). Your
 // external key store proxy translates KMS requests into a format that your
-// external key manager can understand. These fields appear in a
-// DescribeCustomKeyStores response only when the CustomKeyStoreType is
-// EXTERNAL_KEY_STORE .
+// external key manager can understand. These fields appear in a DescribeCustomKeyStoresresponse only
+// when the CustomKeyStoreType is EXTERNAL_KEY_STORE .
 type XksProxyConfigurationType struct {
 
- // The part of the external key store proxy authentication credential (https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html#KMS-CreateCustomKeyStore-request-XksProxyAuthenticationCredential)
- // that uniquely identifies the secret access key.
+ // The part of the external key store [proxy authentication credential] that uniquely identifies the secret access
+ // key.
+ //
+ // [proxy authentication credential]: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html#KMS-CreateCustomKeyStore-request-XksProxyAuthenticationCredential
 AccessKeyId *string
 
 // Indicates whether the external key store proxy uses a public endpoint or an
 // Amazon VPC endpoint service to communicate with KMS.
 Connectivity XksProxyConnectivityType
 
- // The URI endpoint for the external key store proxy. If the external key store
- // proxy has a public endpoint, it is displayed here. If the external key store
- // proxy uses an Amazon VPC endpoint service name, this field displays the private
- // DNS name associated with the VPC endpoint service.
+ // The URI endpoint for the external key store proxy.
+ //
+ // If the external key store proxy has a public endpoint, it is displayed here.
+ //
+ // If the external key store proxy uses an Amazon VPC endpoint service name, this
+ // field displays the private DNS name associated with the VPC endpoint service.
 UriEndpoint *string
 
 // The path to the external key store proxy APIs.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/validators.go b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/validators.go
index 9ca3bd5824a..c4bb2702097 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/kms/validators.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/kms/validators.go
@@ -590,6 +590,26 @@ func (m *validateOpListKeyPolicies) HandleInitialize(ctx context.Context, in mid
 return next.HandleInitialize(ctx, in)
 }
 
+type validateOpListKeyRotations struct {
+}
+
+func (*validateOpListKeyRotations) ID() string {
+ return "OperationInputValidation"
+}
+
+func (m *validateOpListKeyRotations) HandleInitialize(ctx context.Context, in middleware.InitializeInput, next middleware.InitializeHandler) (
+ out middleware.InitializeOutput, metadata middleware.Metadata, err error,
+) {
+ input, ok := in.Parameters.(*ListKeyRotationsInput)
+ if !ok {
+ return out, metadata, fmt.Errorf("unknown input parameters type %T", in.Parameters)
+ }
+ if err := validateOpListKeyRotationsInput(input); err != nil {
+ return out, metadata, err
+ }
+ return next.HandleInitialize(ctx, in)
+}
+
 type validateOpListResourceTags struct {
 }
 
@@ -710,6 +730,26 @@ func (m *validateOpRevokeGrant) HandleInitialize(ctx context.Context, in middlew
 return next.HandleInitialize(ctx, in)
 }
 
+type validateOpRotateKeyOnDemand struct {
+}
+
+func (*validateOpRotateKeyOnDemand) ID() string {
+ return "OperationInputValidation"
+}
+
+func (m *validateOpRotateKeyOnDemand) HandleInitialize(ctx context.Context, in middleware.InitializeInput, next middleware.InitializeHandler) (
+ out middleware.InitializeOutput, metadata middleware.Metadata, err error,
+) {
+ input, ok := in.Parameters.(*RotateKeyOnDemandInput)
+ if !ok {
+ return out, metadata, fmt.Errorf("unknown input parameters type %T", in.Parameters)
+ }
+ if err := validateOpRotateKeyOnDemandInput(input); err != nil {
+ return out, metadata, err
+ }
+ return next.HandleInitialize(ctx, in)
+}
+
 type validateOpScheduleKeyDeletion struct {
 }
 
@@ -1026,6 +1066,10 @@ func addOpListKeyPoliciesValidationMiddleware(stack *middleware.Stack) error {
 return stack.Initialize.Add(&validateOpListKeyPolicies{}, middleware.After)
 }
 
+func addOpListKeyRotationsValidationMiddleware(stack *middleware.Stack) error {
+ return stack.Initialize.Add(&validateOpListKeyRotations{}, middleware.After)
+}
+
 func addOpListResourceTagsValidationMiddleware(stack *middleware.Stack) error {
 return stack.Initialize.Add(&validateOpListResourceTags{}, middleware.After)
 }
@@ -1050,6 +1094,10 @@ func addOpRevokeGrantValidationMiddleware(stack *middleware.Stack) error {
 return stack.Initialize.Add(&validateOpRevokeGrant{}, middleware.After)
 }
 
+func addOpRotateKeyOnDemandValidationMiddleware(stack *middleware.Stack) error {
+ return stack.Initialize.Add(&validateOpRotateKeyOnDemand{}, middleware.After)
+}
+
 func addOpScheduleKeyDeletionValidationMiddleware(stack *middleware.Stack) error {
 return stack.Initialize.Add(&validateOpScheduleKeyDeletion{}, middleware.After)
 }
@@ -1621,6 +1669,21 @@ func validateOpListKeyPoliciesInput(v *ListKeyPoliciesInput) error {
 }
 }
 
+func validateOpListKeyRotationsInput(v *ListKeyRotationsInput) error {
+ if v == nil {
+ return nil
+ }
+ invalidParams := smithy.InvalidParamsError{Context: "ListKeyRotationsInput"}
+ if v.KeyId == nil {
+ invalidParams.Add(smithy.NewErrParamRequired("KeyId"))
+ }
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ } else {
+ return nil
+ }
+}
+
 func validateOpListResourceTagsInput(v *ListResourceTagsInput) error {
 if v == nil {
 return nil
@@ -1728,6 +1791,21 @@ func validateOpRevokeGrantInput(v *RevokeGrantInput) error {
 }
 }
 
+func validateOpRotateKeyOnDemandInput(v *RotateKeyOnDemandInput) error {
+ if v == nil {
+ return nil
+ }
+ invalidParams := smithy.InvalidParamsError{Context: "RotateKeyOnDemandInput"}
+ if v.KeyId == nil {
+ invalidParams.Add(smithy.NewErrParamRequired("KeyId"))
+ }
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ } else {
+ return nil
+ }
+}
+
 func validateOpScheduleKeyDeletionInput(v *ScheduleKeyDeletionInput) error {
 if v == nil {
 return nil
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md
index 5a5083094b5..d477f4212fc 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md
@@ -1,3 +1,27 @@
+# v1.20.9 (2024-05-23)
+
+* No change notes available for this release.
+
+# v1.20.8 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.20.7 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.20.6 (2024-05-08)
+
+* **Bug Fix**: GoDoc improvement
+
+# v1.20.5 (2024-04-05)
+
+* No change notes available for this release.
+
+# v1.20.4 (2024-03-29)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.20.3 (2024-03-18)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_GetRoleCredentials.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_GetRoleCredentials.go
index 4b21e8b00a9..44ad9ff1d23 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_GetRoleCredentials.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_GetRoleCredentials.go
@@ -30,9 +30,10 @@ func (c *Client) GetRoleCredentials(ctx context.Context, params *GetRoleCredenti
 
 type GetRoleCredentialsInput struct {
 
- // The token issued by the CreateToken API call. For more information, see
- // CreateToken (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html)
- // in the IAM Identity Center OIDC API Reference Guide.
+ // The token issued by the CreateToken API call. For more information, see [CreateToken] in the
+ // IAM Identity Center OIDC API Reference Guide.
+ //
+ // [CreateToken]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html
 //
 // This member is required.
 AccessToken *string
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccountRoles.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccountRoles.go
index e44da697c55..5861c9bbccb 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccountRoles.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccountRoles.go
@@ -29,9 +29,10 @@ func (c *Client) ListAccountRoles(ctx context.Context, params *ListAccountRolesI
 
 type ListAccountRolesInput struct {
 
- // The token issued by the CreateToken API call. For more information, see
- // CreateToken (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html)
- // in the IAM Identity Center OIDC API Reference Guide.
+ // The token issued by the CreateToken API call. For more information, see [CreateToken] in the
+ // IAM Identity Center OIDC API Reference Guide.
+ //
+ // [CreateToken]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html
 //
 // This member is required.
 AccessToken *string
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccounts.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccounts.go
index 2d7add067fa..7f2b2397879 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccounts.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccounts.go
@@ -12,9 +12,10 @@ import (
 )
 
 // Lists all AWS accounts assigned to the user. These AWS accounts are assigned by
-// the administrator of the account. For more information, see Assign User Access (https://docs.aws.amazon.com/singlesignon/latest/userguide/useraccess.html#assignusers)
-// in the IAM Identity Center User Guide. This operation returns a paginated
-// response.
+// the administrator of the account. For more information, see [Assign User Access]in the IAM Identity
+// Center User Guide. This operation returns a paginated response.
+//
+// [Assign User Access]: https://docs.aws.amazon.com/singlesignon/latest/userguide/useraccess.html#assignusers
 func (c *Client) ListAccounts(ctx context.Context, params *ListAccountsInput, optFns ...func(*Options)) (*ListAccountsOutput, error) {
 if params == nil {
 params = &ListAccountsInput{}
@@ -32,9 +33,10 @@ func (c *Client) ListAccounts(ctx context.Context, params *ListAccountsInput, op
 
 type ListAccountsInput struct {
 
- // The token issued by the CreateToken API call. For more information, see
- // CreateToken (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html)
- // in the IAM Identity Center OIDC API Reference Guide.
+ // The token issued by the CreateToken API call. For more information, see [CreateToken] in the
+ // IAM Identity Center OIDC API Reference Guide.
+ //
+ // [CreateToken]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html
 //
 // This member is required.
 AccessToken *string
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_Logout.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_Logout.go
index 3ee682d19e0..65f582a8747 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_Logout.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_Logout.go
@@ -12,16 +12,20 @@ import (
 
 // Removes the locally stored SSO tokens from the client-side cache and sends an
 // API call to the IAM Identity Center service to invalidate the corresponding
-// server-side IAM Identity Center sign in session. If a user uses IAM Identity
-// Center to access the AWS CLI, the user’s IAM Identity Center sign in session is
-// used to obtain an IAM session, as specified in the corresponding IAM Identity
-// Center permission set. More specifically, IAM Identity Center assumes an IAM
-// role in the target account on behalf of the user, and the corresponding
-// temporary AWS credentials are returned to the client. After user logout, any
-// existing IAM role sessions that were created by using IAM Identity Center
-// permission sets continue based on the duration configured in the permission set.
-// For more information, see User authentications (https://docs.aws.amazon.com/singlesignon/latest/userguide/authconcept.html)
-// in the IAM Identity Center User Guide.
+// server-side IAM Identity Center sign in session.
+//
+// If a user uses IAM Identity Center to access the AWS CLI, the user’s IAM
+// Identity Center sign in session is used to obtain an IAM session, as specified
+// in the corresponding IAM Identity Center permission set. More specifically, IAM
+// Identity Center assumes an IAM role in the target account on behalf of the user,
+// and the corresponding temporary AWS credentials are returned to the client.
+//
+// After user logout, any existing IAM role sessions that were created by using
+// IAM Identity Center permission sets continue based on the duration configured in
+// the permission set. For more information, see [User authentications]in the IAM Identity Center User
+// Guide.
+//
+// [User authentications]: https://docs.aws.amazon.com/singlesignon/latest/userguide/authconcept.html
 func (c *Client) Logout(ctx context.Context, params *LogoutInput, optFns ...func(*Options)) (*LogoutOutput, error) {
 if params == nil {
 params = &LogoutInput{}
@@ -39,9 +43,10 @@ func (c *Client) Logout(ctx context.Context, params *LogoutInput, optFns ...func
 
 type LogoutInput struct {
 
- // The token issued by the CreateToken API call. For more information, see
- // CreateToken (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html)
- // in the IAM Identity Center OIDC API Reference Guide.
+ // The token issued by the CreateToken API call. For more information, see [CreateToken] in the
+ // IAM Identity Center OIDC API Reference Guide.
+ //
+ // [CreateToken]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html
 //
 // This member is required.
 AccessToken *string
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/deserializers.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/deserializers.go
index 8bba205f435..d6297fa6a15 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/deserializers.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/deserializers.go
@@ -13,12 +13,22 @@ import (
 smithyio "github.com/aws/smithy-go/io"
 "github.com/aws/smithy-go/middleware"
 "github.com/aws/smithy-go/ptr"
+ smithytime "github.com/aws/smithy-go/time"
 smithyhttp "github.com/aws/smithy-go/transport/http"
 "io"
 "io/ioutil"
 "strings"
+ "time"
 )
 
+func deserializeS3Expires(v string) (*time.Time, error) {
+ t, err := smithytime.ParseHTTPDate(v)
+ if err != nil {
+ return nil, nil
+ }
+ return &t, nil
+}
+
 type awsRestjson1_deserializeOpGetRoleCredentials struct {
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/doc.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/doc.go
index 59456d5dc27..7f6e429fda8 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/doc.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/doc.go 
@@ -6,16 +6,22 @@
 // AWS IAM Identity Center (successor to AWS Single Sign-On) Portal is a web
 // service that makes it easy for you to assign user access to IAM Identity Center
 // resources such as the AWS access portal. Users can get AWS account applications
-// and roles assigned to them and get federated into the application. Although AWS
-// Single Sign-On was renamed, the sso and identitystore API namespaces will
-// continue to retain their original name for backward compatibility purposes. For
-// more information, see IAM Identity Center rename (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed)
-// . This reference guide describes the IAM Identity Center Portal operations that
+// and roles assigned to them and get federated into the application.
+//
+// Although AWS Single Sign-On was renamed, the sso and identitystore API
+// namespaces will continue to retain their original name for backward
+// compatibility purposes. For more information, see [IAM Identity Center rename].
+//
+// This reference guide describes the IAM Identity Center Portal operations that
 // you can call programatically and includes detailed information on data types and
-// errors. AWS provides SDKs that consist of libraries and sample code for various
+// errors.
+//
+// AWS provides SDKs that consist of libraries and sample code for various
 // programming languages and platforms, such as Java, Ruby, .Net, iOS, or Android.
 // The SDKs provide a convenient way to create programmatic access to IAM Identity
 // Center and other AWS services. For more information about the AWS SDKs,
-// including how to download and install them, see Tools for Amazon Web Services (http://aws.amazon.com/tools/)
-// .
+// including how to download and install them, see [Tools for Amazon Web Services].
+//
+// [Tools for Amazon Web Services]: http://aws.amazon.com/tools/
+// [IAM Identity Center rename]: https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed
 package sso
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go
index e98c0f328e5..e9adaf46aa4 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go
@@ -3,4 +3,4 @@
 package sso
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.20.3"
+const goModuleVersion = "1.20.9"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints/endpoints.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints/endpoints.go
index 0a00b256e10..2c3a77ce306 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints/endpoints.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints/endpoints.go
@@ -187,6 +187,14 @@ var defaultPartitions = endpoints.Partitions{
 Region: "ap-south-1",
 },
 },
+ endpoints.EndpointKey{
+ Region: "ap-south-2",
+ }: endpoints.Endpoint{
+ Hostname: "portal.sso.ap-south-2.amazonaws.com",
+ CredentialScope: endpoints.CredentialScope{
+ Region: "ap-south-2",
+ },
+ },
 endpoints.EndpointKey{
 Region: "ap-southeast-1",
 }: endpoints.Endpoint{
@@ -259,6 +267,14 @@ var defaultPartitions = endpoints.Partitions{
 Region: "eu-south-1",
 },
 },
+ endpoints.EndpointKey{
+ Region: "eu-south-2",
+ }: endpoints.Endpoint{
+ Hostname: "portal.sso.eu-south-2.amazonaws.com",
+ CredentialScope: endpoints.CredentialScope{
+ Region: "eu-south-2",
+ },
+ },
 endpoints.EndpointKey{
 Region: "eu-west-1",
 }: endpoints.Endpoint{
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/options.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/options.go
index 5dee7e53f47..3561c443086 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/options.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/options.go
@@ -50,8 +50,10 @@ type Options struct {
 // Deprecated: Deprecated: EndpointResolver and WithEndpointResolver. Providing a
 // value for this field will likely prevent you from using any endpoint-related
 // service features released after the introduction of EndpointResolverV2 and
- // BaseEndpoint. To migrate an EndpointResolver implementation that uses a custom
- // endpoint, set the client option BaseEndpoint instead.
+ // BaseEndpoint.
+ //
+ // To migrate an EndpointResolver implementation that uses a custom endpoint, set
+ // the client option BaseEndpoint instead.
 EndpointResolver EndpointResolver
 
 // Resolves the endpoint used for a particular service operation. This should be
@@ -70,17 +72,20 @@ type Options struct {
 // RetryMaxAttempts specifies the maximum number attempts an API client will call
 // an operation that fails with a retryable error. A value of 0 is ignored, and
 // will not be used to configure the API client created default retryer, or modify
- // per operation call's retry max attempts. If specified in an operation call's
- // functional options with a value that is different than the constructed client's
- // Options, the Client's Retryer will be wrapped to use the operation's specific
- // RetryMaxAttempts value.
+ // per operation call's retry max attempts.
+ //
+ // If specified in an operation call's functional options with a value that is
+ // different than the constructed client's Options, the Client's Retryer will be
+ // wrapped to use the operation's specific RetryMaxAttempts value.
 RetryMaxAttempts int
 
 // RetryMode specifies the retry mode the API client will be created with, if
- // Retryer option is not also specified. When creating a new API Clients this
- // member will only be used if the Retryer Options member is nil. This value will
- // be ignored if Retryer is not nil. Currently does not support per operation call
- // overrides, may in the future.
+ // Retryer option is not also specified.
+ //
+ // When creating a new API Clients this member will only be used if the Retryer
+ // Options member is nil. This value will be ignored if Retryer is not nil.
+ //
+ // Currently does not support per operation call overrides, may in the future.
 RetryMode aws.RetryMode
 
 // Retryer guides how HTTP requests should be retried in case of recoverable
@@ -97,8 +102,9 @@ type Options struct {
 
 // The initial DefaultsMode used when the client options were constructed. If the
 // DefaultsMode was set to aws.DefaultsModeAuto this will store what the resolved
- // value was at that point in time. Currently does not support per operation call
- // overrides, may in the future.
+ // value was at that point in time.
+ //
+ // Currently does not support per operation call overrides, may in the future.
 resolvedDefaultsMode aws.DefaultsMode
 
 // The HTTP client to invoke API calls with. Defaults to client's default HTTP
@@ -143,6 +149,7 @@ func WithAPIOptions(optFns ...func(*middleware.Stack) error) func(*Options) {
 // Deprecated: EndpointResolver and WithEndpointResolver. Providing a value for
 // this field will likely prevent you from using any endpoint-related service
 // features released after the introduction of EndpointResolverV2 and BaseEndpoint.
+//
 // To migrate an EndpointResolver implementation that uses a custom endpoint, set
 // the client option BaseEndpoint instead.
 func WithEndpointResolver(v EndpointResolver) func(*Options) {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/types/types.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/types/types.go
index 8dc02296b11..07ac468e318 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/types/types.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/types/types.go
@@ -25,22 +25,24 @@ type AccountInfo struct {
 type RoleCredentials struct {
 
 // The identifier used for the temporary security credentials. For more
- // information, see Using Temporary Security Credentials to Request Access to AWS
- // Resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html)
- // in the AWS IAM User Guide.
+ // information, see [Using Temporary Security Credentials to Request Access to AWS Resources]in the AWS IAM User Guide.
+ //
+ // [Using Temporary Security Credentials to Request Access to AWS Resources]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
 AccessKeyId *string
 
 // The date on which temporary security credentials expire.
 Expiration int64
 
- // The key that is used to sign the request. For more information, see Using
- // Temporary Security Credentials to Request Access to AWS Resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html)
- // in the AWS IAM User Guide.
+ // The key that is used to sign the request. For more information, see [Using Temporary Security Credentials to Request Access to AWS Resources] in the AWS
+ // IAM User Guide.
+ //
+ // [Using Temporary Security Credentials to Request Access to AWS Resources]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
 SecretAccessKey *string
 
- // The token used for temporary credentials. For more information, see Using
- // Temporary Security Credentials to Request Access to AWS Resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html)
- // in the AWS IAM User Guide.
+ // The token used for temporary credentials. For more information, see [Using Temporary Security Credentials to Request Access to AWS Resources] in the AWS
+ // IAM User Guide.
+ //
+ // [Using Temporary Security Credentials to Request Access to AWS Resources]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
 SessionToken *string
 
 noSmithyDocumentSerde
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md
index c6d5ae92e37..b70701a5287 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md
@@ -1,3 +1,27 @@
+# v1.24.3 (2024-05-23)
+
+* No change notes available for this release.
+
+# v1.24.2 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.1 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.0 (2024-05-10)
+
+* **Feature**: Updated request parameters for PKCE support.
+
+# v1.23.5 (2024-05-08)
+
+* **Bug Fix**: GoDoc improvement
+
+# v1.23.4 (2024-03-29)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.23.3 (2024-03-18)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateToken.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateToken.go
index 63f1eeb1312..393ab84b043 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateToken.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateToken.go
@@ -32,34 +32,43 @@ func (c *Client) CreateToken(ctx context.Context, params *CreateTokenInput, optF type CreateTokenInput struct { // The unique identifier string for the client or application. This value comes - // from the result of the RegisterClient API. + // from the result of the RegisterClientAPI. // // This member is required. ClientId *string // A secret string generated for the client. This value should come from the - // persisted result of the RegisterClient API. + // persisted result of the RegisterClientAPI. // // This member is required. ClientSecret *string // Supports the following OAuth grant types: Device Code and Refresh Token. // Specify either of the following values, depending on the grant type that you - // want: * Device Code - urn:ietf:params:oauth:grant-type:device_code * Refresh - // Token - refresh_token For information about how to obtain the device code, see - // the StartDeviceAuthorization topic. + // want: + // + // * Device Code - urn:ietf:params:oauth:grant-type:device_code + // + // * Refresh Token - refresh_token + // + // For information about how to obtain the device code, see the StartDeviceAuthorization topic. // // This member is required. GrantType *string // Used only when calling this API for the Authorization Code grant type. The // short-term code is used to identify this authorization request. This grant type - // is currently unsupported for the CreateToken API. + // is currently unsupported for the CreateTokenAPI. Code *string + // Used only when calling this API for the Authorization Code grant type. This + // value is generated by the client and presented to validate the original code + // challenge value the client passed at authorization time. + CodeVerifier *string + // Used only when calling this API for the Device Code grant type. This short-term // code is used to identify this authorization request. This comes from the result - // of the StartDeviceAuthorization API. 
+ // of the StartDeviceAuthorizationAPI. DeviceCode *string // Used only when calling this API for the Authorization Code grant type. This @@ -69,16 +78,18 @@ type CreateTokenInput struct { // Used only when calling this API for the Refresh Token grant type. This token is // used to refresh short-term tokens, such as the access token, that might expire. + // // For more information about the features and limitations of the current IAM // Identity Center OIDC implementation, see Considerations for Using this Guide in - // the IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html) - // . + // the [IAM Identity Center OIDC API Reference]. + // + // [IAM Identity Center OIDC API Reference]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html RefreshToken *string // The list of scopes for which authorization is requested. The access token that // is issued is limited to the scopes that are granted. If this value is not // specified, IAM Identity Center authorizes all scopes that are configured for the - // client during the call to RegisterClient . + // client during the call to RegisterClient. Scope []string noSmithyDocumentSerde @@ -86,7 +97,8 @@ type CreateTokenInput struct { type CreateTokenOutput struct { - // A bearer token to access AWS accounts and applications assigned to a user. + // A bearer token to access Amazon Web Services accounts and applications assigned + // to a user. AccessToken *string // Indicates the time in seconds when an access token will expire. 
@@ -94,18 +106,22 @@ type CreateTokenOutput struct { // The idToken is not implemented or supported. For more information about the // features and limitations of the current IAM Identity Center OIDC implementation, - // see Considerations for Using this Guide in the IAM Identity Center OIDC API - // Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html) - // . A JSON Web Token (JWT) that identifies who is associated with the issued - // access token. + // see Considerations for Using this Guide in the [IAM Identity Center OIDC API Reference]. + // + // A JSON Web Token (JWT) that identifies who is associated with the issued access + // token. + // + // [IAM Identity Center OIDC API Reference]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html IdToken *string // A token that, if present, can be used to refresh a previously issued access - // token that might have expired. For more information about the features and - // limitations of the current IAM Identity Center OIDC implementation, see - // Considerations for Using this Guide in the IAM Identity Center OIDC API - // Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html) - // . + // token that might have expired. + // + // For more information about the features and limitations of the current IAM + // Identity Center OIDC implementation, see Considerations for Using this Guide in + // the [IAM Identity Center OIDC API Reference]. + // + // [IAM Identity Center OIDC API Reference]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html RefreshToken *string // Used to notify the client that the returned token is an access token. The diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateTokenWithIAM.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateTokenWithIAM.go index 63409538940..1d54f14d804 100644 
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateTokenWithIAM.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateTokenWithIAM.go @@ -12,8 +12,8 @@ import ( // Creates and returns access and refresh tokens for clients and applications that // are authenticated using IAM entities. The access token can be used to fetch -// short-term credentials for the assigned AWS accounts or to access application -// APIs using bearer authentication. +// short-term credentials for the assigned Amazon Web Services accounts or to +// access application APIs using bearer authentication. func (c *Client) CreateTokenWithIAM(ctx context.Context, params *CreateTokenWithIAMInput, optFns ...func(*Options)) (*CreateTokenWithIAMOutput, error) { if params == nil { params = &CreateTokenWithIAMInput{} @@ -39,10 +39,15 @@ type CreateTokenWithIAMInput struct { // Supports the following OAuth grant types: Authorization Code, Refresh Token, // JWT Bearer, and Token Exchange. Specify one of the following values, depending - // on the grant type that you want: * Authorization Code - authorization_code * - // Refresh Token - refresh_token * JWT Bearer - - // urn:ietf:params:oauth:grant-type:jwt-bearer * Token Exchange - - // urn:ietf:params:oauth:grant-type:token-exchange + // on the grant type that you want: + // + // * Authorization Code - authorization_code + // + // * Refresh Token - refresh_token + // + // * JWT Bearer - urn:ietf:params:oauth:grant-type:jwt-bearer + // + // * Token Exchange - urn:ietf:params:oauth:grant-type:token-exchange // // This member is required. GrantType *string 
@@ -59,6 +64,11 @@ type CreateTokenWithIAMInput struct { // in the Authorization Code GrantOptions for the application. Code *string + // Used only when calling this API for the Authorization Code grant type. This + // value is generated by the client and presented to validate the original code + // challenge value the client passed at authorization time. + CodeVerifier *string + // Used only when calling this API for the Authorization Code grant type. This // value specifies the location of the client or application that has registered to // receive the authorization code. @@ -66,16 +76,21 @@ type CreateTokenWithIAMInput struct { // Used only when calling this API for the Refresh Token grant type. This token is // used to refresh short-term tokens, such as the access token, that might expire. + // // For more information about the features and limitations of the current IAM // Identity Center OIDC implementation, see Considerations for Using this Guide in - // the IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html) - // . + // the [IAM Identity Center OIDC API Reference]. + // + // [IAM Identity Center OIDC API Reference]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html RefreshToken *string // Used only when calling this API for the Token Exchange grant type. This value // specifies the type of token that the requester can receive. The following values - // are supported: * Access Token - urn:ietf:params:oauth:token-type:access_token * - // Refresh Token - urn:ietf:params:oauth:token-type:refresh_token + // are supported: + // + // * Access Token - urn:ietf:params:oauth:token-type:access_token + // + // * Refresh Token - urn:ietf:params:oauth:token-type:refresh_token RequestedTokenType *string // The list of scopes for which authorization is requested. The access token that 
@@ -94,8 +109,9 @@ type CreateTokenWithIAMInput struct { // Used only when calling this API for the Token Exchange grant type. This value // specifies the type of token that is passed as the subject of the exchange. The - // following value is supported: * Access Token - - // urn:ietf:params:oauth:token-type:access_token + // following value is supported: + // + // * Access Token - urn:ietf:params:oauth:token-type:access_token SubjectTokenType *string noSmithyDocumentSerde @@ -103,7 +119,8 @@ type CreateTokenWithIAMInput struct { type CreateTokenWithIAMOutput struct { - // A bearer token to access AWS accounts and applications assigned to a user. + // A bearer token to access Amazon Web Services accounts and applications assigned + // to a user. AccessToken *string // Indicates the time in seconds when an access token will expire. 
@@ -114,17 +131,21 @@ type CreateTokenWithIAMOutput struct { IdToken *string // Indicates the type of tokens that are issued by IAM Identity Center. The - // following values are supported: * Access Token - - // urn:ietf:params:oauth:token-type:access_token * Refresh Token - - // urn:ietf:params:oauth:token-type:refresh_token + // following values are supported: + // + // * Access Token - urn:ietf:params:oauth:token-type:access_token + // + // * Refresh Token - urn:ietf:params:oauth:token-type:refresh_token IssuedTokenType *string // A token that, if present, can be used to refresh a previously issued access - // token that might have expired. For more information about the features and - // limitations of the current IAM Identity Center OIDC implementation, see - // Considerations for Using this Guide in the IAM Identity Center OIDC API - // Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html) - // . + // token that might have expired. + // + // For more information about the features and limitations of the current IAM + // Identity Center OIDC implementation, see Considerations for Using this Guide in + // the [IAM Identity Center OIDC API Reference]. + // + // [IAM Identity Center OIDC API Reference]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html RefreshToken *string // The list of scopes for which authorization is granted. The access token that is diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_RegisterClient.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_RegisterClient.go index 09f016ec1ef..9daccf79b8c 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_RegisterClient.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_RegisterClient.go 
@@ -41,6 +41,25 @@ type RegisterClientInput struct { // This member is required. ClientType *string + // This IAM Identity Center application ARN is used to define + // administrator-managed configuration for public client access to resources. At + // authorization, the scopes, grants, and redirect URI available to this client + // will be restricted by this application resource. + EntitledApplicationArn *string + + // The list of OAuth 2.0 grant types that are defined by the client. This list is + // used to restrict the token granting flows available to the client. + GrantTypes []string + + // The IAM Identity Center Issuer URL associated with an instance of IAM Identity + // Center. This value is needed for user access to resources through the client. + IssuerUrl *string + + // The list of redirect URI that are defined by the client. At completion of + // authorization, this list is used to restrict what locations the user agent can + // be redirected back to. + RedirectUris []string + // The list of scopes that are defined by the client. Upon authorization, this // list is used to restrict permissions when granting an access token. Scopes []string diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_StartDeviceAuthorization.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_StartDeviceAuthorization.go index c568805b226..0b727e38b96 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_StartDeviceAuthorization.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_StartDeviceAuthorization.go 
@@ -30,22 +30,23 @@ func (c *Client) StartDeviceAuthorization(ctx context.Context, params *StartDevi type StartDeviceAuthorizationInput struct { // The unique identifier string for the client that is registered with IAM - // Identity Center. This value should come from the persisted result of the - // RegisterClient API operation. + // Identity Center. This value should come from the persisted result of the RegisterClientAPI + // operation. // // This member is required. ClientId *string // A secret string that is generated for the client. This value should come from - // the persisted result of the RegisterClient API operation. + // the persisted result of the RegisterClientAPI operation. // // This member is required. ClientSecret *string - // The URL for the Amazon Web Services access portal. For more information, see - // Using the Amazon Web Services access portal (https://docs.aws.amazon.com/singlesignon/latest/userguide/using-the-portal.html) + // The URL for the Amazon Web Services access portal. For more information, see [Using the Amazon Web Services access portal] // in the IAM Identity Center User Guide. // + // [Using the Amazon Web Services access portal]: https://docs.aws.amazon.com/singlesignon/latest/userguide/using-the-portal.html + // // This member is required. StartUrl *string diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/deserializers.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/deserializers.go index 76a1160eceb..05e8c6b7e5f 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/deserializers.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/deserializers.go 
@@ -13,11 +13,21 @@ import ( smithyio "github.com/aws/smithy-go/io" "github.com/aws/smithy-go/middleware" "github.com/aws/smithy-go/ptr" + smithytime "github.com/aws/smithy-go/time" smithyhttp "github.com/aws/smithy-go/transport/http" "io" "strings" + "time" ) +func deserializeS3Expires(v string) (*time.Time, error) { + t, err := smithytime.ParseHTTPDate(v) + if err != nil { + return nil, nil + } + return &t, nil +} + type awsRestjson1_deserializeOpCreateToken struct { } @@ -581,12 +591,18 @@ func awsRestjson1_deserializeOpErrorRegisterClient(response *smithyhttp.Response case strings.EqualFold("InvalidClientMetadataException", errorCode): return awsRestjson1_deserializeErrorInvalidClientMetadataException(response, errorBody) + case strings.EqualFold("InvalidRedirectUriException", errorCode): + return awsRestjson1_deserializeErrorInvalidRedirectUriException(response, errorBody) + case strings.EqualFold("InvalidRequestException", errorCode): return awsRestjson1_deserializeErrorInvalidRequestException(response, errorBody) case strings.EqualFold("InvalidScopeException", errorCode): return awsRestjson1_deserializeErrorInvalidScopeException(response, errorBody) + case strings.EqualFold("UnsupportedGrantTypeException", errorCode): + return awsRestjson1_deserializeErrorUnsupportedGrantTypeException(response, errorBody) + default: genericError := &smithy.GenericAPIError{ Code: errorCode, 
@@ -1158,6 +1174,42 @@ func awsRestjson1_deserializeErrorInvalidGrantException(response *smithyhttp.Res return output } +func awsRestjson1_deserializeErrorInvalidRedirectUriException(response *smithyhttp.Response, errorBody *bytes.Reader) error { + output := &types.InvalidRedirectUriException{} + var buff [1024]byte + ringBuffer := smithyio.NewRingBuffer(buff[:]) + + body := io.TeeReader(errorBody, ringBuffer) + decoder := json.NewDecoder(body) + decoder.UseNumber() + var shape interface{} + if err := decoder.Decode(&shape); err != nil && err != io.EOF { + var snapshot bytes.Buffer + io.Copy(&snapshot, ringBuffer) + err = &smithy.DeserializationError{ + Err: fmt.Errorf("failed to decode response body, %w", err), + Snapshot: snapshot.Bytes(), + } + return err + } + + err := awsRestjson1_deserializeDocumentInvalidRedirectUriException(&output, shape) + + if err != nil { + var snapshot bytes.Buffer + io.Copy(&snapshot, ringBuffer) + err = &smithy.DeserializationError{ + Err: fmt.Errorf("failed to decode response body, %w", err), + Snapshot: snapshot.Bytes(), + } + return err + } + + errorBody.Seek(0, io.SeekStart) + + return output +} + func awsRestjson1_deserializeErrorInvalidRequestException(response *smithyhttp.Response, errorBody *bytes.Reader) error { output := &types.InvalidRequestException{} var buff [1024]byte 
@@ -1717,6 +1769,55 @@ func awsRestjson1_deserializeDocumentInvalidGrantException(v **types.InvalidGran return nil } +func awsRestjson1_deserializeDocumentInvalidRedirectUriException(v **types.InvalidRedirectUriException, value interface{}) error { + if v == nil { + return fmt.Errorf("unexpected nil of type %T", v) + } + if value == nil { + return nil + } + + shape, ok := value.(map[string]interface{}) + if !ok { + return fmt.Errorf("unexpected JSON type %v", value) + } + + var sv *types.InvalidRedirectUriException + if *v == nil { + sv = &types.InvalidRedirectUriException{} + } else { + sv = *v + } + + for key, value := range shape { + switch key { + case "error": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected Error to be of type string, got %T instead", value) + } + sv.Error_ = ptr.String(jtv) + } + + case "error_description": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected ErrorDescription to be of type string, got %T instead", value) + } + sv.Error_description = ptr.String(jtv) + } + + default: + _, _ = key, value + + } + } + *v = sv + return nil +} + func awsRestjson1_deserializeDocumentInvalidRequestException(v **types.InvalidRequestException, value interface{}) error { if v == nil { return fmt.Errorf("unexpected nil of type %T", v) diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/doc.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/doc.go index 53cd4f55a03..1d258e5677b 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/doc.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/doc.go 
@@ -6,33 +6,41 @@ // IAM Identity Center OpenID Connect (OIDC) is a web service that enables a // client (such as CLI or a native application) to register with IAM Identity // Center. The service also enables the client to fetch the user’s access token -// upon successful authentication and authorization with IAM Identity Center. IAM -// Identity Center uses the sso and identitystore API namespaces. Considerations -// for Using This Guide Before you begin using this guide, we recommend that you -// first review the following important information about how the IAM Identity -// Center OIDC service works. +// upon successful authentication and authorization with IAM Identity Center. +// +// IAM Identity Center uses the sso and identitystore API namespaces. +// +// # Considerations for Using This Guide +// +// Before you begin using this guide, we recommend that you first review the +// following important information about how the IAM Identity Center OIDC service +// works. +// // - The IAM Identity Center OIDC service currently implements only the portions -// of the OAuth 2.0 Device Authorization Grant standard ( -// https://tools.ietf.org/html/rfc8628 (https://tools.ietf.org/html/rfc8628) ) -// that are necessary to enable single sign-on authentication with the CLI. +// of the OAuth 2.0 Device Authorization Grant standard ([https://tools.ietf.org/html/rfc8628] ) that are necessary to +// enable single sign-on authentication with the CLI. +// // - With older versions of the CLI, the service only emits OIDC access tokens, // so to obtain a new token, users must explicitly re-authenticate. To access the // OIDC flow that supports token refresh and doesn’t require re-authentication, // update to the latest CLI version (1.27.10 for CLI V1 and 2.9.0 for CLI V2) with // support for OIDC token refresh and configurable IAM Identity Center session -// durations. 
For more information, see Configure Amazon Web Services access -// portal session duration (https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html) -// . +// durations. For more information, see [Configure Amazon Web Services access portal session duration]. +// // - The access tokens provided by this service grant access to all Amazon Web // Services account entitlements assigned to an IAM Identity Center user, not just // a particular application. +// // - The documentation in this guide does not describe the mechanism to convert // the access token into Amazon Web Services Auth (“sigv4”) credentials for use // with IAM-protected Amazon Web Services service endpoints. For more information, -// see GetRoleCredentials (https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html) -// in the IAM Identity Center Portal API Reference Guide. +// see [GetRoleCredentials]in the IAM Identity Center Portal API Reference Guide. +// +// For general information about IAM Identity Center, see [What is IAM Identity Center?] in the IAM Identity +// Center User Guide. // -// For general information about IAM Identity Center, see What is IAM Identity -// Center? (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) -// in the IAM Identity Center User Guide. +// [Configure Amazon Web Services access portal session duration]: https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html +// [GetRoleCredentials]: https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html +// [https://tools.ietf.org/html/rfc8628]: https://tools.ietf.org/html/rfc8628 +// [What is IAM Identity Center?]: https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html package ssooidc 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go index e81f202fd82..80189fbfbc6 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go @@ -3,4 +3,4 @@ package ssooidc // goModuleVersion is the tagged release for this module -const goModuleVersion = "1.23.3" +const goModuleVersion = "1.24.3" diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints/endpoints.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints/endpoints.go index aa207253432..843edb07428 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints/endpoints.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints/endpoints.go @@ -187,6 +187,14 @@ var defaultPartitions = endpoints.Partitions{ Region: "ap-south-1", }, }, + endpoints.EndpointKey{ + Region: "ap-south-2", + }: endpoints.Endpoint{ + Hostname: "oidc.ap-south-2.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "ap-south-2", + }, + }, endpoints.EndpointKey{ Region: "ap-southeast-1", }: endpoints.Endpoint{ @@ -259,6 +267,14 @@ var defaultPartitions = endpoints.Partitions{ Region: "eu-south-1", }, }, + endpoints.EndpointKey{ + Region: "eu-south-2", + }: endpoints.Endpoint{ + Hostname: "oidc.eu-south-2.amazonaws.com", + CredentialScope: endpoints.CredentialScope{ + Region: "eu-south-2", + }, + }, endpoints.EndpointKey{ Region: "eu-west-1", }: endpoints.Endpoint{ diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/options.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/options.go index b964e7e1090..69ded47c74c 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/options.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/options.go 
@@ -50,8 +50,10 @@ type Options struct { // Deprecated: Deprecated: EndpointResolver and WithEndpointResolver. Providing a // value for this field will likely prevent you from using any endpoint-related // service features released after the introduction of EndpointResolverV2 and - // BaseEndpoint. To migrate an EndpointResolver implementation that uses a custom - // endpoint, set the client option BaseEndpoint instead. + // BaseEndpoint. + // + // To migrate an EndpointResolver implementation that uses a custom endpoint, set + // the client option BaseEndpoint instead. EndpointResolver EndpointResolver // Resolves the endpoint used for a particular service operation. This should be 
@@ -70,17 +72,20 @@ type Options struct { // RetryMaxAttempts specifies the maximum number attempts an API client will call // an operation that fails with a retryable error. A value of 0 is ignored, and // will not be used to configure the API client created default retryer, or modify - // per operation call's retry max attempts. If specified in an operation call's - // functional options with a value that is different than the constructed client's - // Options, the Client's Retryer will be wrapped to use the operation's specific - // RetryMaxAttempts value. + // per operation call's retry max attempts. + // + // If specified in an operation call's functional options with a value that is + // different than the constructed client's Options, the Client's Retryer will be + // wrapped to use the operation's specific RetryMaxAttempts value. RetryMaxAttempts int // RetryMode specifies the retry mode the API client will be created with, if - // Retryer option is not also specified. When creating a new API Clients this - // member will only be used if the Retryer Options member is nil. This value will - // be ignored if Retryer is not nil. Currently does not support per operation call - // overrides, may in the future. + // Retryer option is not also specified. + // + // When creating a new API Clients this member will only be used if the Retryer + // Options member is nil. This value will be ignored if Retryer is not nil. + // + // Currently does not support per operation call overrides, may in the future. RetryMode aws.RetryMode // Retryer guides how HTTP requests should be retried in case of recoverable 
@@ -97,8 +102,9 @@ type Options struct { // The initial DefaultsMode used when the client options were constructed. If the // DefaultsMode was set to aws.DefaultsModeAuto this will store what the resolved - // value was at that point in time. Currently does not support per operation call - // overrides, may in the future. + // value was at that point in time. + // + // Currently does not support per operation call overrides, may in the future. resolvedDefaultsMode aws.DefaultsMode // The HTTP client to invoke API calls with. Defaults to client's default HTTP @@ -143,6 +149,7 @@ func WithAPIOptions(optFns ...func(*middleware.Stack) error) func(*Options) { // Deprecated: EndpointResolver and WithEndpointResolver. Providing a value for // this field will likely prevent you from using any endpoint-related service // features released after the introduction of EndpointResolverV2 and BaseEndpoint. +// // To migrate an EndpointResolver implementation that uses a custom endpoint, set // the client option BaseEndpoint instead. func WithEndpointResolver(v EndpointResolver) func(*Options) { diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/serializers.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/serializers.go index 754218b78e2..04411bd6167 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/serializers.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/serializers.go @@ -95,6 +95,11 @@ func awsRestjson1_serializeOpDocumentCreateTokenInput(v *CreateTokenInput, value ok.String(*v.Code) } + if v.CodeVerifier != nil { + ok := object.Key("codeVerifier") + ok.String(*v.CodeVerifier) + } + if v.DeviceCode != nil { ok := object.Key("deviceCode") ok.String(*v.DeviceCode) 
@@ -207,6 +212,11 @@ func awsRestjson1_serializeOpDocumentCreateTokenWithIAMInput(v *CreateTokenWithI ok.String(*v.Code) } + if v.CodeVerifier != nil { + ok := object.Key("codeVerifier") + ok.String(*v.CodeVerifier) + } + if v.GrantType != nil { ok := object.Key("grantType") ok.String(*v.GrantType) @@ -324,6 +334,30 @@ func awsRestjson1_serializeOpDocumentRegisterClientInput(v *RegisterClientInput, ok.String(*v.ClientType) } + if v.EntitledApplicationArn != nil { + ok := object.Key("entitledApplicationArn") + ok.String(*v.EntitledApplicationArn) + } + + if v.GrantTypes != nil { + ok := object.Key("grantTypes") + if err := awsRestjson1_serializeDocumentGrantTypes(v.GrantTypes, ok); err != nil { + return err + } + } + + if v.IssuerUrl != nil { + ok := object.Key("issuerUrl") + ok.String(*v.IssuerUrl) + } + + if v.RedirectUris != nil { + ok := object.Key("redirectUris") + if err := awsRestjson1_serializeDocumentRedirectUris(v.RedirectUris, ok); err != nil { + return err + } + } + if v.Scopes != nil { ok := object.Key("scopes") if err := awsRestjson1_serializeDocumentScopes(v.Scopes, ok); err != nil { @@ -419,6 +453,28 @@ func awsRestjson1_serializeOpDocumentStartDeviceAuthorizationInput(v *StartDevic return nil } +func awsRestjson1_serializeDocumentGrantTypes(v []string, value smithyjson.Value) error { + array := value.Array() + defer array.Close() + + for i := range v { + av := array.Value() + av.String(v[i]) + } + return nil +} + +func awsRestjson1_serializeDocumentRedirectUris(v []string, value smithyjson.Value) error { + array := value.Array() + defer array.Close() + + for i := range v { + av := array.Value() + av.String(v[i]) + } + return nil +} + func awsRestjson1_serializeDocumentScopes(v []string, value smithyjson.Value) error { array := value.Array() defer array.Close() diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/types/errors.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/types/errors.go index 86b62049fd9..2cfe7b48fed 100644 
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/types/errors.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/types/errors.go @@ -188,7 +188,7 @@ func (e *InvalidClientMetadataException) ErrorCode() string { func (e *InvalidClientMetadataException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } // Indicates that a request contains an invalid grant. This can occur if a client -// makes a CreateToken request with an invalid grant type. +// makes a CreateTokenrequest with an invalid grant type. type InvalidGrantException struct { Message *string @@ -217,6 +217,36 @@ func (e *InvalidGrantException) ErrorCode() string { } func (e *InvalidGrantException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } +// Indicates that one or more redirect URI in the request is not supported for +// this operation. +type InvalidRedirectUriException struct { + Message *string + + ErrorCodeOverride *string + + Error_ *string + Error_description *string + + noSmithyDocumentSerde +} + +func (e *InvalidRedirectUriException) Error() string { + return fmt.Sprintf("%s: %s", e.ErrorCode(), e.ErrorMessage()) +} +func (e *InvalidRedirectUriException) ErrorMessage() string { + if e.Message == nil { + return "" + } + return *e.Message +} +func (e *InvalidRedirectUriException) ErrorCode() string { + if e == nil || e.ErrorCodeOverride == nil { + return "InvalidRedirectUriException" + } + return *e.ErrorCodeOverride +} +func (e *InvalidRedirectUriException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } + // Indicates that something is wrong with the input to the request. For example, a // required parameter might be missing or out of range. type InvalidRequestException struct { diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md index 1c503194557..77cd6034609 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md 
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md @@ -1,3 +1,23 @@ +# v1.28.10 (2024-05-23) + +* No change notes available for this release. + +# v1.28.9 (2024-05-16) + +* **Dependency Update**: Updated to the latest SDK module versions + +# v1.28.8 (2024-05-15) + +* **Dependency Update**: Updated to the latest SDK module versions + +# v1.28.7 (2024-05-08) + +* **Bug Fix**: GoDoc improvement + +# v1.28.6 (2024-03-29) + +* **Dependency Update**: Updated to the latest SDK module versions + # v1.28.5 (2024-03-18) * **Dependency Update**: Updated to the latest SDK module versions diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go index e0e2c9c2e8d..936f917bfd2 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go 
@@ -16,69 +16,99 @@ import (
 // Amazon Web Services resources. These temporary credentials consist of an access
 // key ID, a secret access key, and a security token. Typically, you use AssumeRole
 // within your account or for cross-account access. For a comparison of AssumeRole
-// with other API operations that produce temporary credentials, see Requesting
-// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// in the IAM User Guide. Permissions The temporary security credentials created by
-// AssumeRole can be used to make API calls to any Amazon Web Services service
-// with the following exception: You cannot call the Amazon Web Services STS
-// GetFederationToken or GetSessionToken API operations. (Optional) You can pass
-// inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// to this operation. You can pass a single JSON policy document to use as an
-// inline session policy. You can also specify up to 10 managed policy Amazon
-// Resource Names (ARNs) to use as managed session policies. The plaintext that you
-// use for both inline and managed session policies can't exceed 2,048 characters.
-// Passing policies to this operation returns new temporary credentials. The
-// resulting session's permissions are the intersection of the role's
-// identity-based policy and the session policies. You can use the role's temporary
-// credentials in subsequent Amazon Web Services API calls to access resources in
-// the account that owns the role. You cannot use session policies to grant more
-// permissions than those allowed by the identity-based policy of the role that is
-// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// in the IAM User Guide. When you create a role, you create two policies: a role
-// trust policy that specifies who can assume the role, and a permissions policy
-// that specifies what can be done with the role. You specify the trusted principal
-// that is allowed to assume the role in the role trust policy. To assume a role
-// from a different account, your Amazon Web Services account must be trusted by
-// the role. The trust relationship is defined in the role's trust policy when the
-// role is created. That trust policy states which accounts are allowed to delegate
-// that access to users in the account. A user who wants to access a role in a
-// different account must also have permissions that are delegated from the account
-// administrator. The administrator must attach a policy that allows the user to
-// call AssumeRole for the ARN of the role in the other account. To allow a user
-// to assume a role in the same account, you can do either of the following:
+// with other API operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the
+// IAM User Guide.
+//
+// # Permissions
+//
+// The temporary security credentials created by AssumeRole can be used to make
+// API calls to any Amazon Web Services service with the following exception: You
+// cannot call the Amazon Web Services STS GetFederationToken or GetSessionToken
+// API operations.
+//
+// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
+// single JSON policy document to use as an inline session policy. You can also
+// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
+// session policies. The plaintext that you use for both inline and managed session
+// policies can't exceed 2,048 characters. Passing policies to this operation
+// returns new temporary credentials. The resulting session's permissions are the
+// intersection of the role's identity-based policy and the session policies. You
+// can use the role's temporary credentials in subsequent Amazon Web Services API
+// calls to access resources in the account that owns the role. You cannot use
+// session policies to grant more permissions than those allowed by the
+// identity-based policy of the role that is being assumed. For more information,
+// see [Session Policies]in the IAM User Guide.
+//
+// When you create a role, you create two policies: a role trust policy that
+// specifies who can assume the role, and a permissions policy that specifies what
+// can be done with the role. You specify the trusted principal that is allowed to
+// assume the role in the role trust policy.
+//
+// To assume a role from a different account, your Amazon Web Services account
+// must be trusted by the role. The trust relationship is defined in the role's
+// trust policy when the role is created. That trust policy states which accounts
+// are allowed to delegate that access to users in the account.
+//
+// A user who wants to access a role in a different account must also have
+// permissions that are delegated from the account administrator. The administrator
+// must attach a policy that allows the user to call AssumeRole for the ARN of the
+// role in the other account.
+//
+// To allow a user to assume a role in the same account, you can do either of the
+// following:
+//
 // - Attach a policy to the user that allows the user to call AssumeRole (as long
 // as the role's trust policy trusts the account).
+//
 // - Add the user as a principal directly in the role's trust policy.
 //
 // You can do either because the role’s trust policy acts as an IAM resource-based
 // policy. When a resource-based policy grants access to a principal in the same
 // account, no additional identity-based policy is required. For more information
-// about trust policies and resource-based policies, see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
-// in the IAM User Guide. Tags (Optional) You can pass tag key-value pairs to your
-// session. These tags are called session tags. For more information about session
-// tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// in the IAM User Guide. An administrator must grant you the permissions necessary
-// to pass session tags. The administrator can also create granular permissions to
-// allow you to pass only specific session tags. For more information, see
-// Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
-// in the IAM User Guide. You can set the session tags as transitive. Transitive
-// tags persist during role chaining. For more information, see Chaining Roles
-// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
-// in the IAM User Guide. Using MFA with AssumeRole (Optional) You can include
-// multi-factor authentication (MFA) information when you call AssumeRole . This is
-// useful for cross-account scenarios to ensure that the user that assumes the role
-// has been authenticated with an Amazon Web Services MFA device. In that scenario,
-// the trust policy of the role being assumed includes a condition that tests for
-// MFA authentication. If the caller does not include valid MFA information, the
-// request to assume the role is denied. The condition in a trust policy that tests
-// for MFA authentication might look like the following example. "Condition":
-// {"Bool": {"aws:MultiFactorAuthPresent": true}} For more information, see
-// Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
-// in the IAM User Guide guide. To use MFA with AssumeRole , you pass values for
-// the SerialNumber and TokenCode parameters. The SerialNumber value identifies
-// the user's hardware or virtual MFA device. The TokenCode is the time-based
-// one-time password (TOTP) that the MFA device produces.
+// about trust policies and resource-based policies, see [IAM Policies]in the IAM User Guide.
+//
+// # Tags
+//
+// (Optional) You can pass tag key-value pairs to your session. These tags are
+// called session tags. For more information about session tags, see [Passing Session Tags in STS]in the IAM
+// User Guide.
+//
+// An administrator must grant you the permissions necessary to pass session tags.
+// The administrator can also create granular permissions to allow you to pass only
+// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
+//
+// You can set the session tags as transitive. Transitive tags persist during role
+// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
+//
+// # Using MFA with AssumeRole
+//
+// (Optional) You can include multi-factor authentication (MFA) information when
+// you call AssumeRole . This is useful for cross-account scenarios to ensure that
+// the user that assumes the role has been authenticated with an Amazon Web
+// Services MFA device. In that scenario, the trust policy of the role being
+// assumed includes a condition that tests for MFA authentication. If the caller
+// does not include valid MFA information, the request to assume the role is
+// denied. The condition in a trust policy that tests for MFA authentication might
+// look like the following example.
+//
+// "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
+//
+// For more information, see [Configuring MFA-Protected API Access] in the IAM User Guide guide.
+//
+// To use MFA with AssumeRole , you pass values for the SerialNumber and TokenCode
+// parameters. The SerialNumber value identifies the user's hardware or virtual
+// MFA device. The TokenCode is the time-based one-time password (TOTP) that the
+// MFA device produces.
+//
+// [Configuring MFA-Protected API Access]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
+// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [IAM Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
 func (c *Client) AssumeRole(ctx context.Context, params *AssumeRoleInput, optFns ...func(*Options)) (*AssumeRoleOutput, error) {
 if params == nil {
 params = &AssumeRoleInput{}
@@ -101,17 +131,19 @@ type AssumeRoleInput struct {
 // This member is required.
 RoleArn *string
- // An identifier for the assumed role session. Use the role session name to
- // uniquely identify a session when the same role is assumed by different
- // principals or for different reasons. In cross-account scenarios, the role
- // session name is visible to, and can be logged by the account that owns the role.
- // The role session name is also used in the ARN of the assumed role principal.
- // This means that subsequent cross-account API requests that use the temporary
- // security credentials will expose the role session name to the external account
- // in their CloudTrail logs. The regex used to validate this parameter is a string
- // of characters consisting of upper- and lower-case alphanumeric characters with
- // no spaces. You can also include underscores or any of the following characters:
- // =,.@-
+ // An identifier for the assumed role session.
+ //
+ // Use the role session name to uniquely identify a session when the same role is
+ // assumed by different principals or for different reasons. In cross-account
+ // scenarios, the role session name is visible to, and can be logged by the account
+ // that owns the role. The role session name is also used in the ARN of the assumed
+ // role principal. This means that subsequent cross-account API requests that use
+ // the temporary security credentials will expose the role session name to the
+ // external account in their CloudTrail logs.
+ //
+ // The regex used to validate this parameter is a string of characters consisting
+ // of upper- and lower-case alphanumeric characters with no spaces. You can also
+ // include underscores or any of the following characters: =,.@-
 //
 // This member is required.
 RoleSessionName *string
@@ -122,23 +154,27 @@ type AssumeRoleInput struct {
 // hours. If you specify a value higher than this setting or the administrator
 // setting (whichever is lower), the operation fails. For example, if you specify a
 // session duration of 12 hours, but your administrator set the maximum session
- // duration to 6 hours, your operation fails. Role chaining limits your Amazon Web
- // Services CLI or Amazon Web Services API role session to a maximum of one hour.
- // When you use the AssumeRole API operation to assume a role, you can specify the
- // duration of your role session with the DurationSeconds parameter. You can
- // specify a parameter value of up to 43200 seconds (12 hours), depending on the
- // maximum session duration setting for your role. However, if you assume a role
- // using role chaining and provide a DurationSeconds parameter value greater than
- // one hour, the operation fails. To learn how to view the maximum value for your
- // role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
- // in the IAM User Guide. By default, the value is set to 3600 seconds. The
- // DurationSeconds parameter is separate from the duration of a console session
- // that you might request using the returned credentials. The request to the
- // federation endpoint for a console sign-in token takes a SessionDuration
+ // duration to 6 hours, your operation fails.
+ //
+ // Role chaining limits your Amazon Web Services CLI or Amazon Web Services API
+ // role session to a maximum of one hour. When you use the AssumeRole API
+ // operation to assume a role, you can specify the duration of your role session
+ // with the DurationSeconds parameter. You can specify a parameter value of up to
+ // 43200 seconds (12 hours), depending on the maximum session duration setting for
+ // your role. However, if you assume a role using role chaining and provide a
+ // DurationSeconds parameter value greater than one hour, the operation fails. To
+ // learn how to view the maximum value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
+ //
+ // By default, the value is set to 3600 seconds.
+ //
+ // The DurationSeconds parameter is separate from the duration of a console
+ // session that you might request using the returned credentials. The request to
+ // the federation endpoint for a console sign-in token takes a SessionDuration
 // parameter that specifies the maximum length of the console session. For more
- // information, see Creating a URL that Enables Federated Users to Access the
- // Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
- // in the IAM User Guide.
+ // information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
+ //
+ // [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+ // [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
 DurationSeconds *int32
 // A unique identifier that might be required when you assume a role in another
@@ -149,63 +185,79 @@ type AssumeRoleInput struct {
 // the administrator of the trusting account might send an external ID to the
 // administrator of the trusted account. That way, only someone with the ID can
 // assume the role, rather than everyone in the account. For more information about
- // the external ID, see How to Use an External ID When Granting Access to Your
- // Amazon Web Services Resources to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
- // in the IAM User Guide. The regex used to validate this parameter is a string of
- // characters consisting of upper- and lower-case alphanumeric characters with no
- // spaces. You can also include underscores or any of the following characters:
- // =,.@:/-
+ // the external ID, see [How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party]in the IAM User Guide.
+ //
+ // The regex used to validate this parameter is a string of characters consisting
+ // of upper- and lower-case alphanumeric characters with no spaces. You can also
+ // include underscores or any of the following characters: =,.@:/-
+ //
+ // [How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
 ExternalId *string
 // An IAM policy in JSON format that you want to use as an inline session policy.
+ //
 // This parameter is optional. Passing policies to this operation returns new
 // temporary credentials. The resulting session's permissions are the intersection
 // of the role's identity-based policy and the session policies. You can use the
 // role's temporary credentials in subsequent Amazon Web Services API calls to
 // access resources in the account that owns the role. You cannot use session
 // policies to grant more permissions than those allowed by the identity-based
- // policy of the role that is being assumed. For more information, see Session
- // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
- // in the IAM User Guide. The plaintext that you use for both inline and managed
- // session policies can't exceed 2,048 characters. The JSON policy characters can
- // be any ASCII character from the space character to the end of the valid
- // character list (\u0020 through \u00FF). It can also include the tab (\u0009),
- // linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web
- // Services conversion compresses the passed inline session policy, managed policy
- // ARNs, and session tags into a packed binary format that has a separate limit.
- // Your request can fail for this limit even if your plaintext meets the other
- // requirements. The PackedPolicySize response element indicates by percentage how
- // close the policies and tags for your request are to the upper size limit.
+ // policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
+ // User Guide.
+ //
+ // The plaintext that you use for both inline and managed session policies can't
+ // exceed 2,048 characters. The JSON policy characters can be any ASCII character
+ // from the space character to the end of the valid character list (\u0020 through
+ // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
+ // return (\u000D) characters.
+ //
+ // An Amazon Web Services conversion compresses the passed inline session policy,
+ // managed policy ARNs, and session tags into a packed binary format that has a
+ // separate limit. Your request can fail for this limit even if your plaintext
+ // meets the other requirements. The PackedPolicySize response element indicates
+ // by percentage how close the policies and tags for your request are to the upper
+ // size limit.
+ //
+ // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 Policy *string
 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
 // use as managed session policies. The policies must exist in the same account as
- // the role. This parameter is optional. You can provide up to 10 managed policy
- // ARNs. However, the plaintext that you use for both inline and managed session
- // policies can't exceed 2,048 characters. For more information about ARNs, see
- // Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
- // in the Amazon Web Services General Reference. An Amazon Web Services conversion
- // compresses the passed inline session policy, managed policy ARNs, and session
- // tags into a packed binary format that has a separate limit. Your request can
- // fail for this limit even if your plaintext meets the other requirements. The
- // PackedPolicySize response element indicates by percentage how close the policies
- // and tags for your request are to the upper size limit. Passing policies to this
- // operation returns new temporary credentials. The resulting session's permissions
- // are the intersection of the role's identity-based policy and the session
- // policies. You can use the role's temporary credentials in subsequent Amazon Web
- // Services API calls to access resources in the account that owns the role. You
- // cannot use session policies to grant more permissions than those allowed by the
- // identity-based policy of the role that is being assumed. For more information,
- // see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
- // in the IAM User Guide.
+ // the role.
+ //
+ // This parameter is optional. You can provide up to 10 managed policy ARNs.
+ // However, the plaintext that you use for both inline and managed session policies
+ // can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
+ // Amazon Web Services General Reference.
+ //
+ // An Amazon Web Services conversion compresses the passed inline session policy,
+ // managed policy ARNs, and session tags into a packed binary format that has a
+ // separate limit. Your request can fail for this limit even if your plaintext
+ // meets the other requirements. The PackedPolicySize response element indicates
+ // by percentage how close the policies and tags for your request are to the upper
+ // size limit.
+ //
+ // Passing policies to this operation returns new temporary credentials. The
+ // resulting session's permissions are the intersection of the role's
+ // identity-based policy and the session policies. You can use the role's temporary
+ // credentials in subsequent Amazon Web Services API calls to access resources in
+ // the account that owns the role. You cannot use session policies to grant more
+ // permissions than those allowed by the identity-based policy of the role that is
+ // being assumed. For more information, see [Session Policies]in the IAM User Guide.
+ //
+ // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+ // [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
 PolicyArns []types.PolicyDescriptorType
 // A list of previously acquired trusted context assertions in the format of a
 // JSON array. The trusted context assertion is signed and encrypted by Amazon Web
- // Services STS. The following is an example of a ProvidedContext value that
- // includes a single trusted context assertion and the ARN of the context provider
- // from which the trusted context assertion was generated.
- // [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]
+ // Services STS.
+ //
+ // The following is an example of a ProvidedContext value that includes a single
+ // trusted context assertion and the ARN of the context provider from which the
+ // trusted context assertion was generated.
+ //
+ // [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]
 ProvidedContexts []types.ProvidedContext
 // The identification number of the MFA device that is associated with the user
@@ -213,79 +265,97 @@ type AssumeRoleInput struct {
 // the role being assumed includes a condition that requires MFA authentication.
 // The value is either the serial number for a hardware device (such as
 // GAHT12345678 ) or an Amazon Resource Name (ARN) for a virtual device (such as
- // arn:aws:iam::123456789012:mfa/user ). The regex used to validate this parameter
- // is a string of characters consisting of upper- and lower-case alphanumeric
- // characters with no spaces. You can also include underscores or any of the
- // following characters: =,.@-
+ // arn:aws:iam::123456789012:mfa/user ).
+ //
+ // The regex used to validate this parameter is a string of characters consisting
+ // of upper- and lower-case alphanumeric characters with no spaces. You can also
+ // include underscores or any of the following characters: =,.@-
 SerialNumber *string
 // The source identity specified by the principal that is calling the AssumeRole
- // operation. You can require users to specify a source identity when they assume a
- // role. You do this by using the sts:SourceIdentity condition key in a role trust
- // policy. You can use source identity information in CloudTrail logs to determine
- // who took actions with a role. You can use the aws:SourceIdentity condition key
- // to further control access to Amazon Web Services resources based on the value of
- // source identity. For more information about using source identity, see Monitor
- // and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
- // in the IAM User Guide. The regex used to validate this parameter is a string of
- // characters consisting of upper- and lower-case alphanumeric characters with no
- // spaces. You can also include underscores or any of the following characters:
- // =,.@-. You cannot use a value that begins with the text aws: . This prefix is
- // reserved for Amazon Web Services internal use.
+ // operation.
+ //
+ // You can require users to specify a source identity when they assume a role. You
+ // do this by using the sts:SourceIdentity condition key in a role trust policy.
+ // You can use source identity information in CloudTrail logs to determine who took
+ // actions with a role. You can use the aws:SourceIdentity condition key to
+ // further control access to Amazon Web Services resources based on the value of
+ // source identity. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in the
+ // IAM User Guide.
+ //
+ // The regex used to validate this parameter is a string of characters consisting
+ // of upper- and lower-case alphanumeric characters with no spaces. You can also
+ // include underscores or any of the following characters: =,.@-. You cannot use a
+ // value that begins with the text aws: . This prefix is reserved for Amazon Web
+ // Services internal use.
+ //
+ // [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
 SourceIdentity *string
 // A list of session tags that you want to pass. Each session tag consists of a
- // key name and an associated value. For more information about session tags, see
- // Tagging Amazon Web Services STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
- // in the IAM User Guide. This parameter is optional. You can pass up to 50 session
- // tags. The plaintext session tag keys can’t exceed 128 characters, and the values
- // can’t exceed 256 characters. For these and additional limits, see IAM and STS
- // Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
- // in the IAM User Guide. An Amazon Web Services conversion compresses the passed
- // inline session policy, managed policy ARNs, and session tags into a packed
- // binary format that has a separate limit. Your request can fail for this limit
- // even if your plaintext meets the other requirements. The PackedPolicySize
- // response element indicates by percentage how close the policies and tags for
- // your request are to the upper size limit. You can pass a session tag with the
- // same key as a tag that is already attached to the role. When you do, session
- // tags override a role tag with the same key. Tag key–value pairs are not case
- // sensitive, but case is preserved. This means that you cannot have separate
- // Department and department tag keys. Assume that the role has the Department =
- // Marketing tag and you pass the department = engineering session tag. Department
- // and department are not saved as separate tags, and the session tag passed in
- // the request takes precedence over the role tag. Additionally, if you used
- // temporary credentials to perform this operation, the new session inherits any
- // transitive session tags from the calling session. If you pass a session tag with
- // the same key as an inherited tag, the operation fails. To view the inherited
- // tags for a session, see the CloudTrail logs. For more information, see Viewing
- // Session Tags in CloudTrail (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs)
+ // key name and an associated value. For more information about session tags, see [Tagging Amazon Web Services STS Sessions]
 // in the IAM User Guide.
+ //
+ // This parameter is optional. You can pass up to 50 session tags. The plaintext
+ // session tag keys can’t exceed 128 characters, and the values can’t exceed 256
+ // characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
+ //
+ // An Amazon Web Services conversion compresses the passed inline session policy,
+ // managed policy ARNs, and session tags into a packed binary format that has a
+ // separate limit. Your request can fail for this limit even if your plaintext
+ // meets the other requirements. The PackedPolicySize response element indicates
+ // by percentage how close the policies and tags for your request are to the upper
+ // size limit.
+ //
+ // You can pass a session tag with the same key as a tag that is already attached
+ // to the role. When you do, session tags override a role tag with the same key.
+ //
+ // Tag key–value pairs are not case sensitive, but case is preserved. This means
+ // that you cannot have separate Department and department tag keys. Assume that
+ // the role has the Department = Marketing tag and you pass the department =
+ // engineering session tag. Department and department are not saved as separate
+ // tags, and the session tag passed in the request takes precedence over the role
+ // tag.
+ //
+ // Additionally, if you used temporary credentials to perform this operation, the
+ // new session inherits any transitive session tags from the calling session. If
+ // you pass a session tag with the same key as an inherited tag, the operation
+ // fails. To view the inherited tags for a session, see the CloudTrail logs. For
+ // more information, see [Viewing Session Tags in CloudTrail]in the IAM User Guide.
+ //
+ // [Tagging Amazon Web Services STS Sessions]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+ // [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+ // [Viewing Session Tags in CloudTrail]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs
 Tags []types.Tag
 // The value provided by the MFA device, if the trust policy of the role being
 // assumed requires MFA. (In other words, if the policy includes a condition that
 // tests for MFA). If the role being assumed requires MFA and if the TokenCode
 // value is missing or expired, the AssumeRole call returns an "access denied"
- // error. The format for this parameter, as described by its regex pattern, is a
- // sequence of six numeric digits.
+ // error.
+ //
+ // The format for this parameter, as described by its regex pattern, is a sequence
+ // of six numeric digits.
 TokenCode *string
 // A list of keys for session tags that you want to set as transitive. If you set
 // a tag key as transitive, the corresponding key and value passes to subsequent
- // sessions in a role chain. For more information, see Chaining Roles with Session
- // Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
- // in the IAM User Guide. This parameter is optional. When you set session tags as
- // transitive, the session policy and session tags packed binary limit is not
- // affected. If you choose not to specify a transitive tag key, then no tags are
- // passed from this session to any subsequent sessions.
+ // sessions in a role chain. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
+ //
+ // This parameter is optional. When you set session tags as transitive, the
+ // session policy and session tags packed binary limit is not affected.
+ //
+ // If you choose not to specify a transitive tag key, then no tags are passed from
+ // this session to any subsequent sessions.
+ //
+ // [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
 TransitiveTagKeys []string
 noSmithyDocumentSerde
 }
-// Contains the response to a successful AssumeRole request, including temporary
-// Amazon Web Services credentials that can be used to make Amazon Web Services
-// requests.
+// Contains the response to a successful AssumeRole request, including temporary Amazon Web
+// Services credentials that can be used to make Amazon Web Services requests.
 type AssumeRoleOutput struct {
 // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
@@ -296,9 +366,10 @@ type AssumeRoleOutput struct {
 AssumedRoleUser *types.AssumedRoleUser
 // The temporary security credentials, which include an access key ID, a secret
- // access key, and a security (or session) token. The size of the security token
- // that STS API operations return is not fixed. We strongly recommend that you make
- // no assumptions about the maximum size.
+ // access key, and a security (or session) token.
+ //
+ // The size of the security token that STS API operations return is not fixed. We
+ // strongly recommend that you make no assumptions about the maximum size.
 Credentials *types.Credentials
 // A percentage value that indicates the packed size of the session policies and
@@ -308,17 +379,21 @@ type AssumeRoleOutput struct { PackedPolicySize *int32 // The source identity specified by the principal that is calling the AssumeRole - // operation. You can require users to specify a source identity when they assume a - // role. You do this by using the sts:SourceIdentity condition key in a role trust - // policy. You can use source identity information in CloudTrail logs to determine - // who took actions with a role. You can use the aws:SourceIdentity condition key - // to further control access to Amazon Web Services resources based on the value of - // source identity. For more information about using source identity, see Monitor - // and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) - // in the IAM User Guide. The regex used to validate this parameter is a string of - // characters consisting of upper- and lower-case alphanumeric characters with no - // spaces. You can also include underscores or any of the following characters: - // =,.@- + // operation. + // + // You can require users to specify a source identity when they assume a role. You + // do this by using the sts:SourceIdentity condition key in a role trust policy. + // You can use source identity information in CloudTrail logs to determine who took + // actions with a role. You can use the aws:SourceIdentity condition key to + // further control access to Amazon Web Services resources based on the value of + // source identity. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in the + // IAM User Guide. + // + // The regex used to validate this parameter is a string of characters consisting + // of upper- and lower-case alphanumeric characters with no spaces. 
You can also + // include underscores or any of the following characters: =,.@- + // + // [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html SourceIdentity *string // Metadata pertaining to the operation's result. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go index 2a57b72ac99..f88ab4a22b4 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go 
@@ -16,92 +16,132 @@ import ( // mechanism for tying an enterprise identity store or directory to role-based // Amazon Web Services access without user-specific credentials or configuration. // For a comparison of AssumeRoleWithSAML with the other API operations that -// produce temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) -// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) -// in the IAM User Guide. The temporary security credentials returned by this -// operation consist of an access key ID, a secret access key, and a security -// token. Applications can use these temporary security credentials to sign calls -// to Amazon Web Services services. Session Duration By default, the temporary -// security credentials created by AssumeRoleWithSAML last for one hour. However, -// you can use the optional DurationSeconds parameter to specify the duration of -// your session. Your role session lasts for the duration that you specify, or -// until the time specified in the SAML authentication response's -// SessionNotOnOrAfter value, whichever is shorter. You can provide a -// DurationSeconds value from 900 seconds (15 minutes) up to the maximum session -// duration setting for the role. This setting can have a value from 1 hour to 12 -// hours. To learn how to view the maximum value for your role, see View the -// Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) -// in the IAM User Guide. The maximum session duration limit applies when you use -// the AssumeRole* API operations or the assume-role* CLI commands. However the -// limit does not apply when you use those operations to create a console URL. 
For -// more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) -// in the IAM User Guide. Role chaining (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining) -// limits your CLI or Amazon Web Services API role session to a maximum of one +// produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide. +// +// The temporary security credentials returned by this operation consist of an +// access key ID, a secret access key, and a security token. Applications can use +// these temporary security credentials to sign calls to Amazon Web Services +// services. +// +// # Session Duration +// +// By default, the temporary security credentials created by AssumeRoleWithSAML +// last for one hour. However, you can use the optional DurationSeconds parameter +// to specify the duration of your session. Your role session lasts for the +// duration that you specify, or until the time specified in the SAML +// authentication response's SessionNotOnOrAfter value, whichever is shorter. You +// can provide a DurationSeconds value from 900 seconds (15 minutes) up to the +// maximum session duration setting for the role. This setting can have a value +// from 1 hour to 12 hours. To learn how to view the maximum value for your role, +// see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide. The maximum session duration limit applies when you +// use the AssumeRole* API operations or the assume-role* CLI commands. However +// the limit does not apply when you use those operations to create a console URL. +// For more information, see [Using IAM Roles]in the IAM User Guide. +// +// [Role chaining]limits your CLI or Amazon Web Services API role session to a maximum of one // hour. 
When you use the AssumeRole API operation to assume a role, you can // specify the duration of your role session with the DurationSeconds parameter. // You can specify a parameter value of up to 43200 seconds (12 hours), depending // on the maximum session duration setting for your role. However, if you assume a // role using role chaining and provide a DurationSeconds parameter value greater -// than one hour, the operation fails. Permissions The temporary security -// credentials created by AssumeRoleWithSAML can be used to make API calls to any -// Amazon Web Services service with the following exception: you cannot call the -// STS GetFederationToken or GetSessionToken API operations. (Optional) You can -// pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) -// to this operation. You can pass a single JSON policy document to use as an -// inline session policy. You can also specify up to 10 managed policy Amazon -// Resource Names (ARNs) to use as managed session policies. The plaintext that you -// use for both inline and managed session policies can't exceed 2,048 characters. -// Passing policies to this operation returns new temporary credentials. The -// resulting session's permissions are the intersection of the role's -// identity-based policy and the session policies. You can use the role's temporary -// credentials in subsequent Amazon Web Services API calls to access resources in -// the account that owns the role. You cannot use session policies to grant more -// permissions than those allowed by the identity-based policy of the role that is -// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) -// in the IAM User Guide. Calling AssumeRoleWithSAML does not require the use of -// Amazon Web Services security credentials. 
The identity of the caller is -// validated by using keys in the metadata document that is uploaded for the SAML -// provider entity for your identity provider. Calling AssumeRoleWithSAML can -// result in an entry in your CloudTrail logs. The entry includes the value in the -// NameID element of the SAML assertion. We recommend that you use a NameIDType -// that is not associated with any personally identifiable information (PII). For -// example, you could instead use the persistent identifier ( -// urn:oasis:names:tc:SAML:2.0:nameid-format:persistent ). Tags (Optional) You can -// configure your IdP to pass attributes into your SAML assertion as session tags. -// Each session tag consists of a key name and an associated value. For more -// information about session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) -// in the IAM User Guide. You can pass up to 50 session tags. The plaintext session -// tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. -// For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) -// in the IAM User Guide. An Amazon Web Services conversion compresses the passed -// inline session policy, managed policy ARNs, and session tags into a packed -// binary format that has a separate limit. Your request can fail for this limit -// even if your plaintext meets the other requirements. The PackedPolicySize -// response element indicates by percentage how close the policies and tags for -// your request are to the upper size limit. You can pass a session tag with the -// same key as a tag that is attached to the role. When you do, session tags -// override the role's tags with the same key. An administrator must grant you the -// permissions necessary to pass session tags. 
The administrator can also create -// granular permissions to allow you to pass only specific session tags. For more -// information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) -// in the IAM User Guide. You can set the session tags as transitive. Transitive -// tags persist during role chaining. For more information, see Chaining Roles -// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) -// in the IAM User Guide. SAML Configuration Before your application can call -// AssumeRoleWithSAML , you must configure your SAML identity provider (IdP) to -// issue the claims required by Amazon Web Services. Additionally, you must use -// Identity and Access Management (IAM) to create a SAML provider entity in your -// Amazon Web Services account that represents your identity provider. You must -// also create an IAM role that specifies this SAML provider in its trust policy. +// than one hour, the operation fails. +// +// # Permissions +// +// The temporary security credentials created by AssumeRoleWithSAML can be used to +// make API calls to any Amazon Web Services service with the following exception: +// you cannot call the STS GetFederationToken or GetSessionToken API operations. +// +// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a +// single JSON policy document to use as an inline session policy. You can also +// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed +// session policies. The plaintext that you use for both inline and managed session +// policies can't exceed 2,048 characters. Passing policies to this operation +// returns new temporary credentials. The resulting session's permissions are the +// intersection of the role's identity-based policy and the session policies. 
You +// can use the role's temporary credentials in subsequent Amazon Web Services API +// calls to access resources in the account that owns the role. You cannot use +// session policies to grant more permissions than those allowed by the +// identity-based policy of the role that is being assumed. For more information, +// see [Session Policies]in the IAM User Guide. +// +// Calling AssumeRoleWithSAML does not require the use of Amazon Web Services +// security credentials. The identity of the caller is validated by using keys in +// the metadata document that is uploaded for the SAML provider entity for your +// identity provider. +// +// Calling AssumeRoleWithSAML can result in an entry in your CloudTrail logs. The +// entry includes the value in the NameID element of the SAML assertion. We +// recommend that you use a NameIDType that is not associated with any personally +// identifiable information (PII). For example, you could instead use the +// persistent identifier ( urn:oasis:names:tc:SAML:2.0:nameid-format:persistent ). +// +// # Tags +// +// (Optional) You can configure your IdP to pass attributes into your SAML +// assertion as session tags. Each session tag consists of a key name and an +// associated value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User +// Guide. +// +// You can pass up to 50 session tags. The plaintext session tag keys can’t exceed +// 128 characters and the values can’t exceed 256 characters. For these and +// additional limits, see [IAM and STS Character Limits]in the IAM User Guide. +// +// An Amazon Web Services conversion compresses the passed inline session policy, +// managed policy ARNs, and session tags into a packed binary format that has a +// separate limit. Your request can fail for this limit even if your plaintext +// meets the other requirements. 
The PackedPolicySize response element indicates +// by percentage how close the policies and tags for your request are to the upper +// size limit. +// +// You can pass a session tag with the same key as a tag that is attached to the +// role. When you do, session tags override the role's tags with the same key. +// +// An administrator must grant you the permissions necessary to pass session tags. +// The administrator can also create granular permissions to allow you to pass only +// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide. +// +// You can set the session tags as transitive. Transitive tags persist during role +// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide. +// +// # SAML Configuration +// +// Before your application can call AssumeRoleWithSAML , you must configure your +// SAML identity provider (IdP) to issue the claims required by Amazon Web +// Services. Additionally, you must use Identity and Access Management (IAM) to +// create a SAML provider entity in your Amazon Web Services account that +// represents your identity provider. You must also create an IAM role that +// specifies this SAML provider in its trust policy. +// // For more information, see the following resources: -// - About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) -// in the IAM User Guide. -// - Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) -// in the IAM User Guide. -// - Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html) -// in the IAM User Guide. -// - Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) -// in the IAM User Guide. 
+// +// [About SAML 2.0-based Federation] +// - in the IAM User Guide. +// +// [Creating SAML Identity Providers] +// - in the IAM User Guide. +// +// [Configuring a Relying Party and Claims] +// - in the IAM User Guide. +// +// [Creating a Role for SAML 2.0 Federation] +// - in the IAM User Guide. +// +// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session +// [Creating a Role for SAML 2.0 Federation]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html +// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length +// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison +// [Creating SAML Identity Providers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html +// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session +// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html +// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html +// [Configuring a Relying Party and Claims]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html +// [Role chaining]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining +// [Using IAM Roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html +// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session +// [Passing Session Tags in STS]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html +// [About SAML 2.0-based Federation]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html +// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining func (c *Client) AssumeRoleWithSAML(ctx context.Context, params *AssumeRoleWithSAMLInput, optFns ...func(*Options)) (*AssumeRoleWithSAMLOutput, error) { if params == nil { params = &AssumeRoleWithSAMLInput{} @@ -130,9 +170,11 @@ type AssumeRoleWithSAMLInput struct { // This member is required. RoleArn *string - // The base64 encoded SAML authentication response provided by the IdP. For more - // information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html) - // in the IAM User Guide. + // The base64 encoded SAML authentication response provided by the IdP. + // + // For more information, see [Configuring a Relying Party and Adding Claims] in the IAM User Guide. + // + // [Configuring a Relying Party and Adding Claims]: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html // // This member is required. SAMLAssertion *string 
@@ -146,92 +188,114 @@ type AssumeRoleWithSAMLInput struct { // than this setting, the operation fails. For example, if you specify a session // duration of 12 hours, but your administrator set the maximum session duration to // 6 hours, your operation fails. To learn how to view the maximum value for your - // role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) - // in the IAM User Guide. By default, the value is set to 3600 seconds. The - // DurationSeconds parameter is separate from the duration of a console session - // that you might request using the returned credentials. The request to the - // federation endpoint for a console sign-in token takes a SessionDuration + // role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide. + // + // By default, the value is set to 3600 seconds. + // + // The DurationSeconds parameter is separate from the duration of a console + // session that you might request using the returned credentials. The request to + // the federation endpoint for a console sign-in token takes a SessionDuration // parameter that specifies the maximum length of the console session. For more - // information, see Creating a URL that Enables Federated Users to Access the - // Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) - // in the IAM User Guide. + // information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide. 
+ // + // [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session + // [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html DurationSeconds *int32 // An IAM policy in JSON format that you want to use as an inline session policy. + // // This parameter is optional. Passing policies to this operation returns new // temporary credentials. The resulting session's permissions are the intersection // of the role's identity-based policy and the session policies. You can use the // role's temporary credentials in subsequent Amazon Web Services API calls to // access resources in the account that owns the role. You cannot use session // policies to grant more permissions than those allowed by the identity-based - // policy of the role that is being assumed. For more information, see Session - // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) - // in the IAM User Guide. The plaintext that you use for both inline and managed - // session policies can't exceed 2,048 characters. The JSON policy characters can - // be any ASCII character from the space character to the end of the valid - // character list (\u0020 through \u00FF). It can also include the tab (\u0009), - // linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web - // Services conversion compresses the passed inline session policy, managed policy - // ARNs, and session tags into a packed binary format that has a separate limit. - // Your request can fail for this limit even if your plaintext meets the other - // requirements. The PackedPolicySize response element indicates by percentage how - // close the policies and tags for your request are to the upper size limit. 
+ // policy of the role that is being assumed. For more information, see [Session Policies]in the IAM + // User Guide. + // + // The plaintext that you use for both inline and managed session policies can't + // exceed 2,048 characters. The JSON policy characters can be any ASCII character + // from the space character to the end of the valid character list (\u0020 through + // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage + // return (\u000D) characters. + // + // An Amazon Web Services conversion compresses the passed inline session policy, + // managed policy ARNs, and session tags into a packed binary format that has a + // separate limit. Your request can fail for this limit even if your plaintext + // meets the other requirements. The PackedPolicySize response element indicates + // by percentage how close the policies and tags for your request are to the upper + // size limit. + // + // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Policy *string // The Amazon Resource Names (ARNs) of the IAM managed policies that you want to // use as managed session policies. The policies must exist in the same account as - // the role. This parameter is optional. You can provide up to 10 managed policy - // ARNs. However, the plaintext that you use for both inline and managed session - // policies can't exceed 2,048 characters. For more information about ARNs, see - // Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // in the Amazon Web Services General Reference. An Amazon Web Services conversion - // compresses the passed inline session policy, managed policy ARNs, and session - // tags into a packed binary format that has a separate limit. Your request can - // fail for this limit even if your plaintext meets the other requirements. 
The - // PackedPolicySize response element indicates by percentage how close the policies - // and tags for your request are to the upper size limit. Passing policies to this - // operation returns new temporary credentials. The resulting session's permissions - // are the intersection of the role's identity-based policy and the session - // policies. You can use the role's temporary credentials in subsequent Amazon Web - // Services API calls to access resources in the account that owns the role. You - // cannot use session policies to grant more permissions than those allowed by the - // identity-based policy of the role that is being assumed. For more information, - // see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) - // in the IAM User Guide. + // the role. + // + // This parameter is optional. You can provide up to 10 managed policy ARNs. + // However, the plaintext that you use for both inline and managed session policies + // can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the + // Amazon Web Services General Reference. + // + // An Amazon Web Services conversion compresses the passed inline session policy, + // managed policy ARNs, and session tags into a packed binary format that has a + // separate limit. Your request can fail for this limit even if your plaintext + // meets the other requirements. The PackedPolicySize response element indicates + // by percentage how close the policies and tags for your request are to the upper + // size limit. + // + // Passing policies to this operation returns new temporary credentials. The + // resulting session's permissions are the intersection of the role's + // identity-based policy and the session policies. 
You can use the role's temporary + // credentials in subsequent Amazon Web Services API calls to access resources in + // the account that owns the role. You cannot use session policies to grant more + // permissions than those allowed by the identity-based policy of the role that is + // being assumed. For more information, see [Session Policies]in the IAM User Guide. + // + // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session + // [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html PolicyArns []types.PolicyDescriptorType noSmithyDocumentSerde } -// Contains the response to a successful AssumeRoleWithSAML request, including -// temporary Amazon Web Services credentials that can be used to make Amazon Web -// Services requests. +// Contains the response to a successful AssumeRoleWithSAML request, including temporary Amazon Web +// Services credentials that can be used to make Amazon Web Services requests. type AssumeRoleWithSAMLOutput struct { // The identifiers for the temporary security credentials that the operation // returns. AssumedRoleUser *types.AssumedRoleUser - // The value of the Recipient attribute of the SubjectConfirmationData element of + // The value of the Recipient attribute of the SubjectConfirmationData element of // the SAML assertion. Audience *string // The temporary security credentials, which include an access key ID, a secret - // access key, and a security (or session) token. The size of the security token - // that STS API operations return is not fixed. We strongly recommend that you make - // no assumptions about the maximum size. + // access key, and a security (or session) token. + // + // The size of the security token that STS API operations return is not fixed. We + // strongly recommend that you make no assumptions about the maximum size. 
Credentials *types.Credentials // The value of the Issuer element of the SAML assertion. Issuer *string // A hash value based on the concatenation of the following: + // // - The Issuer response value. + // // - The Amazon Web Services account ID. + // // - The friendly name (the last part of the ARN) of the SAML provider in IAM. + // // The combination of NameQualifier and Subject can be used to uniquely identify a - // user. The following pseudocode shows how the hash value is calculated: BASE64 ( - // SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) ) + // user. + // + // The following pseudocode shows how the hash value is calculated: + // + // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) ) NameQualifier *string // A percentage value that indicates the packed size of the session policies and 
@@ -240,31 +304,36 @@ type AssumeRoleWithSAMLOutput struct { // allowed space. PackedPolicySize *int32 - // The value in the SourceIdentity attribute in the SAML assertion. You can - // require users to set a source identity value when they assume a role. You do - // this by using the sts:SourceIdentity condition key in a role trust policy. That - // way, actions that are taken with the role are associated with that user. After - // the source identity is set, the value cannot be changed. It is present in the - // request for all actions that are taken by the role and persists across chained - // role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining) - // sessions. You can configure your SAML identity provider to use an attribute - // associated with your users, like user name or email, as the source identity when - // calling AssumeRoleWithSAML . You do this by adding an attribute to the SAML - // assertion. For more information about using source identity, see Monitor and - // control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) - // in the IAM User Guide. The regex used to validate this parameter is a string of - // characters consisting of upper- and lower-case alphanumeric characters with no - // spaces. You can also include underscores or any of the following characters: - // =,.@- + // The value in the SourceIdentity attribute in the SAML assertion. + // + // You can require users to set a source identity value when they assume a role. + // You do this by using the sts:SourceIdentity condition key in a role trust + // policy. That way, actions that are taken with the role are associated with that + // user. After the source identity is set, the value cannot be changed. It is + // present in the request for all actions that are taken by the role and persists + // across [chained role]sessions. 
You can configure your SAML identity provider to use an + // attribute associated with your users, like user name or email, as the source + // identity when calling AssumeRoleWithSAML . You do this by adding an attribute to + // the SAML assertion. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in + // the IAM User Guide. + // + // The regex used to validate this parameter is a string of characters consisting + // of upper- and lower-case alphanumeric characters with no spaces. You can also + // include underscores or any of the following characters: =,.@- + // + // [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining + // [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html SourceIdentity *string // The value of the NameID element in the Subject element of the SAML assertion. Subject *string - // The format of the name ID, as defined by the Format attribute in the NameID + // The format of the name ID, as defined by the Format attribute in the NameID // element of the SAML assertion. Typical examples of the format are transient or - // persistent . If the format includes the prefix - // urn:oasis:names:tc:SAML:2.0:nameid-format , that prefix is removed. For example, + // persistent . + // + // If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format , + // that prefix is removed. For example, // urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as transient . // If the format includes any other prefix, the format is returned with no // modifications. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go index 98108ce6af0..6c8cf43e534 100644 
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go 
@@ -14,105 +14,143 @@ import (
 // Returns a set of temporary security credentials for users who have been
 // authenticated in a mobile or web application with a web identity provider.
 // Example providers include the OAuth 2.0 providers Login with Amazon and
-// Facebook, or any OpenID Connect-compatible identity provider such as Google or
-// Amazon Cognito federated identities (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
-// . For mobile applications, we recommend that you use Amazon Cognito. You can use
-// Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
-// and the Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
-// to uniquely identify a user. You can also supply the user with a consistent
-// identity throughout the lifetime of an application. To learn more about Amazon
-// Cognito, see Amazon Cognito identity pools (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
-// in Amazon Cognito Developer Guide. Calling AssumeRoleWithWebIdentity does not
-// require the use of Amazon Web Services security credentials. Therefore, you can
-// distribute an application (for example, on mobile devices) that requests
-// temporary security credentials without including long-term Amazon Web Services
-// credentials in the application. You also don't need to deploy server-based proxy
-// services that use long-term Amazon Web Services credentials. Instead, the
-// identity of the caller is validated by using a token from the web identity
-// provider. For a comparison of AssumeRoleWithWebIdentity with the other API
-// operations that produce temporary credentials, see Requesting Temporary
-// Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// in the IAM User Guide. The temporary security credentials returned by this API
-// consist of an access key ID, a secret access key, and a security token.
-// Applications can use these temporary security credentials to sign calls to
-// Amazon Web Services service API operations. Session Duration By default, the
-// temporary security credentials created by AssumeRoleWithWebIdentity last for
-// one hour. However, you can use the optional DurationSeconds parameter to
-// specify the duration of your session. You can provide a value from 900 seconds
-// (15 minutes) up to the maximum session duration setting for the role. This
-// setting can have a value from 1 hour to 12 hours. To learn how to view the
-// maximum value for your role, see View the Maximum Session Duration Setting for
-// a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
-// in the IAM User Guide. The maximum session duration limit applies when you use
-// the AssumeRole* API operations or the assume-role* CLI commands. However the
-// limit does not apply when you use those operations to create a console URL. For
-// more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
-// in the IAM User Guide. Permissions The temporary security credentials created by
-// AssumeRoleWithWebIdentity can be used to make API calls to any Amazon Web
-// Services service with the following exception: you cannot call the STS
-// GetFederationToken or GetSessionToken API operations. (Optional) You can pass
-// inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// to this operation. You can pass a single JSON policy document to use as an
-// inline session policy. You can also specify up to 10 managed policy Amazon
-// Resource Names (ARNs) to use as managed session policies. The plaintext that you
-// use for both inline and managed session policies can't exceed 2,048 characters.
-// Passing policies to this operation returns new temporary credentials. The
-// resulting session's permissions are the intersection of the role's
-// identity-based policy and the session policies. You can use the role's temporary
-// credentials in subsequent Amazon Web Services API calls to access resources in
-// the account that owns the role. You cannot use session policies to grant more
-// permissions than those allowed by the identity-based policy of the role that is
-// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// in the IAM User Guide. Tags (Optional) You can configure your IdP to pass
-// attributes into your web identity token as session tags. Each session tag
-// consists of a key name and an associated value. For more information about
-// session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// in the IAM User Guide. You can pass up to 50 session tags. The plaintext session
-// tag keys can’t exceed 128 characters and the values can’t exceed 256 characters.
-// For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
-// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
-// inline session policy, managed policy ARNs, and session tags into a packed
-// binary format that has a separate limit. Your request can fail for this limit
-// even if your plaintext meets the other requirements. The PackedPolicySize
-// response element indicates by percentage how close the policies and tags for
-// your request are to the upper size limit. You can pass a session tag with the
-// same key as a tag that is attached to the role. When you do, the session tag
-// overrides the role tag with the same key. An administrator must grant you the
-// permissions necessary to pass session tags. The administrator can also create
-// granular permissions to allow you to pass only specific session tags. For more
-// information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
-// in the IAM User Guide. You can set the session tags as transitive. Transitive
-// tags persist during role chaining. For more information, see Chaining Roles
-// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
-// in the IAM User Guide. Identities Before your application can call
-// AssumeRoleWithWebIdentity , you must have an identity token from a supported
-// identity provider and create a role that the application can assume. The role
-// that your application assumes must trust the identity provider that is
-// associated with the identity token. In other words, the identity provider must
-// be specified in the role's trust policy. Calling AssumeRoleWithWebIdentity can
-// result in an entry in your CloudTrail logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
-// of the provided web identity token. We recommend that you avoid using any
-// personally identifiable information (PII) in this field. For example, you could
-// instead use a GUID or a pairwise identifier, as suggested in the OIDC
-// specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes)
-// . For more information about how to use web identity federation and the
+// Facebook, or any OpenID Connect-compatible identity provider such as Google or [Amazon Cognito federated identities].
+//
+// For mobile applications, we recommend that you use Amazon Cognito. You can use
+// Amazon Cognito with the [Amazon Web Services SDK for iOS Developer Guide]and the [Amazon Web Services SDK for Android Developer Guide] to uniquely identify a user. You can also
+// supply the user with a consistent identity throughout the lifetime of an
+// application.
+//
+// To learn more about Amazon Cognito, see [Amazon Cognito identity pools] in Amazon Cognito Developer Guide.
+//
+// Calling AssumeRoleWithWebIdentity does not require the use of Amazon Web
+// Services security credentials. Therefore, you can distribute an application (for
+// example, on mobile devices) that requests temporary security credentials without
+// including long-term Amazon Web Services credentials in the application. You also
+// don't need to deploy server-based proxy services that use long-term Amazon Web
+// Services credentials. Instead, the identity of the caller is validated by using
+// a token from the web identity provider. For a comparison of
+// AssumeRoleWithWebIdentity with the other API operations that produce temporary
+// credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
+//
+// The temporary security credentials returned by this API consist of an access
+// key ID, a secret access key, and a security token. Applications can use these
+// temporary security credentials to sign calls to Amazon Web Services service API
+// operations.
+//
+// # Session Duration
+//
+// By default, the temporary security credentials created by
+// AssumeRoleWithWebIdentity last for one hour. However, you can use the optional
+// DurationSeconds parameter to specify the duration of your session. You can
+// provide a value from 900 seconds (15 minutes) up to the maximum session duration
+// setting for the role. This setting can have a value from 1 hour to 12 hours. To
+// learn how to view the maximum value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
+// The maximum session duration limit applies when you use the AssumeRole* API
+// operations or the assume-role* CLI commands. However the limit does not apply
+// when you use those operations to create a console URL. For more information, see
+// [Using IAM Roles]in the IAM User Guide.
+//
+// # Permissions
+//
+// The temporary security credentials created by AssumeRoleWithWebIdentity can be
+// used to make API calls to any Amazon Web Services service with the following
+// exception: you cannot call the STS GetFederationToken or GetSessionToken API
+// operations.
+//
+// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
+// single JSON policy document to use as an inline session policy. You can also
+// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
+// session policies. The plaintext that you use for both inline and managed session
+// policies can't exceed 2,048 characters. Passing policies to this operation
+// returns new temporary credentials. The resulting session's permissions are the
+// intersection of the role's identity-based policy and the session policies. You
+// can use the role's temporary credentials in subsequent Amazon Web Services API
+// calls to access resources in the account that owns the role. You cannot use
+// session policies to grant more permissions than those allowed by the
+// identity-based policy of the role that is being assumed. For more information,
+// see [Session Policies]in the IAM User Guide.
+//
+// # Tags
+//
+// (Optional) You can configure your IdP to pass attributes into your web identity
+// token as session tags. Each session tag consists of a key name and an associated
+// value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User Guide.
+//
+// You can pass up to 50 session tags. The plaintext session tag keys can’t exceed
+// 128 characters and the values can’t exceed 256 characters. For these and
+// additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
+//
+// An Amazon Web Services conversion compresses the passed inline session policy,
+// managed policy ARNs, and session tags into a packed binary format that has a
+// separate limit. Your request can fail for this limit even if your plaintext
+// meets the other requirements. The PackedPolicySize response element indicates
+// by percentage how close the policies and tags for your request are to the upper
+// size limit.
+//
+// You can pass a session tag with the same key as a tag that is attached to the
+// role. When you do, the session tag overrides the role tag with the same key.
+//
+// An administrator must grant you the permissions necessary to pass session tags.
+// The administrator can also create granular permissions to allow you to pass only
+// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
+//
+// You can set the session tags as transitive. Transitive tags persist during role
+// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
+//
+// # Identities
+//
+// Before your application can call AssumeRoleWithWebIdentity , you must have an
+// identity token from a supported identity provider and create a role that the
+// application can assume. The role that your application assumes must trust the
+// identity provider that is associated with the identity token. In other words,
+// the identity provider must be specified in the role's trust policy.
+//
+// Calling AssumeRoleWithWebIdentity can result in an entry in your CloudTrail
+// logs. The entry includes the [Subject]of the provided web identity token. We recommend
+// that you avoid using any personally identifiable information (PII) in this
+// field. For example, you could instead use a GUID or a pairwise identifier, as [suggested in the OIDC specification].
+//
+// For more information about how to use web identity federation and the
 // AssumeRoleWithWebIdentity API, see the following resources:
-// - Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
-// and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
-// .
-// - Web Identity Federation Playground (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/)
-// . Walk through the process of authenticating through Login with Amazon,
+//
+// [Using Web Identity Federation API Operations for Mobile Apps]
+// - and [Federation Through a Web-based Identity Provider].
+//
+// [Web Identity Federation Playground]
+// - . Walk through the process of authenticating through Login with Amazon,
 // Facebook, or Google, getting temporary security credentials, and then using
 // those credentials to make a request to Amazon Web Services.
-// - Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
-// and Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
-// . These toolkits contain sample apps that show how to invoke the identity
-// providers. The toolkits then show how to use the information from these
+//
+// [Amazon Web Services SDK for iOS Developer Guide]
+// - and [Amazon Web Services SDK for Android Developer Guide]. These toolkits contain sample apps that show how to invoke the
+// identity providers. The toolkits then show how to use the information from these
 // providers to get and use temporary security credentials.
-// - Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications)
-// . This article discusses web identity federation and shows an example of how to
-// use web identity federation to get access to content in Amazon S3.
+//
+// [Web Identity Federation with Mobile Applications]
+// - . This article discusses web identity federation and shows an example of
+// how to use web identity federation to get access to content in Amazon S3.
+//
+// [Amazon Web Services SDK for iOS Developer Guide]: http://aws.amazon.com/sdkforios/
+// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+// [Web Identity Federation Playground]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
+// [Amazon Web Services SDK for Android Developer Guide]: http://aws.amazon.com/sdkforandroid/
+// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Subject]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
+// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
+// [Amazon Cognito identity pools]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
+// [Federation Through a Web-based Identity Provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
+// [Using IAM Roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Amazon Cognito federated identities]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
+// [Web Identity Federation with Mobile Applications]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
+// [Using Web Identity Federation API Operations for Mobile Apps]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
+// [suggested in the OIDC specification]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
 func (c *Client) AssumeRoleWithWebIdentity(ctx context.Context, params *AssumeRoleWithWebIdentityInput, optFns ...func(*Options)) (*AssumeRoleWithWebIdentityOutput, error) {
 if params == nil {
 params = &AssumeRoleWithWebIdentityInput{}
@@ -139,10 +177,11 @@ type AssumeRoleWithWebIdentityInput struct {
 // identifier that is associated with the user who is using your application. That
 // way, the temporary security credentials that your application will use are
 // associated with that user. This session name is included as part of the ARN and
- // assumed role ID in the AssumedRoleUser response element. The regex used to
- // validate this parameter is a string of characters consisting of upper- and
- // lower-case alphanumeric characters with no spaces. You can also include
- // underscores or any of the following characters: =,.@-
+ // assumed role ID in the AssumedRoleUser response element.
+ //
+ // The regex used to validate this parameter is a string of characters consisting
+ // of upper- and lower-case alphanumeric characters with no spaces. You can also
+ // include underscores or any of the following characters: =,.@-
 //
 // This member is required.
 RoleSessionName *string
@@ -162,73 +201,90 @@ type AssumeRoleWithWebIdentityInput struct { // higher than this setting, the operation fails. For example, if you specify a // session duration of 12 hours, but your administrator set the maximum session // duration to 6 hours, your operation fails. To learn how to view the maximum - // value for your role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) - // in the IAM User Guide. By default, the value is set to 3600 seconds. The - // DurationSeconds parameter is separate from the duration of a console session - // that you might request using the returned credentials. The request to the - // federation endpoint for a console sign-in token takes a SessionDuration + // value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide. + // + // By default, the value is set to 3600 seconds. + // + // The DurationSeconds parameter is separate from the duration of a console + // session that you might request using the returned credentials. The request to + // the federation endpoint for a console sign-in token takes a SessionDuration // parameter that specifies the maximum length of the console session. For more - // information, see Creating a URL that Enables Federated Users to Access the - // Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) - // in the IAM User Guide. + // information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide. 
+ // + // [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session + // [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html DurationSeconds *int32 // An IAM policy in JSON format that you want to use as an inline session policy. + // // This parameter is optional. Passing policies to this operation returns new // temporary credentials. The resulting session's permissions are the intersection // of the role's identity-based policy and the session policies. You can use the // role's temporary credentials in subsequent Amazon Web Services API calls to // access resources in the account that owns the role. You cannot use session // policies to grant more permissions than those allowed by the identity-based - // policy of the role that is being assumed. For more information, see Session - // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) - // in the IAM User Guide. The plaintext that you use for both inline and managed - // session policies can't exceed 2,048 characters. The JSON policy characters can - // be any ASCII character from the space character to the end of the valid - // character list (\u0020 through \u00FF). It can also include the tab (\u0009), - // linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web - // Services conversion compresses the passed inline session policy, managed policy - // ARNs, and session tags into a packed binary format that has a separate limit. - // Your request can fail for this limit even if your plaintext meets the other - // requirements. The PackedPolicySize response element indicates by percentage how - // close the policies and tags for your request are to the upper size limit. 
+ // policy of the role that is being assumed. For more information, see [Session Policies]in the IAM + // User Guide. + // + // The plaintext that you use for both inline and managed session policies can't + // exceed 2,048 characters. The JSON policy characters can be any ASCII character + // from the space character to the end of the valid character list (\u0020 through + // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage + // return (\u000D) characters. + // + // An Amazon Web Services conversion compresses the passed inline session policy, + // managed policy ARNs, and session tags into a packed binary format that has a + // separate limit. Your request can fail for this limit even if your plaintext + // meets the other requirements. The PackedPolicySize response element indicates + // by percentage how close the policies and tags for your request are to the upper + // size limit. + // + // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Policy *string // The Amazon Resource Names (ARNs) of the IAM managed policies that you want to // use as managed session policies. The policies must exist in the same account as - // the role. This parameter is optional. You can provide up to 10 managed policy - // ARNs. However, the plaintext that you use for both inline and managed session - // policies can't exceed 2,048 characters. For more information about ARNs, see - // Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // in the Amazon Web Services General Reference. An Amazon Web Services conversion - // compresses the passed inline session policy, managed policy ARNs, and session - // tags into a packed binary format that has a separate limit. Your request can - // fail for this limit even if your plaintext meets the other requirements. 
The - // PackedPolicySize response element indicates by percentage how close the policies - // and tags for your request are to the upper size limit. Passing policies to this - // operation returns new temporary credentials. The resulting session's permissions - // are the intersection of the role's identity-based policy and the session - // policies. You can use the role's temporary credentials in subsequent Amazon Web - // Services API calls to access resources in the account that owns the role. You - // cannot use session policies to grant more permissions than those allowed by the - // identity-based policy of the role that is being assumed. For more information, - // see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) - // in the IAM User Guide. + // the role. + // + // This parameter is optional. You can provide up to 10 managed policy ARNs. + // However, the plaintext that you use for both inline and managed session policies + // can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the + // Amazon Web Services General Reference. + // + // An Amazon Web Services conversion compresses the passed inline session policy, + // managed policy ARNs, and session tags into a packed binary format that has a + // separate limit. Your request can fail for this limit even if your plaintext + // meets the other requirements. The PackedPolicySize response element indicates + // by percentage how close the policies and tags for your request are to the upper + // size limit. + // + // Passing policies to this operation returns new temporary credentials. The + // resulting session's permissions are the intersection of the role's + // identity-based policy and the session policies. 
You can use the role's temporary + // credentials in subsequent Amazon Web Services API calls to access resources in + // the account that owns the role. You cannot use session policies to grant more + // permissions than those allowed by the identity-based policy of the role that is + // being assumed. For more information, see [Session Policies]in the IAM User Guide. + // + // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session + // [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html PolicyArns []types.PolicyDescriptorType // The fully qualified host component of the domain name of the OAuth 2.0 identity // provider. Do not specify this value for an OpenID Connect identity provider. + // // Currently www.amazon.com and graph.facebook.com are the only supported identity // providers for OAuth 2.0 access tokens. Do not include URL schemes and port - // numbers. Do not specify this value for OpenID Connect ID tokens. + // numbers. + // + // Do not specify this value for OpenID Connect ID tokens. ProviderId *string noSmithyDocumentSerde } -// Contains the response to a successful AssumeRoleWithWebIdentity request, -// including temporary Amazon Web Services credentials that can be used to make -// Amazon Web Services requests. +// Contains the response to a successful AssumeRoleWithWebIdentity request, including temporary Amazon Web +// Services credentials that can be used to make Amazon Web Services requests. type AssumeRoleWithWebIdentityOutput struct { // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers 
@@ -244,9 +300,10 @@ type AssumeRoleWithWebIdentityOutput struct { Audience *string // The temporary security credentials, which include an access key ID, a secret - // access key, and a security token. The size of the security token that STS API - // operations return is not fixed. We strongly recommend that you make no - // assumptions about the maximum size. + // access key, and a security token. + // + // The size of the security token that STS API operations return is not fixed. We + // strongly recommend that you make no assumptions about the maximum size. Credentials *types.Credentials // A percentage value that indicates the packed size of the session policies and 
@@ -255,30 +312,34 @@ type AssumeRoleWithWebIdentityOutput struct { // allowed space. PackedPolicySize *int32 - // The issuing authority of the web identity token presented. For OpenID Connect + // The issuing authority of the web identity token presented. For OpenID Connect // ID tokens, this contains the value of the iss field. For OAuth 2.0 access // tokens, this contains the value of the ProviderId parameter that was passed in // the AssumeRoleWithWebIdentity request. Provider *string // The value of the source identity that is returned in the JSON web token (JWT) - // from the identity provider. You can require users to set a source identity value - // when they assume a role. You do this by using the sts:SourceIdentity condition - // key in a role trust policy. That way, actions that are taken with the role are - // associated with that user. After the source identity is set, the value cannot be - // changed. It is present in the request for all actions that are taken by the role - // and persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining) - // sessions. You can configure your identity provider to use an attribute + // from the identity provider. + // + // You can require users to set a source identity value when they assume a role. + // You do this by using the sts:SourceIdentity condition key in a role trust + // policy. That way, actions that are taken with the role are associated with that + // user. After the source identity is set, the value cannot be changed. It is + // present in the request for all actions that are taken by the role and persists + // across [chained role]sessions. You can configure your identity provider to use an attribute // associated with your users, like user name or email, as the source identity when // calling AssumeRoleWithWebIdentity . You do this by adding a claim to the JSON - // web token. 
To learn more about OIDC tokens and claims, see Using Tokens with - // User Pools (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html) - // in the Amazon Cognito Developer Guide. For more information about using source - // identity, see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) - // in the IAM User Guide. The regex used to validate this parameter is a string of - // characters consisting of upper- and lower-case alphanumeric characters with no - // spaces. You can also include underscores or any of the following characters: - // =,.@- + // web token. To learn more about OIDC tokens and claims, see [Using Tokens with User Pools]in the Amazon + // Cognito Developer Guide. For more information about using source identity, see [Monitor and control actions taken with assumed roles] + // in the IAM User Guide. + // + // The regex used to validate this parameter is a string of characters consisting + // of upper- and lower-case alphanumeric characters with no spaces. You can also + // include underscores or any of the following characters: =,.@- + // + // [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining + // [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html + // [Using Tokens with User Pools]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html SourceIdentity *string // The unique user identifier that is returned by the identity provider. This 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go
index b4ad54ab2fa..186a8cb5838 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go
@@ -11,28 +11,39 @@ import ( ) // Decodes additional information about the authorization status of a request from -// an encoded message returned in response to an Amazon Web Services request. For -// example, if a user is not authorized to perform an operation that he or she has -// requested, the request returns a Client.UnauthorizedOperation response (an HTTP -// 403 response). Some Amazon Web Services operations additionally return an -// encoded message that can provide details about this authorization failure. Only -// certain Amazon Web Services operations return an encoded authorization message. -// The documentation for an individual operation indicates whether that operation -// returns an encoded message in addition to returning an HTTP code. The message is -// encoded because the details of the authorization status can contain privileged -// information that the user who requested the operation should not see. To decode -// an authorization status message, a user must be granted permissions through an -// IAM policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) -// to request the DecodeAuthorizationMessage ( sts:DecodeAuthorizationMessage ) -// action. The decoded message includes the following type of information: +// an encoded message returned in response to an Amazon Web Services request. +// +// For example, if a user is not authorized to perform an operation that he or she +// has requested, the request returns a Client.UnauthorizedOperation response (an +// HTTP 403 response). Some Amazon Web Services operations additionally return an +// encoded message that can provide details about this authorization failure. +// +// Only certain Amazon Web Services operations return an encoded authorization +// message. The documentation for an individual operation indicates whether that +// operation returns an encoded message in addition to returning an HTTP code. 
+// +// The message is encoded because the details of the authorization status can +// contain privileged information that the user who requested the operation should +// not see. To decode an authorization status message, a user must be granted +// permissions through an IAM [policy]to request the DecodeAuthorizationMessage ( +// sts:DecodeAuthorizationMessage ) action. +// +// The decoded message includes the following type of information: +// // - Whether the request was denied due to an explicit deny or due to the -// absence of an explicit allow. For more information, see Determining Whether a -// Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow) -// in the IAM User Guide. +// absence of an explicit allow. For more information, see [Determining Whether a Request is Allowed or Denied]in the IAM User +// Guide. +// // - The principal who made the request. +// // - The requested action. +// // - The requested resource. +// // - The values of condition keys in the context of the user's request. +// +// [Determining Whether a Request is Allowed or Denied]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow +// [policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html func (c *Client) DecodeAuthorizationMessage(ctx context.Context, params *DecodeAuthorizationMessageInput, optFns ...func(*Options)) (*DecodeAuthorizationMessageOutput, error) { if params == nil { params = &DecodeAuthorizationMessageInput{} diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go index 1f7cbcc2bbb..b6eb6401af0 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go 
@@ -10,23 +10,31 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Returns the account identifier for the specified access key ID. Access keys -// consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE ) and -// a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY ). -// For more information about access keys, see Managing Access Keys for IAM Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) -// in the IAM User Guide. When you pass an access key ID to this operation, it -// returns the ID of the Amazon Web Services account to which the keys belong. -// Access key IDs beginning with AKIA are long-term credentials for an IAM user or -// the Amazon Web Services account root user. Access key IDs beginning with ASIA -// are temporary credentials that are created using STS operations. If the account -// in the response belongs to you, you can sign in as the root user and review your -// root user access keys. Then, you can pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html) -// to learn which IAM user owns the keys. To learn who requested the temporary -// credentials for an ASIA access key, view the STS events in your CloudTrail logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html) -// in the IAM User Guide. This operation does not indicate the state of the access -// key. The key might be active, inactive, or deleted. Active keys might not have -// permissions to perform an operation. Providing a deleted access key might return -// an error that the key doesn't exist. +// Returns the account identifier for the specified access key ID. +// +// Access keys consist of two parts: an access key ID (for example, +// AKIAIOSFODNN7EXAMPLE ) and a secret access key (for example, +// wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY ). 
For more information about access +// keys, see [Managing Access Keys for IAM Users]in the IAM User Guide. +// +// When you pass an access key ID to this operation, it returns the ID of the +// Amazon Web Services account to which the keys belong. Access key IDs beginning +// with AKIA are long-term credentials for an IAM user or the Amazon Web Services +// account root user. Access key IDs beginning with ASIA are temporary credentials +// that are created using STS operations. If the account in the response belongs to +// you, you can sign in as the root user and review your root user access keys. +// Then, you can pull a [credentials report]to learn which IAM user owns the keys. To learn who +// requested the temporary credentials for an ASIA access key, view the STS events +// in your [CloudTrail logs]in the IAM User Guide. +// +// This operation does not indicate the state of the access key. The key might be +// active, inactive, or deleted. Active keys might not have permissions to perform +// an operation. Providing a deleted access key might return an error that the key +// doesn't exist. +// +// [credentials report]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html +// [CloudTrail logs]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html +// [Managing Access Keys for IAM Users]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html func (c *Client) GetAccessKeyInfo(ctx context.Context, params *GetAccessKeyInfoInput, optFns ...func(*Options)) (*GetAccessKeyInfoOutput, error) { if params == nil { params = &GetAccessKeyInfoInput{} 
@@ -44,9 +52,10 @@ func (c *Client) GetAccessKeyInfo(ctx context.Context, params *GetAccessKeyInfoI type GetAccessKeyInfoInput struct { - // The identifier of an access key. This parameter allows (through its regex - // pattern) a string of characters that can consist of any upper- or lowercase - // letter or digit. + // The identifier of an access key. + // + // This parameter allows (through its regex pattern) a string of characters that + // can consist of any upper- or lowercase letter or digit. // // This member is required. AccessKeyId *string diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go index acb7ede44fd..ed4c82832a3 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go 
@@ -12,13 +12,15 @@ import ( ) // Returns details about the IAM user or role whose credentials are used to call -// the operation. No permissions are required to perform this operation. If an -// administrator attaches a policy to your identity that explicitly denies access -// to the sts:GetCallerIdentity action, you can still perform this operation. -// Permissions are not required because the same information is returned when -// access is denied. To view an example response, see I Am Not Authorized to -// Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa) -// in the IAM User Guide. +// the operation. +// +// No permissions are required to perform this operation. If an administrator +// attaches a policy to your identity that explicitly denies access to the +// sts:GetCallerIdentity action, you can still perform this operation. Permissions +// are not required because the same information is returned when access is denied. +// To view an example response, see [I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice]in the IAM User Guide. +// +// [I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa func (c *Client) GetCallerIdentity(ctx context.Context, params *GetCallerIdentityInput, optFns ...func(*Options)) (*GetCallerIdentityOutput, error) { if params == nil { params = &GetCallerIdentityInput{} 
@@ -38,8 +40,8 @@ type GetCallerIdentityInput struct { noSmithyDocumentSerde } -// Contains the response to a successful GetCallerIdentity request, including -// information about the entity making the request. +// Contains the response to a successful GetCallerIdentity request, including information about the +// entity making the request. type GetCallerIdentityOutput struct { // The Amazon Web Services account ID number of the account that owns or contains @@ -51,8 +53,10 @@ type GetCallerIdentityOutput struct { // The unique identifier of the calling entity. The exact value depends on the // type of entity that is making the call. The values returned are those listed in - // the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable) - // found on the Policy Variables reference page in the IAM User Guide. + // the aws:userid column in the [Principal table]found on the Policy Variables reference page in + // the IAM User Guide. + // + // [Principal table]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable UserId *string // Metadata pertaining to the operation's result. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go index 3679618cb5a..37bde0cce6b 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go 
@@ -14,74 +14,100 @@ import ( // Returns a set of temporary security credentials (consisting of an access key // ID, a secret access key, and a security token) for a user. A typical use is in a // proxy application that gets temporary security credentials on behalf of -// distributed applications inside a corporate network. You must call the -// GetFederationToken operation using the long-term security credentials of an IAM -// user. As a result, this call is appropriate in contexts where those credentials -// can be safeguarded, usually in a server-based application. For a comparison of -// GetFederationToken with the other API operations that produce temporary -// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) -// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) -// in the IAM User Guide. Although it is possible to call GetFederationToken using -// the security credentials of an Amazon Web Services account root user rather than -// an IAM user that you create for the purpose of a proxy application, we do not -// recommend it. For more information, see Safeguard your root user credentials -// and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials) -// in the IAM User Guide. You can create a mobile-based or browser-based app that -// can authenticate users using a web identity provider like Login with Amazon, -// Facebook, Google, or an OpenID Connect-compatible identity provider. In this -// case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/) -// or AssumeRoleWithWebIdentity . 
For more information, see Federation Through a -// Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity) -// in the IAM User Guide. Session duration The temporary credentials are valid for -// the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 -// seconds (36 hours). The default session duration is 43,200 seconds (12 hours). -// Temporary credentials obtained by using the root user credentials have a maximum -// duration of 3,600 seconds (1 hour). Permissions You can use the temporary -// credentials created by GetFederationToken in any Amazon Web Services service -// with the following exceptions: +// distributed applications inside a corporate network. +// +// You must call the GetFederationToken operation using the long-term security +// credentials of an IAM user. As a result, this call is appropriate in contexts +// where those credentials can be safeguarded, usually in a server-based +// application. For a comparison of GetFederationToken with the other API +// operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide. +// +// Although it is possible to call GetFederationToken using the security +// credentials of an Amazon Web Services account root user rather than an IAM user +// that you create for the purpose of a proxy application, we do not recommend it. +// For more information, see [Safeguard your root user credentials and don't use them for everyday tasks]in the IAM User Guide. +// +// You can create a mobile-based or browser-based app that can authenticate users +// using a web identity provider like Login with Amazon, Facebook, Google, or an +// OpenID Connect-compatible identity provider. In this case, we recommend that you +// use [Amazon Cognito]or AssumeRoleWithWebIdentity . 
For more information, see [Federation Through a Web-based Identity Provider] in the IAM User +// Guide. +// +// # Session duration +// +// The temporary credentials are valid for the specified duration, from 900 +// seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default +// session duration is 43,200 seconds (12 hours). Temporary credentials obtained by +// using the root user credentials have a maximum duration of 3,600 seconds (1 +// hour). +// +// # Permissions +// +// You can use the temporary credentials created by GetFederationToken in any +// Amazon Web Services service with the following exceptions: +// // - You cannot call any IAM operations using the CLI or the Amazon Web Services // API. This limitation does not apply to console sessions. +// // - You cannot call any STS operations except GetCallerIdentity . // -// You can use temporary credentials for single sign-on (SSO) to the console. You -// must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) -// to this operation. You can pass a single JSON policy document to use as an -// inline session policy. You can also specify up to 10 managed policy Amazon -// Resource Names (ARNs) to use as managed session policies. The plaintext that you -// use for both inline and managed session policies can't exceed 2,048 characters. +// You can use temporary credentials for single sign-on (SSO) to the console. +// +// You must pass an inline or managed [session policy] to this operation. You can pass a single +// JSON policy document to use as an inline session policy. You can also specify up +// to 10 managed policy Amazon Resource Names (ARNs) to use as managed session +// policies. The plaintext that you use for both inline and managed session +// policies can't exceed 2,048 characters. 
+// // Though the session policy parameters are optional, if you do not pass a policy, // then the resulting federated user session has no permissions. When you pass // session policies, the session permissions are the intersection of the IAM user // policies and the session policies that you pass. This gives you a way to further // restrict the permissions for a federated user. You cannot use session policies // to grant more permissions than those that are defined in the permissions policy -// of the IAM user. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) -// in the IAM User Guide. For information about using GetFederationToken to create -// temporary security credentials, see GetFederationToken—Federation Through a -// Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken) -// . You can use the credentials to access a resource that has a resource-based +// of the IAM user. For more information, see [Session Policies]in the IAM User Guide. For +// information about using GetFederationToken to create temporary security +// credentials, see [GetFederationToken—Federation Through a Custom Identity Broker]. +// +// You can use the credentials to access a resource that has a resource-based // policy. If that policy specifically references the federated user session in the // Principal element of the policy, the session has the permissions allowed by the // policy. These permissions are granted in addition to the permissions granted by -// the session policies. Tags (Optional) You can pass tag key-value pairs to your -// session. These are called session tags. For more information about session tags, -// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) -// in the IAM User Guide. 
You can create a mobile-based or browser-based app that -// can authenticate users using a web identity provider like Login with Amazon, -// Facebook, Google, or an OpenID Connect-compatible identity provider. In this -// case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/) -// or AssumeRoleWithWebIdentity . For more information, see Federation Through a -// Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity) -// in the IAM User Guide. An administrator must grant you the permissions necessary -// to pass session tags. The administrator can also create granular permissions to -// allow you to pass only specific session tags. For more information, see -// Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) -// in the IAM User Guide. Tag key–value pairs are not case sensitive, but case is -// preserved. This means that you cannot have separate Department and department -// tag keys. Assume that the user that you are federating has the Department = -// Marketing tag and you pass the department = engineering session tag. Department -// and department are not saved as separate tags, and the session tag passed in -// the request takes precedence over the user tag. +// the session policies. +// +// # Tags +// +// (Optional) You can pass tag key-value pairs to your session. These are called +// session tags. For more information about session tags, see [Passing Session Tags in STS]in the IAM User +// Guide. +// +// You can create a mobile-based or browser-based app that can authenticate users +// using a web identity provider like Login with Amazon, Facebook, Google, or an +// OpenID Connect-compatible identity provider. In this case, we recommend that you +// use [Amazon Cognito]or AssumeRoleWithWebIdentity . 
For more information, see [Federation Through a Web-based Identity Provider] in the IAM User +// Guide. +// +// An administrator must grant you the permissions necessary to pass session tags. +// The administrator can also create granular permissions to allow you to pass only +// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide. +// +// Tag key–value pairs are not case sensitive, but case is preserved. This means +// that you cannot have separate Department and department tag keys. Assume that +// the user that you are federating has the Department = Marketing tag and you +// pass the department = engineering session tag. Department and department are +// not saved as separate tags, and the session tag passed in the request takes +// precedence over the user tag. +// +// [Federation Through a Web-based Identity Provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity +// [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session +// [Amazon Cognito]: http://aws.amazon.com/cognito/ +// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session +// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html +// [GetFederationToken—Federation Through a Custom Identity Broker]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken +// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison +// [Safeguard your root user credentials and don't use them for everyday tasks]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials +// [Requesting Temporary Security Credentials]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html +// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html func (c *Client) GetFederationToken(ctx context.Context, params *GetFederationTokenInput, optFns ...func(*Options)) (*GetFederationTokenOutput, error) { if params == nil { params = &GetFederationTokenInput{} @@ -102,10 +128,11 @@ type GetFederationTokenInput struct { // The name of the federated user. The name is used as an identifier for the // temporary security credentials (such as Bob ). For example, you can reference // the federated user name in a resource-based policy, such as in an Amazon S3 - // bucket policy. The regex used to validate this parameter is a string of - // characters consisting of upper- and lower-case alphanumeric characters with no - // spaces. You can also include underscores or any of the following characters: - // =,.@- + // bucket policy. + // + // The regex used to validate this parameter is a string of characters consisting + // of upper- and lower-case alphanumeric characters with no spaces. You can also + // include underscores or any of the following characters: =,.@- // // This member is required. Name *string 
@@ -119,99 +146,127 @@ type GetFederationTokenInput struct { DurationSeconds *int32 // An IAM policy in JSON format that you want to use as an inline session policy. - // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) - // to this operation. You can pass a single JSON policy document to use as an - // inline session policy. You can also specify up to 10 managed policy Amazon - // Resource Names (ARNs) to use as managed session policies. This parameter is - // optional. However, if you do not pass any session policies, then the resulting - // federated user session has no permissions. When you pass session policies, the - // session permissions are the intersection of the IAM user policies and the - // session policies that you pass. This gives you a way to further restrict the - // permissions for a federated user. You cannot use session policies to grant more - // permissions than those that are defined in the permissions policy of the IAM - // user. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) - // in the IAM User Guide. The resulting credentials can be used to access a - // resource that has a resource-based policy. If that policy specifically - // references the federated user session in the Principal element of the policy, - // the session has the permissions allowed by the policy. These permissions are - // granted in addition to the permissions that are granted by the session policies. + // + // You must pass an inline or managed [session policy] to this operation. You can pass a single + // JSON policy document to use as an inline session policy. You can also specify up + // to 10 managed policy Amazon Resource Names (ARNs) to use as managed session + // policies. + // + // This parameter is optional. 
However, if you do not pass any session policies, + // then the resulting federated user session has no permissions. + // + // When you pass session policies, the session permissions are the intersection of + // the IAM user policies and the session policies that you pass. This gives you a + // way to further restrict the permissions for a federated user. You cannot use + // session policies to grant more permissions than those that are defined in the + // permissions policy of the IAM user. For more information, see [Session Policies]in the IAM User + // Guide. + // + // The resulting credentials can be used to access a resource that has a + // resource-based policy. If that policy specifically references the federated user + // session in the Principal element of the policy, the session has the permissions + // allowed by the policy. These permissions are granted in addition to the + // permissions that are granted by the session policies. + // // The plaintext that you use for both inline and managed session policies can't // exceed 2,048 characters. The JSON policy characters can be any ASCII character // from the space character to the end of the valid character list (\u0020 through // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage - // return (\u000D) characters. An Amazon Web Services conversion compresses the - // passed inline session policy, managed policy ARNs, and session tags into a - // packed binary format that has a separate limit. Your request can fail for this - // limit even if your plaintext meets the other requirements. The PackedPolicySize - // response element indicates by percentage how close the policies and tags for - // your request are to the upper size limit. + // return (\u000D) characters. + // + // An Amazon Web Services conversion compresses the passed inline session policy, + // managed policy ARNs, and session tags into a packed binary format that has a + // separate limit. 
Your request can fail for this limit even if your plaintext + // meets the other requirements. The PackedPolicySize response element indicates + // by percentage how close the policies and tags for your request are to the upper + // size limit. + // + // [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session + // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Policy *string // The Amazon Resource Names (ARNs) of the IAM managed policies that you want to // use as a managed session policy. The policies must exist in the same account as - // the IAM user that is requesting federated access. You must pass an inline or - // managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) - // to this operation. You can pass a single JSON policy document to use as an - // inline session policy. You can also specify up to 10 managed policy Amazon - // Resource Names (ARNs) to use as managed session policies. The plaintext that you - // use for both inline and managed session policies can't exceed 2,048 characters. - // You can provide up to 10 managed policy ARNs. For more information about ARNs, - // see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // in the Amazon Web Services General Reference. This parameter is optional. - // However, if you do not pass any session policies, then the resulting federated - // user session has no permissions. When you pass session policies, the session - // permissions are the intersection of the IAM user policies and the session - // policies that you pass. This gives you a way to further restrict the permissions - // for a federated user. You cannot use session policies to grant more permissions - // than those that are defined in the permissions policy of the IAM user. 
For more - // information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) - // in the IAM User Guide. The resulting credentials can be used to access a - // resource that has a resource-based policy. If that policy specifically - // references the federated user session in the Principal element of the policy, - // the session has the permissions allowed by the policy. These permissions are - // granted in addition to the permissions that are granted by the session policies. + // the IAM user that is requesting federated access. + // + // You must pass an inline or managed [session policy] to this operation. You can pass a single + // JSON policy document to use as an inline session policy. You can also specify up + // to 10 managed policy Amazon Resource Names (ARNs) to use as managed session + // policies. The plaintext that you use for both inline and managed session + // policies can't exceed 2,048 characters. You can provide up to 10 managed policy + // ARNs. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the Amazon Web Services General + // Reference. + // + // This parameter is optional. However, if you do not pass any session policies, + // then the resulting federated user session has no permissions. + // + // When you pass session policies, the session permissions are the intersection of + // the IAM user policies and the session policies that you pass. This gives you a + // way to further restrict the permissions for a federated user. You cannot use + // session policies to grant more permissions than those that are defined in the + // permissions policy of the IAM user. For more information, see [Session Policies]in the IAM User + // Guide. + // + // The resulting credentials can be used to access a resource that has a + // resource-based policy. 
If that policy specifically references the federated user + // session in the Principal element of the policy, the session has the permissions + // allowed by the policy. These permissions are granted in addition to the + // permissions that are granted by the session policies. + // // An Amazon Web Services conversion compresses the passed inline session policy, // managed policy ARNs, and session tags into a packed binary format that has a // separate limit. Your request can fail for this limit even if your plaintext // meets the other requirements. The PackedPolicySize response element indicates // by percentage how close the policies and tags for your request are to the upper // size limit. + // + // [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session + // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session + // [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html PolicyArns []types.PolicyDescriptorType // A list of session tags. Each session tag consists of a key name and an - // associated value. For more information about session tags, see Passing Session - // Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) - // in the IAM User Guide. This parameter is optional. You can pass up to 50 session - // tags. The plaintext session tag keys can’t exceed 128 characters and the values - // can’t exceed 256 characters. For these and additional limits, see IAM and STS - // Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) - // in the IAM User Guide. An Amazon Web Services conversion compresses the passed - // inline session policy, managed policy ARNs, and session tags into a packed - // binary format that has a separate limit. 
Your request can fail for this limit - // even if your plaintext meets the other requirements. The PackedPolicySize - // response element indicates by percentage how close the policies and tags for - // your request are to the upper size limit. You can pass a session tag with the - // same key as a tag that is already attached to the user you are federating. When - // you do, session tags override a user tag with the same key. Tag key–value pairs - // are not case sensitive, but case is preserved. This means that you cannot have - // separate Department and department tag keys. Assume that the role has the - // Department = Marketing tag and you pass the department = engineering session - // tag. Department and department are not saved as separate tags, and the session - // tag passed in the request takes precedence over the role tag. + // associated value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User + // Guide. + // + // This parameter is optional. You can pass up to 50 session tags. The plaintext + // session tag keys can’t exceed 128 characters and the values can’t exceed 256 + // characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User Guide. + // + // An Amazon Web Services conversion compresses the passed inline session policy, + // managed policy ARNs, and session tags into a packed binary format that has a + // separate limit. Your request can fail for this limit even if your plaintext + // meets the other requirements. The PackedPolicySize response element indicates + // by percentage how close the policies and tags for your request are to the upper + // size limit. + // + // You can pass a session tag with the same key as a tag that is already attached + // to the user you are federating. When you do, session tags override a user tag + // with the same key. + // + // Tag key–value pairs are not case sensitive, but case is preserved. 
This means + // that you cannot have separate Department and department tag keys. Assume that + // the role has the Department = Marketing tag and you pass the department = + // engineering session tag. Department and department are not saved as separate + // tags, and the session tag passed in the request takes precedence over the role + // tag. + // + // [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html + // [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length Tags []types.Tag noSmithyDocumentSerde } -// Contains the response to a successful GetFederationToken request, including -// temporary Amazon Web Services credentials that can be used to make Amazon Web -// Services requests. +// Contains the response to a successful GetFederationToken request, including temporary Amazon Web +// Services credentials that can be used to make Amazon Web Services requests. type GetFederationTokenOutput struct { // The temporary security credentials, which include an access key ID, a secret - // access key, and a security (or session) token. The size of the security token - // that STS API operations return is not fixed. We strongly recommend that you make - // no assumptions about the maximum size. + // access key, and a security (or session) token. + // + // The size of the security token that STS API operations return is not fixed. We + // strongly recommend that you make no assumptions about the maximum size. Credentials *types.Credentials // Identifiers for the federated user associated with the credentials (such as diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go index 751fb147d4b..097ccd84480 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go 
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go 
@@ -15,43 +15,58 @@ import ( // IAM user. The credentials consist of an access key ID, a secret access key, and // a security token. Typically, you use GetSessionToken if you want to use MFA to // protect programmatic calls to specific Amazon Web Services API operations like -// Amazon EC2 StopInstances . MFA-enabled IAM users must call GetSessionToken and -// submit an MFA code that is associated with their MFA device. Using the temporary -// security credentials that the call returns, IAM users can then make programmatic -// calls to API operations that require MFA authentication. An incorrect MFA code -// causes the API to return an access denied error. For a comparison of -// GetSessionToken with the other API operations that produce temporary -// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) -// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) -// in the IAM User Guide. No permissions are required for users to perform this -// operation. The purpose of the sts:GetSessionToken operation is to authenticate -// the user using MFA. You cannot use policies to control authentication -// operations. For more information, see Permissions for GetSessionToken (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html) -// in the IAM User Guide. Session Duration The GetSessionToken operation must be -// called by using the long-term Amazon Web Services security credentials of an IAM -// user. Credentials that are created by IAM users are valid for the duration that -// you specify. This duration can range from 900 seconds (15 minutes) up to a -// maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 -// hours). 
Credentials based on account credentials can range from 900 seconds (15 -// minutes) up to 3,600 seconds (1 hour), with a default of 1 hour. Permissions The -// temporary security credentials created by GetSessionToken can be used to make -// API calls to any Amazon Web Services service with the following exceptions: +// Amazon EC2 StopInstances . +// +// MFA-enabled IAM users must call GetSessionToken and submit an MFA code that is +// associated with their MFA device. Using the temporary security credentials that +// the call returns, IAM users can then make programmatic calls to API operations +// that require MFA authentication. An incorrect MFA code causes the API to return +// an access denied error. For a comparison of GetSessionToken with the other API +// operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide. +// +// No permissions are required for users to perform this operation. The purpose of +// the sts:GetSessionToken operation is to authenticate the user using MFA. You +// cannot use policies to control authentication operations. For more information, +// see [Permissions for GetSessionToken]in the IAM User Guide. +// +// # Session Duration +// +// The GetSessionToken operation must be called by using the long-term Amazon Web +// Services security credentials of an IAM user. Credentials that are created by +// IAM users are valid for the duration that you specify. This duration can range +// from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), +// with a default of 43,200 seconds (12 hours). Credentials based on account +// credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1 +// hour), with a default of 1 hour. 
+// +// # Permissions +// +// The temporary security credentials created by GetSessionToken can be used to +// make API calls to any Amazon Web Services service with the following exceptions: +// // - You cannot call any IAM API operations unless MFA authentication // information is included in the request. +// // - You cannot call any STS API except AssumeRole or GetCallerIdentity . // // The credentials that GetSessionToken returns are based on permissions // associated with the IAM user whose credentials were used to call the operation. -// The temporary credentials have the same permissions as the IAM user. Although it -// is possible to call GetSessionToken using the security credentials of an Amazon -// Web Services account root user rather than an IAM user, we do not recommend it. -// If GetSessionToken is called using root user credentials, the temporary -// credentials have root user permissions. For more information, see Safeguard -// your root user credentials and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials) -// in the IAM User Guide For more information about using GetSessionToken to -// create temporary credentials, see Temporary Credentials for Users in Untrusted -// Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken) -// in the IAM User Guide. +// The temporary credentials have the same permissions as the IAM user. +// +// Although it is possible to call GetSessionToken using the security credentials +// of an Amazon Web Services account root user rather than an IAM user, we do not +// recommend it. If GetSessionToken is called using root user credentials, the +// temporary credentials have root user permissions. 
For more information, see [Safeguard your root user credentials and don't use them for everyday tasks]in +// the IAM User Guide +// +// For more information about using GetSessionToken to create temporary +// credentials, see [Temporary Credentials for Users in Untrusted Environments]in the IAM User Guide. +// +// [Permissions for GetSessionToken]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html +// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison +// [Temporary Credentials for Users in Untrusted Environments]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken +// [Safeguard your root user credentials and don't use them for everyday tasks]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials +// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) { if params == nil { params = &GetSessionTokenInput{} 
@@ -83,10 +98,11 @@ type GetSessionTokenInput struct { // number for a hardware device (such as GAHT12345678 ) or an Amazon Resource Name // (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user ). You // can find the device for an IAM user by going to the Amazon Web Services - // Management Console and viewing the user's security credentials. The regex used - // to validate this parameter is a string of characters consisting of upper- and - // lower-case alphanumeric characters with no spaces. You can also include - // underscores or any of the following characters: =,.@:/- + // Management Console and viewing the user's security credentials. + // + // The regex used to validate this parameter is a string of characters consisting + // of upper- and lower-case alphanumeric characters with no spaces. You can also + // include underscores or any of the following characters: =,.@:/- SerialNumber *string // The value provided by the MFA device, if MFA is required. If any policy 
@@ -94,22 +110,24 @@ type GetSessionTokenInput struct { // authentication is required, the user must provide a code when requesting a set // of temporary security credentials. A user who fails to provide the code receives // an "access denied" response when requesting resources that require MFA - // authentication. The format for this parameter, as described by its regex - // pattern, is a sequence of six numeric digits. + // authentication. + // + // The format for this parameter, as described by its regex pattern, is a sequence + // of six numeric digits. TokenCode *string noSmithyDocumentSerde } -// Contains the response to a successful GetSessionToken request, including -// temporary Amazon Web Services credentials that can be used to make Amazon Web -// Services requests. +// Contains the response to a successful GetSessionToken request, including temporary Amazon Web +// Services credentials that can be used to make Amazon Web Services requests. type GetSessionTokenOutput struct { // The temporary security credentials, which include an access key ID, a secret - // access key, and a security (or session) token. The size of the security token - // that STS API operations return is not fixed. We strongly recommend that you make - // no assumptions about the maximum size. + // access key, and a security (or session) token. + // + // The size of the security token that STS API operations return is not fixed. We + // strongly recommend that you make no assumptions about the maximum size. Credentials *types.Credentials // Metadata pertaining to the operation's result. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go index 5d634ce35c8..7e4346ec9fa 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go 
@@ -20,8 +20,17 @@ import ( "io" "strconv" "strings" + "time" ) +func deserializeS3Expires(v string) (*time.Time, error) { + t, err := smithytime.ParseHTTPDate(v) + if err != nil { + return nil, nil + } + return &t, nil +} + type awsAwsquery_deserializeOpAssumeRole struct { } diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/doc.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/doc.go index d963fd8d19a..cbb19c7f668 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/doc.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/doc.go @@ -3,9 +3,11 @@ // Package sts provides the API client, operations, and parameter types for AWS // Security Token Service. // -// Security Token Service Security Token Service (STS) enables you to request -// temporary, limited-privilege credentials for users. This guide provides -// descriptions of the STS API. For more information about using this service, see -// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) -// . +// # Security Token Service +// +// Security Token Service (STS) enables you to request temporary, +// limited-privilege credentials for users. This guide provides descriptions of the +// STS API. For more information about using this service, see [Temporary Security Credentials]. +// +// [Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html package sts diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go index 8bba9b7dc15..f8c5b4e9162 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go @@ -3,4 +3,4 @@ package sts // goModuleVersion is the tagged release for this module -const goModuleVersion = "1.28.5" +const goModuleVersion = "1.28.10" 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go index 5c1be79f8c0..bb291161aa9 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go @@ -50,8 +50,10 @@ type Options struct { // Deprecated: Deprecated: EndpointResolver and WithEndpointResolver. Providing a // value for this field will likely prevent you from using any endpoint-related // service features released after the introduction of EndpointResolverV2 and - // BaseEndpoint. To migrate an EndpointResolver implementation that uses a custom - // endpoint, set the client option BaseEndpoint instead. + // BaseEndpoint. + // + // To migrate an EndpointResolver implementation that uses a custom endpoint, set + // the client option BaseEndpoint instead. EndpointResolver EndpointResolver // Resolves the endpoint used for a particular service operation. This should be 
@@ -70,17 +72,20 @@ type Options struct { // RetryMaxAttempts specifies the maximum number attempts an API client will call // an operation that fails with a retryable error. A value of 0 is ignored, and // will not be used to configure the API client created default retryer, or modify - // per operation call's retry max attempts. If specified in an operation call's - // functional options with a value that is different than the constructed client's - // Options, the Client's Retryer will be wrapped to use the operation's specific - // RetryMaxAttempts value. + // per operation call's retry max attempts. + // + // If specified in an operation call's functional options with a value that is + // different than the constructed client's Options, the Client's Retryer will be + // wrapped to use the operation's specific RetryMaxAttempts value. RetryMaxAttempts int // RetryMode specifies the retry mode the API client will be created with, if - // Retryer option is not also specified. When creating a new API Clients this - // member will only be used if the Retryer Options member is nil. This value will - // be ignored if Retryer is not nil. Currently does not support per operation call - // overrides, may in the future. + // Retryer option is not also specified. + // + // When creating a new API Clients this member will only be used if the Retryer + // Options member is nil. This value will be ignored if Retryer is not nil. + // + // Currently does not support per operation call overrides, may in the future. RetryMode aws.RetryMode // Retryer guides how HTTP requests should be retried in case of recoverable 
@@ -97,8 +102,9 @@ type Options struct { // The initial DefaultsMode used when the client options were constructed. If the // DefaultsMode was set to aws.DefaultsModeAuto this will store what the resolved - // value was at that point in time. Currently does not support per operation call - // overrides, may in the future. + // value was at that point in time. + // + // Currently does not support per operation call overrides, may in the future. resolvedDefaultsMode aws.DefaultsMode // The HTTP client to invoke API calls with. Defaults to client's default HTTP @@ -143,6 +149,7 @@ func WithAPIOptions(optFns ...func(*middleware.Stack) error) func(*Options) { // Deprecated: EndpointResolver and WithEndpointResolver. Providing a value for // this field will likely prevent you from using any endpoint-related service // features released after the introduction of EndpointResolverV2 and BaseEndpoint. +// // To migrate an EndpointResolver implementation that uses a custom endpoint, set // the client option BaseEndpoint instead. func WithEndpointResolver(v EndpointResolver) func(*Options) { diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go index 097875b279b..9573a4b6461 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go 
@@ -65,9 +65,10 @@ func (e *IDPCommunicationErrorException) ErrorCode() string { func (e *IDPCommunicationErrorException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } // The identity provider (IdP) reported that authentication failed. This might be -// because the claim is invalid. If this error is returned for the -// AssumeRoleWithWebIdentity operation, it can also mean that the claim has expired -// or has been explicitly revoked. +// because the claim is invalid. +// +// If this error is returned for the AssumeRoleWithWebIdentity operation, it can +// also mean that the claim has expired or has been explicitly revoked. type IDPRejectedClaimException struct { Message *string 
@@ -183,11 +184,13 @@ func (e *MalformedPolicyDocumentException) ErrorFault() smithy.ErrorFault { retu // compresses the session policy document, session policy ARNs, and session tags // into a packed binary format that has a separate limit. The error message // indicates by percentage how close the policies and tags are to the upper size -// limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) -// in the IAM User Guide. You could receive this error even though you meet other -// defined session policy and session tag limits. For more information, see IAM -// and STS Entity Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length) -// in the IAM User Guide. +// limit. For more information, see [Passing Session Tags in STS]in the IAM User Guide. +// +// You could receive this error even though you meet other defined session policy +// and session tag limits. For more information, see [IAM and STS Entity Character Limits]in the IAM User Guide. +// +// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html +// [IAM and STS Entity Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length type PackedPolicyTooLargeException struct { Message *string 
@@ -215,9 +218,10 @@ func (e *PackedPolicyTooLargeException) ErrorFault() smithy.ErrorFault { return // STS is not activated in the requested region for the account that is being // asked to generate credentials. The account administrator must use the IAM -// console to activate STS in that region. For more information, see Activating -// and Deactivating Amazon Web Services STS in an Amazon Web Services Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) -// in the IAM User Guide. +// console to activate STS in that region. For more information, see [Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region]in the IAM +// User Guide. +// +// [Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html type RegionDisabledException struct { Message *string diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/types.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/types.go index e3701d11d15..dff7a3c2e76 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/types.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/types.go 
@@ -11,10 +11,11 @@ import ( // returns. type AssumedRoleUser struct { - // The ARN of the temporary security credentials that are returned from the - // AssumeRole action. For more information about ARNs and how to use them in - // policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) - // in the IAM User Guide. + // The ARN of the temporary security credentials that are returned from the AssumeRole + // action. For more information about ARNs and how to use them in policies, see [IAM Identifiers]in + // the IAM User Guide. + // + // [IAM Identifiers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html // // This member is required. Arn *string @@ -61,8 +62,9 @@ type FederatedUser struct { // The ARN that specifies the federated user that is associated with the // credentials. For more information about ARNs and how to use them in policies, - // see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) - // in the IAM User Guide. + // see [IAM Identifiers]in the IAM User Guide. + // + // [IAM Identifiers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html // // This member is required. Arn *string 
@@ -81,9 +83,10 @@ type FederatedUser struct { type PolicyDescriptorType struct { // The Amazon Resource Name (ARN) of the IAM managed policy to use as a session - // policy for the role. For more information about ARNs, see Amazon Resource Names - // (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // in the Amazon Web Services General Reference. + // policy for the role. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the Amazon Web + // Services General Reference. + // + // [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Arn *string noSmithyDocumentSerde 
@@ -107,23 +110,30 @@ type ProvidedContext struct { // You can pass custom key-value pair attributes when you assume a role or // federate a user. These are called session tags. You can then use the session -// tags to control access to resources. For more information, see Tagging Amazon -// Web Services STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) -// in the IAM User Guide. +// tags to control access to resources. For more information, see [Tagging Amazon Web Services STS Sessions]in the IAM User +// Guide. +// +// [Tagging Amazon Web Services STS Sessions]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html type Tag struct { - // The key for a session tag. You can pass up to 50 session tags. The plain text - // session tag keys can’t exceed 128 characters. For these and additional limits, - // see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) - // in the IAM User Guide. + // The key for a session tag. + // + // You can pass up to 50 session tags. The plain text session tag keys can’t + // exceed 128 characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User + // Guide. + // + // [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length // // This member is required. Key *string - // The value for a session tag. You can pass up to 50 session tags. The plain text - // session tag values can’t exceed 256 characters. For these and additional limits, - // see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) - // in the IAM User Guide. + // The value for a session tag. + // + // You can pass up to 50 session tags. The plain text session tag values can’t + // exceed 256 characters. 
For these and additional limits, see [IAM and STS Character Limits]in the IAM User + // Guide. + // + // [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length // // This member is required. Value *string diff --git a/vendor/github.com/aws/smithy-go/CHANGELOG.md b/vendor/github.com/aws/smithy-go/CHANGELOG.md index b8d6561a4e1..39ffae99938 100644 --- a/vendor/github.com/aws/smithy-go/CHANGELOG.md +++ b/vendor/github.com/aws/smithy-go/CHANGELOG.md @@ -1,3 +1,7 @@ +# Release (2024-03-29) + +* No change notes available for this release. + # Release (2024-02-21) ## Module Highlights diff --git a/vendor/github.com/aws/smithy-go/go_module_metadata.go b/vendor/github.com/aws/smithy-go/go_module_metadata.go index 341392e10f8..a6b22f353d3 100644 --- a/vendor/github.com/aws/smithy-go/go_module_metadata.go +++ b/vendor/github.com/aws/smithy-go/go_module_metadata.go @@ -3,4 +3,4 @@ package smithy // goModuleVersion is the tagged release for this module -const goModuleVersion = "1.20.1" +const goModuleVersion = "1.20.2" diff --git a/vendor/modules.txt b/vendor/modules.txt index 393690423a5..63e07058e81 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -151,7 +151,7 @@ github.com/ahmetb/gen-crd-api-reference-docs # github.com/antlr4-go/antlr/v4 v4.13.0 ## explicit; go 1.20 github.com/antlr4-go/antlr/v4 -# github.com/aws/aws-sdk-go-v2 v1.26.0 +# github.com/aws/aws-sdk-go-v2 v1.27.0 ## explicit; go 1.20 github.com/aws/aws-sdk-go-v2/aws github.com/aws/aws-sdk-go-v2/aws/defaults 
@@ -176,10 +176,10 @@ github.com/aws/aws-sdk-go-v2/internal/shareddefaults
 github.com/aws/aws-sdk-go-v2/internal/strings
 github.com/aws/aws-sdk-go-v2/internal/sync/singleflight
 github.com/aws/aws-sdk-go-v2/internal/timeconv
-# github.com/aws/aws-sdk-go-v2/config v1.27.9
+# github.com/aws/aws-sdk-go-v2/config v1.27.16
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/config
-# github.com/aws/aws-sdk-go-v2/credentials v1.17.9
+# github.com/aws/aws-sdk-go-v2/credentials v1.17.16
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/credentials
 github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds
@@ -188,14 +188,14 @@ github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client
 github.com/aws/aws-sdk-go-v2/credentials/processcreds
 github.com/aws/aws-sdk-go-v2/credentials/ssocreds
 github.com/aws/aws-sdk-go-v2/credentials/stscreds
-# github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0
+# github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds/internal/config
-# github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4
+# github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/internal/configsources
-# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4
+# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2
 # github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0
@@ -211,33 +211,33 @@ github.com/aws/aws-sdk-go-v2/service/ecr/types
 github.com/aws/aws-sdk-go-v2/service/ecrpublic
 github.com/aws/aws-sdk-go-v2/service/ecrpublic/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/ecrpublic/types
-# github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1
+# github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding
-# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6
+# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url
-# github.com/aws/aws-sdk-go-v2/service/kms v1.30.0
+# github.com/aws/aws-sdk-go-v2/service/kms v1.32.1
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/kms
 github.com/aws/aws-sdk-go-v2/service/kms/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/kms/types
-# github.com/aws/aws-sdk-go-v2/service/sso v1.20.3
+# github.com/aws/aws-sdk-go-v2/service/sso v1.20.9
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/sso
 github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/sso/types
-# github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3
+# github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.3
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/ssooidc
 github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/ssooidc/types
-# github.com/aws/aws-sdk-go-v2/service/sts v1.28.5
+# github.com/aws/aws-sdk-go-v2/service/sts v1.28.10
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/sts
 github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/sts/types
-# github.com/aws/smithy-go v1.20.1
+# github.com/aws/smithy-go v1.20.2
 ## explicit; go 1.20
 github.com/aws/smithy-go
 github.com/aws/smithy-go/auth
@@ -854,8 +854,8 @@ github.com/sigstore/sigstore/pkg/signature/kms
 github.com/sigstore/sigstore/pkg/signature/kms/fake
 github.com/sigstore/sigstore/pkg/signature/options
 github.com/sigstore/sigstore/pkg/signature/payload
-# github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3
-## explicit; go 1.20
+# github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.4
+## explicit; go 1.21
 github.com/sigstore/sigstore/pkg/signature/kms/aws
 # github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3
 ## explicit; go 1.20
