diff --git a/aws/sdk/build.gradle.kts b/aws/sdk/build.gradle.kts index d9f090502cc2146a9bd8f0befaa3a86afb76ce24..bf359a7a489eef1b5e18527d437dc039d49e6c7e 100644 --- a/aws/sdk/build.gradle.kts +++ b/aws/sdk/build.gradle.kts @@ -49,7 +49,7 @@ fun discoverServices(): List { throw Exception("There must be exactly one service in each aws model file") } val service = services[0] - val sdkId = service.expectTrait(ServiceTrait::class.java).sdkId.toLowerCase() + val sdkId = service.expectTrait(ServiceTrait::class.java).sdkId.toLowerCase().replace(" ", "") AwsService(service = service.id.toString(), module = sdkId, modelFile = file) } } diff --git a/aws/sdk/models/kinesis.json b/aws/sdk/models/kinesis.json new file mode 100644 index 0000000000000000000000000000000000000000..4cddbe5092a8d6264d5843c4c1f92a450aa09e66 --- /dev/null +++ b/aws/sdk/models/kinesis.json @@ -0,0 +1,3181 @@ +{ + "smithy": "1.0", + "metadata": { + "suppressions": [ + { + "id": "HttpMethodSemantics", + "namespace": "*" + }, + { + "id": "HttpResponseCodeSemantics", + "namespace": "*" + }, + { + "id": "PaginatedTrait", + "namespace": "*" + }, + { + "id": "HttpHeaderTrait", + "namespace": "*" + }, + { + "id": "HttpUriConflict", + "namespace": "*" + }, + { + "id": "Service", + "namespace": "*" + } + ] + }, + "shapes": { + "com.amazonaws.kinesis#AddTagsToStream": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#AddTagsToStreamInput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Adds or updates tags for the specified Kinesis data stream. Each time you invoke\n this operation, you can specify up to 10 tags. If you want to add more than 10 tags to\n your stream, you can invoke this operation multiple times. In total, each stream can\n have up to 50 tags.

\n

If tags have already been assigned to the stream, AddTagsToStream\n overwrites any existing tags that correspond to the specified tag keys.

\n

\n AddTagsToStream has a limit of five transactions per second per\n account.

" + } + }, + "com.amazonaws.kinesis#AddTagsToStreamInput": { + "type": "structure", + "members": { + "Tags": { + "target": "com.amazonaws.kinesis#TagMap", + "traits": { + "smithy.api#documentation": "

A set of up to 10 key-value pairs to use to create the tags.

", + "smithy.api#required": {} + } + }, + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the input for AddTagsToStream.

" + } + }, + "com.amazonaws.kinesis#BooleanObject": { + "type": "boolean", + "traits": { + "smithy.api#box": {} + } + }, + "com.amazonaws.kinesis#ChildShard": { + "type": "structure", + "members": { + "ParentShards": { + "target": "com.amazonaws.kinesis#ShardIdList", + "traits": { + "smithy.api#required": {} + } + }, + "ShardId": { + "target": "com.amazonaws.kinesis#ShardId", + "traits": { + "smithy.api#required": {} + } + }, + "HashKeyRange": { + "target": "com.amazonaws.kinesis#HashKeyRange", + "traits": { + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kinesis#ChildShardList": { + "type": "list", + "member": { + "target": "com.amazonaws.kinesis#ChildShard" + } + }, + "com.amazonaws.kinesis#Consumer": { + "type": "structure", + "members": { + "ConsumerName": { + "target": "com.amazonaws.kinesis#ConsumerName", + "traits": { + "smithy.api#documentation": "

The name of the consumer is something you choose when you register the\n consumer.

", + "smithy.api#required": {} + } + }, + "ConsumerARN": { + "target": "com.amazonaws.kinesis#ConsumerARN", + "traits": { + "smithy.api#documentation": "

When you register a consumer, Kinesis Data Streams generates an ARN for it. You need\n this ARN to be able to call SubscribeToShard.

\n

If you delete a consumer and then create a new one with the same name, it won't have\n the same ARN. That's because consumer ARNs contain the creation timestamp. This is\n important to keep in mind if you have IAM policies that reference consumer ARNs.

", + "smithy.api#required": {} + } + }, + "ConsumerStatus": { + "target": "com.amazonaws.kinesis#ConsumerStatus", + "traits": { + "smithy.api#documentation": "

A consumer can't read data while in the CREATING or DELETING\n states.

", + "smithy.api#required": {} + } + }, + "ConsumerCreationTimestamp": { + "target": "com.amazonaws.kinesis#Timestamp", + "traits": { + "smithy.api#documentation": "

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

An object that represents the details of the consumer you registered. This type of\n object is returned by RegisterStreamConsumer.

" + } + }, + "com.amazonaws.kinesis#ConsumerARN": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 2048 + }, + "smithy.api#pattern": "^(arn):aws.*:kinesis:.*:\\d{12}:.*stream\\/[a-zA-Z0-9_.-]+\\/consumer\\/[a-zA-Z0-9_.-]+:[0-9]+" + } + }, + "com.amazonaws.kinesis#ConsumerCountObject": { + "type": "integer", + "traits": { + "smithy.api#box": {}, + "smithy.api#range": { + "min": 0, + "max": 1000000 + } + } + }, + "com.amazonaws.kinesis#ConsumerDescription": { + "type": "structure", + "members": { + "StreamARN": { + "target": "com.amazonaws.kinesis#StreamARN", + "traits": { + "smithy.api#documentation": "

The ARN of the stream with which you registered the consumer.

", + "smithy.api#required": {} + } + }, + "ConsumerName": { + "target": "com.amazonaws.kinesis#ConsumerName", + "traits": { + "smithy.api#documentation": "

The name of the consumer is something you choose when you register the\n consumer.

", + "smithy.api#required": {} + } + }, + "ConsumerARN": { + "target": "com.amazonaws.kinesis#ConsumerARN", + "traits": { + "smithy.api#documentation": "

When you register a consumer, Kinesis Data Streams generates an ARN for it. You need\n this ARN to be able to call SubscribeToShard.

\n

If you delete a consumer and then create a new one with the same name, it won't have\n the same ARN. That's because consumer ARNs contain the creation timestamp. This is\n important to keep in mind if you have IAM policies that reference consumer ARNs.

", + "smithy.api#required": {} + } + }, + "ConsumerStatus": { + "target": "com.amazonaws.kinesis#ConsumerStatus", + "traits": { + "smithy.api#documentation": "

A consumer can't read data while in the CREATING or DELETING\n states.

", + "smithy.api#required": {} + } + }, + "ConsumerCreationTimestamp": { + "target": "com.amazonaws.kinesis#Timestamp", + "traits": { + "smithy.api#documentation": "

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

An object that represents the details of a registered consumer. This type of object is\n returned by DescribeStreamConsumer.

" + } + }, + "com.amazonaws.kinesis#ConsumerList": { + "type": "list", + "member": { + "target": "com.amazonaws.kinesis#Consumer" + } + }, + "com.amazonaws.kinesis#ConsumerName": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 128 + }, + "smithy.api#pattern": "[a-zA-Z0-9_.-]+" + } + }, + "com.amazonaws.kinesis#ConsumerStatus": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "CREATING", + "name": "CREATING" + }, + { + "value": "DELETING", + "name": "DELETING" + }, + { + "value": "ACTIVE", + "name": "ACTIVE" + } + ] + } + }, + "com.amazonaws.kinesis#CreateStream": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#CreateStreamInput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + } + ], + "traits": { + "smithy.api#documentation": "

Creates a Kinesis data stream. A stream captures and transports data records that\n are continuously emitted from different data sources or producers.\n Scale-out within a stream is explicitly supported by means of shards, which are uniquely\n identified groups of data records in a stream.

\n

You specify and control the number of shards that a stream is composed of. Each\n shard can support reads up to five transactions per second, up to a maximum data read\n total of 2 MiB per second. Each shard can support writes up to 1,000 records per second,\n up to a maximum data write total of 1 MiB per second. If the amount of data input\n increases or decreases, you can add or remove shards.

\n

The stream name identifies the stream. The name is scoped to the AWS account used\n by the application. It is also scoped by AWS Region. That is, two streams in two\n different accounts can have the same name, and two streams in the same account, but in\n two different Regions, can have the same name.

\n

\n CreateStream is an asynchronous operation. Upon receiving a\n CreateStream request, Kinesis Data Streams immediately returns and sets\n the stream status to CREATING. After the stream is created, Kinesis Data\n Streams sets the stream status to ACTIVE. You should perform read and write\n operations only on an ACTIVE stream.

\n

You receive a LimitExceededException when making a\n CreateStream request when you try to do one of the following:

\n \n

For the default shard limit for an AWS account, see Amazon Kinesis Data Streams\n Limits in the Amazon Kinesis Data Streams Developer\n Guide. To increase this limit, contact AWS\n Support.

\n

You can use DescribeStream to check the stream status, which is\n returned in StreamStatus.

\n

\n CreateStream has a limit of five transactions per second per\n account.

" + } + }, + "com.amazonaws.kinesis#CreateStreamInput": { + "type": "structure", + "members": { + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

A name to identify the stream. The stream name is scoped to the AWS account used by\n the application that creates the stream. It is also scoped by AWS Region. That is, two\n streams in two different AWS accounts can have the same name. Two streams in the same\n AWS account but in two different Regions can also have the same name.

", + "smithy.api#required": {} + } + }, + "ShardCount": { + "target": "com.amazonaws.kinesis#PositiveIntegerObject", + "traits": { + "smithy.api#documentation": "

The number of shards that the stream will use. The throughput of the stream is a\n function of the number of shards; more shards are required for greater provisioned\n throughput.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the input for CreateStream.

" + } + }, + "com.amazonaws.kinesis#Data": { + "type": "blob", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 1048576 + } + } + }, + "com.amazonaws.kinesis#DecreaseStreamRetentionPeriod": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#DecreaseStreamRetentionPeriodInput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Decreases the Kinesis data stream's retention period, which is the length of time\n data records are accessible after they are added to the stream. The minimum value of a\n stream's retention period is 24 hours.

\n

This operation may result in lost data. For example, if the stream's retention\n period is 48 hours and is decreased to 24 hours, any data already in the stream that is\n older than 24 hours is inaccessible.

" + } + }, + "com.amazonaws.kinesis#DecreaseStreamRetentionPeriodInput": { + "type": "structure", + "members": { + "RetentionPeriodHours": { + "target": "com.amazonaws.kinesis#RetentionPeriodHours", + "traits": { + "smithy.api#documentation": "

The new retention period of the stream, in hours. Must be less than the current\n retention period.

", + "smithy.api#required": {} + } + }, + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream to modify.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the input for DecreaseStreamRetentionPeriod.

" + } + }, + "com.amazonaws.kinesis#DeleteStream": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#DeleteStreamInput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Deletes a Kinesis data stream and all its shards and data. You must shut down any\n applications that are operating on the stream before you delete the stream. If an\n application attempts to operate on a deleted stream, it receives the exception\n ResourceNotFoundException.

\n

If the stream is in the ACTIVE state, you can delete it. After a\n DeleteStream request, the specified stream is in the\n DELETING state until Kinesis Data Streams completes the\n deletion.

\n

\n Note: Kinesis Data Streams might continue to accept\n data read and write operations, such as PutRecord, PutRecords, and GetRecords, on a stream in the\n DELETING state until the stream deletion is complete.

\n

When you delete a stream, any shards in that stream are also deleted, and any tags\n are dissociated from the stream.

\n

You can use the DescribeStream operation to check the state of\n the stream, which is returned in StreamStatus.

\n

\n DeleteStream has a limit of five transactions per second per\n account.

" + } + }, + "com.amazonaws.kinesis#DeleteStreamInput": { + "type": "structure", + "members": { + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream to delete.

", + "smithy.api#required": {} + } + }, + "EnforceConsumerDeletion": { + "target": "com.amazonaws.kinesis#BooleanObject", + "traits": { + "smithy.api#documentation": "

If this parameter is unset (null) or if you set it to false,\n and the stream has registered consumers, the call to DeleteStream fails\n with a ResourceInUseException.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the input for DeleteStream.

" + } + }, + "com.amazonaws.kinesis#DeregisterStreamConsumer": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#DeregisterStreamConsumerInput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

To deregister a consumer, provide its ARN. Alternatively, you can provide the ARN of\n the data stream and the name you gave the consumer when you registered it. You may also\n provide all three parameters, as long as they don't conflict with each other. If you\n don't know the name or ARN of the consumer that you want to deregister, you can use the\n ListStreamConsumers operation to get a list of the descriptions of\n all the consumers that are currently registered with a given data stream. The\n description of a consumer contains its name and ARN.

\n

This operation has a limit of five transactions per second per stream.

" + } + }, + "com.amazonaws.kinesis#DeregisterStreamConsumerInput": { + "type": "structure", + "members": { + "StreamARN": { + "target": "com.amazonaws.kinesis#StreamARN", + "traits": { + "smithy.api#documentation": "

The ARN of the Kinesis data stream that the consumer is registered with. For more\n information, see Amazon Resource Names (ARNs) and AWS Service Namespaces.

" + } + }, + "ConsumerName": { + "target": "com.amazonaws.kinesis#ConsumerName", + "traits": { + "smithy.api#documentation": "

The name that you gave to the consumer.

" + } + }, + "ConsumerARN": { + "target": "com.amazonaws.kinesis#ConsumerARN", + "traits": { + "smithy.api#documentation": "

The ARN returned by Kinesis Data Streams when you registered the consumer. If you\n don't know the ARN of the consumer that you want to deregister, you can use the\n ListStreamConsumers operation to get a list of the descriptions of all the consumers\n that are currently registered with a given data stream. The description of a consumer\n contains its ARN.

" + } + } + } + }, + "com.amazonaws.kinesis#DescribeLimits": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#DescribeLimitsInput" + }, + "output": { + "target": "com.amazonaws.kinesis#DescribeLimitsOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#LimitExceededException" + } + ], + "traits": { + "smithy.api#documentation": "

Describes the shard limits and usage for the account.

\n

If you update your account limits, the old limits might be returned for a few\n minutes.

\n

This operation has a limit of one transaction per second per account.

" + } + }, + "com.amazonaws.kinesis#DescribeLimitsInput": { + "type": "structure", + "members": {} + }, + "com.amazonaws.kinesis#DescribeLimitsOutput": { + "type": "structure", + "members": { + "OpenShardCount": { + "target": "com.amazonaws.kinesis#ShardCountObject", + "traits": { + "smithy.api#documentation": "

The number of open shards.

", + "smithy.api#required": {} + } + }, + "ShardLimit": { + "target": "com.amazonaws.kinesis#ShardCountObject", + "traits": { + "smithy.api#documentation": "

The maximum number of shards.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kinesis#DescribeStream": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#DescribeStreamInput" + }, + "output": { + "target": "com.amazonaws.kinesis#DescribeStreamOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Describes the specified Kinesis data stream.

\n\n

The information returned includes the stream name, Amazon Resource Name (ARN),\n creation time, enhanced metric configuration, and shard map. The shard map is an array\n of shard objects. For each shard object, there is the hash key and sequence number\n ranges that the shard spans, and the IDs of any earlier shards that played in a role in\n creating the shard. Every record ingested in the stream is identified by a sequence\n number, which is assigned when the record is put into the stream.

\n\n

You can limit the number of shards returned by each call. For more information, see\n Retrieving\n Shards from a Stream in the Amazon Kinesis Data Streams Developer\n Guide.

\n

There are no guarantees about the chronological order shards returned. To process\n shards in chronological order, use the ID of the parent shard to track the lineage to\n the oldest shard.

\n

This operation has a limit of 10 transactions per second per account.

" + } + }, + "com.amazonaws.kinesis#DescribeStreamConsumer": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#DescribeStreamConsumerInput" + }, + "output": { + "target": "com.amazonaws.kinesis#DescribeStreamConsumerOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

To get the description of a registered consumer, provide the ARN of the consumer.\n Alternatively, you can provide the ARN of the data stream and the name you gave the\n consumer when you registered it. You may also provide all three parameters, as long as\n they don't conflict with each other. If you don't know the name or ARN of the consumer\n that you want to describe, you can use the ListStreamConsumers\n operation to get a list of the descriptions of all the consumers that are currently\n registered with a given data stream.

\n

This operation has a limit of 20 transactions per second per stream.

" + } + }, + "com.amazonaws.kinesis#DescribeStreamConsumerInput": { + "type": "structure", + "members": { + "StreamARN": { + "target": "com.amazonaws.kinesis#StreamARN", + "traits": { + "smithy.api#documentation": "

The ARN of the Kinesis data stream that the consumer is registered with. For more\n information, see Amazon Resource Names (ARNs) and AWS Service Namespaces.

" + } + }, + "ConsumerName": { + "target": "com.amazonaws.kinesis#ConsumerName", + "traits": { + "smithy.api#documentation": "

The name that you gave to the consumer.

" + } + }, + "ConsumerARN": { + "target": "com.amazonaws.kinesis#ConsumerARN", + "traits": { + "smithy.api#documentation": "

The ARN returned by Kinesis Data Streams when you registered the consumer.

" + } + } + } + }, + "com.amazonaws.kinesis#DescribeStreamConsumerOutput": { + "type": "structure", + "members": { + "ConsumerDescription": { + "target": "com.amazonaws.kinesis#ConsumerDescription", + "traits": { + "smithy.api#documentation": "

An object that represents the details of the consumer.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kinesis#DescribeStreamInput": { + "type": "structure", + "members": { + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream to describe.

", + "smithy.api#required": {} + } + }, + "ExclusiveStartShardId": { + "target": "com.amazonaws.kinesis#ShardId", + "traits": { + "smithy.api#documentation": "

The shard ID of the shard to start with.

" + } + }, + "Limit": { + "target": "com.amazonaws.kinesis#DescribeStreamInputLimit", + "traits": { + "smithy.api#documentation": "

The maximum number of shards to return in a single call. The default value is 100.\n If you specify a value greater than 100, at most 100 shards are returned.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the input for DescribeStream.

" + } + }, + "com.amazonaws.kinesis#DescribeStreamInputLimit": { + "type": "integer", + "traits": { + "smithy.api#box": {}, + "smithy.api#range": { + "min": 1, + "max": 10000 + } + } + }, + "com.amazonaws.kinesis#DescribeStreamOutput": { + "type": "structure", + "members": { + "StreamDescription": { + "target": "com.amazonaws.kinesis#StreamDescription", + "traits": { + "smithy.api#documentation": "

The current status of the stream, the stream Amazon Resource Name (ARN), an array\n of shard objects that comprise the stream, and whether there are more shards\n available.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the output for DescribeStream.

" + } + }, + "com.amazonaws.kinesis#DescribeStreamSummary": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#DescribeStreamSummaryInput" + }, + "output": { + "target": "com.amazonaws.kinesis#DescribeStreamSummaryOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Provides a summarized description of the specified Kinesis data stream without the\n shard list.

\n

The information returned includes the stream name, Amazon Resource Name (ARN),\n status, record retention period, approximate creation time, monitoring, encryption\n details, and open shard count.

\n

\n DescribeStreamSummary has a limit of 20 transactions per second\n per account.

" + } + }, + "com.amazonaws.kinesis#DescribeStreamSummaryInput": { + "type": "structure", + "members": { + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream to describe.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kinesis#DescribeStreamSummaryOutput": { + "type": "structure", + "members": { + "StreamDescriptionSummary": { + "target": "com.amazonaws.kinesis#StreamDescriptionSummary", + "traits": { + "smithy.api#documentation": "

A StreamDescriptionSummary containing information about the\n stream.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kinesis#DisableEnhancedMonitoring": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#DisableEnhancedMonitoringInput" + }, + "output": { + "target": "com.amazonaws.kinesis#EnhancedMonitoringOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Disables enhanced monitoring.

" + } + }, + "com.amazonaws.kinesis#DisableEnhancedMonitoringInput": { + "type": "structure", + "members": { + "ShardLevelMetrics": { + "target": "com.amazonaws.kinesis#MetricsNameList", + "traits": { + "smithy.api#documentation": "

List of shard-level metrics to disable.

\n

The following are the valid shard-level metrics. The value \"ALL\"\n disables every metric.

\n \n

For more information, see Monitoring the Amazon\n Kinesis Data Streams Service with Amazon CloudWatch in the Amazon\n Kinesis Data Streams Developer Guide.

", + "smithy.api#required": {} + } + }, + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the Kinesis data stream for which to disable enhanced\n monitoring.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the input for DisableEnhancedMonitoring.

" + } + }, + "com.amazonaws.kinesis#EnableEnhancedMonitoring": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#EnableEnhancedMonitoringInput" + }, + "output": { + "target": "com.amazonaws.kinesis#EnhancedMonitoringOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Enables enhanced Kinesis data stream monitoring for shard-level metrics.

" + } + }, + "com.amazonaws.kinesis#EnableEnhancedMonitoringInput": { + "type": "structure", + "members": { + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream for which to enable enhanced monitoring.

", + "smithy.api#required": {} + } + }, + "ShardLevelMetrics": { + "target": "com.amazonaws.kinesis#MetricsNameList", + "traits": { + "smithy.api#documentation": "

List of shard-level metrics to enable.

\n

The following are the valid shard-level metrics. The value \"ALL\"\n enables every metric.

\n \n

For more information, see Monitoring the Amazon\n Kinesis Data Streams Service with Amazon CloudWatch in the Amazon\n Kinesis Data Streams Developer Guide.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the input for EnableEnhancedMonitoring.

" + } + }, + "com.amazonaws.kinesis#EncryptionType": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "NONE", + "name": "NONE" + }, + { + "value": "KMS", + "name": "KMS" + } + ] + } + }, + "com.amazonaws.kinesis#EnhancedMetrics": { + "type": "structure", + "members": { + "ShardLevelMetrics": { + "target": "com.amazonaws.kinesis#MetricsNameList", + "traits": { + "smithy.api#documentation": "

List of shard-level metrics.

\n

The following are the valid shard-level metrics. The value \"ALL\"\n enhances every metric.

\n \n

For more information, see Monitoring the Amazon\n Kinesis Data Streams Service with Amazon CloudWatch in the Amazon\n Kinesis Data Streams Developer Guide.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents enhanced metrics types.

" + } + }, + "com.amazonaws.kinesis#EnhancedMonitoringList": { + "type": "list", + "member": { + "target": "com.amazonaws.kinesis#EnhancedMetrics" + } + }, + "com.amazonaws.kinesis#EnhancedMonitoringOutput": { + "type": "structure", + "members": { + "DesiredShardLevelMetrics": { + "target": "com.amazonaws.kinesis#MetricsNameList", + "traits": { + "smithy.api#documentation": "

Represents the list of all the metrics that would be in the enhanced state after\n the operation.

" + } + }, + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the Kinesis data stream.

" + } + }, + "CurrentShardLevelMetrics": { + "target": "com.amazonaws.kinesis#MetricsNameList", + "traits": { + "smithy.api#documentation": "

Represents the current state of the metrics that are in the enhanced state before\n the operation.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the output for EnableEnhancedMonitoring and DisableEnhancedMonitoring.

" + } + }, + "com.amazonaws.kinesis#ErrorCode": { + "type": "string" + }, + "com.amazonaws.kinesis#ErrorMessage": { + "type": "string" + }, + "com.amazonaws.kinesis#ExpiredIteratorException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kinesis#ErrorMessage", + "traits": { + "smithy.api#documentation": "

A message that provides information about the error.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

The provided iterator exceeds the maximum age allowed.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.kinesis#ExpiredNextTokenException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kinesis#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "

The pagination token passed to the operation is expired.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.kinesis#GetRecords": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#GetRecordsInput" + }, + "output": { + "target": "com.amazonaws.kinesis#GetRecordsOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#ExpiredIteratorException" + }, + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#KMSAccessDeniedException" + }, + { + "target": "com.amazonaws.kinesis#KMSDisabledException" + }, + { + "target": "com.amazonaws.kinesis#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kinesis#KMSNotFoundException" + }, + { + "target": "com.amazonaws.kinesis#KMSOptInRequired" + }, + { + "target": "com.amazonaws.kinesis#KMSThrottlingException" + }, + { + "target": "com.amazonaws.kinesis#ProvisionedThroughputExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Gets data records from a Kinesis data stream's shard.

\n

Specify a shard iterator using the ShardIterator parameter. The shard\n iterator specifies the position in the shard from which you want to start reading data\n records sequentially. If there are no records available in the portion of the shard that\n the iterator points to, GetRecords returns an empty list. It might\n take multiple calls to get to a portion of the shard that contains records.

\n

You can scale by provisioning multiple shards per stream while considering service\n limits (for more information, see Amazon Kinesis Data Streams\n Limits in the Amazon Kinesis Data Streams Developer\n Guide). Your application should have one thread per shard, each reading\n continuously from its stream. To read from a stream continually, call GetRecords in a loop. Use GetShardIterator to get the\n shard iterator to specify in the first GetRecords call. GetRecords returns a new shard iterator in\n NextShardIterator. Specify the shard iterator returned in\n NextShardIterator in subsequent calls to GetRecords.\n If the shard has been closed, the shard iterator can't return more data and GetRecords returns null in NextShardIterator.\n You can terminate the loop when the shard is closed, or when the shard iterator reaches\n the record with the sequence number or other attribute that marks it as the last record\n to process.

\n

Each data record can be up to 1 MiB in size, and each shard can read up to 2 MiB\n per second. You can ensure that your calls don't exceed the maximum supported size or\n throughput by using the Limit parameter to specify the maximum number of\n records that GetRecords can return. Consider your average record size\n when determining this limit. The maximum number of records that can be returned per call\n is 10,000.

\n\n

The size of the data returned by GetRecords varies depending on\n the utilization of the shard. The maximum size of data that GetRecords\n can return is 10 MiB. If a call returns this amount of data, subsequent calls made\n within the next 5 seconds throw ProvisionedThroughputExceededException. If\n there is insufficient provisioned throughput on the stream, subsequent calls made within\n the next 1 second throw ProvisionedThroughputExceededException. GetRecords doesn't return any data when it throws an exception. For this\n reason, we recommend that you wait 1 second between calls to GetRecords. However, it's possible that the application will get exceptions for longer than 1\n second.

\n

To detect whether the application is falling behind in processing, you can use the\n MillisBehindLatest response attribute. You can also monitor the stream\n using CloudWatch metrics and other mechanisms (see Monitoring in the Amazon\n Kinesis Data Streams Developer Guide).

\n

Each Amazon Kinesis record includes a value,\n ApproximateArrivalTimestamp, that is set when a stream successfully\n receives and stores a record. This is commonly referred to as a server-side time stamp,\n whereas a client-side time stamp is set when a data producer creates or sends the record\n to a stream (a data producer is any data source putting data records into a stream, for\n example with PutRecords). The time stamp has millisecond precision.\n There are no guarantees about the time stamp accuracy, or that the time stamp is always\n increasing. For example, records in a shard or across a stream might have time stamps\n that are out of order.

\n

This operation has a limit of five transactions per second per shard.

" + } + }, + "com.amazonaws.kinesis#GetRecordsInput": { + "type": "structure", + "members": { + "ShardIterator": { + "target": "com.amazonaws.kinesis#ShardIterator", + "traits": { + "smithy.api#documentation": "

The position in the shard from which you want to start sequentially reading data\n records. A shard iterator specifies this position using the sequence number of a data\n record in the shard.

", + "smithy.api#required": {} + } + }, + "Limit": { + "target": "com.amazonaws.kinesis#GetRecordsInputLimit", + "traits": { + "smithy.api#documentation": "

The maximum number of records to return. Specify a value of up to 10,000. If you\n specify a value that is greater than 10,000, GetRecords throws\n InvalidArgumentException. The default value is 10,000.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the input for GetRecords.

" + } + }, + "com.amazonaws.kinesis#GetRecordsInputLimit": { + "type": "integer", + "traits": { + "smithy.api#box": {}, + "smithy.api#range": { + "min": 1, + "max": 10000 + } + } + }, + "com.amazonaws.kinesis#GetRecordsOutput": { + "type": "structure", + "members": { + "NextShardIterator": { + "target": "com.amazonaws.kinesis#ShardIterator", + "traits": { + "smithy.api#documentation": "

The next position in the shard from which to start sequentially reading data\n records. If set to null, the shard has been closed and the requested\n iterator does not return any more data.

" + } + }, + "Records": { + "target": "com.amazonaws.kinesis#RecordList", + "traits": { + "smithy.api#documentation": "

The data records retrieved from the shard.

", + "smithy.api#required": {} + } + }, + "MillisBehindLatest": { + "target": "com.amazonaws.kinesis#MillisBehindLatest", + "traits": { + "smithy.api#documentation": "

The number of milliseconds the GetRecords response is from the\n tip of the stream, indicating how far behind current time the consumer is. A value of\n zero indicates that record processing is caught up, and there are no new records to\n process at this moment.

" + } + }, + "ChildShards": { + "target": "com.amazonaws.kinesis#ChildShardList" + } + }, + "traits": { + "smithy.api#documentation": "

Represents the output for GetRecords.

" + } + }, + "com.amazonaws.kinesis#GetShardIterator": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#GetShardIteratorInput" + }, + "output": { + "target": "com.amazonaws.kinesis#GetShardIteratorOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#ProvisionedThroughputExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Gets an Amazon Kinesis shard iterator. A shard iterator expires 5 minutes after it\n is returned to the requester.

\n

A shard iterator specifies the shard position from which to start reading data\n records sequentially. The position is specified using the sequence number of a data\n record in a shard. A sequence number is the identifier associated with every record\n ingested in the stream, and is assigned when a record is put into the stream. Each\n stream has one or more shards.

\n

You must specify the shard iterator type. For example, you can set the\n ShardIteratorType parameter to read exactly from the position denoted\n by a specific sequence number by using the AT_SEQUENCE_NUMBER shard\n iterator type. Alternatively, the parameter can read right after the sequence number by\n using the AFTER_SEQUENCE_NUMBER shard iterator type, using sequence numbers\n returned by earlier calls to PutRecord, PutRecords,\n GetRecords, or DescribeStream. In the request,\n you can specify the shard iterator type AT_TIMESTAMP to read records from\n an arbitrary point in time, TRIM_HORIZON to cause\n ShardIterator to point to the last untrimmed record in the shard in the\n system (the oldest data record in the shard), or LATEST so that you always\n read the most recent data in the shard.

\n

When you read repeatedly from a stream, use a GetShardIterator\n request to get the first shard iterator for use in your first GetRecords request and for subsequent reads use the shard iterator returned by the GetRecords request in NextShardIterator. A new shard\n iterator is returned by every GetRecords request in\n NextShardIterator, which you use in the ShardIterator\n parameter of the next GetRecords request.

\n

If a GetShardIterator request is made too often, you receive a\n ProvisionedThroughputExceededException. For more information about\n throughput limits, see GetRecords, and Streams Limits in the\n Amazon Kinesis Data Streams Developer Guide.

\n

If the shard is closed, GetShardIterator returns a valid iterator\n for the last sequence number of the shard. A shard can be closed as a result of using\n SplitShard or MergeShards.

\n

\n GetShardIterator has a limit of five transactions per second per\n account per open shard.

" + } + }, + "com.amazonaws.kinesis#GetShardIteratorInput": { + "type": "structure", + "members": { + "ShardIteratorType": { + "target": "com.amazonaws.kinesis#ShardIteratorType", + "traits": { + "smithy.api#documentation": "

Determines how the shard iterator is used to start reading data records from the\n shard.

\n

The following are the valid Amazon Kinesis shard iterator types:

\n ", + "smithy.api#required": {} + } + }, + "ShardId": { + "target": "com.amazonaws.kinesis#ShardId", + "traits": { + "smithy.api#documentation": "

The shard ID of the Kinesis Data Streams shard to get the iterator for.

", + "smithy.api#required": {} + } + }, + "StartingSequenceNumber": { + "target": "com.amazonaws.kinesis#SequenceNumber", + "traits": { + "smithy.api#documentation": "

The sequence number of the data record in the shard from which to start reading.\n Used with shard iterator type AT_SEQUENCE_NUMBER and AFTER_SEQUENCE_NUMBER.

" + } + }, + "Timestamp": { + "target": "com.amazonaws.kinesis#Timestamp", + "traits": { + "smithy.api#documentation": "

The time stamp of the data record from which to start reading. Used with shard\n iterator type AT_TIMESTAMP. A time stamp is the Unix epoch date with precision in\n milliseconds. For example, 2016-04-04T19:58:46.480-00:00 or\n 1459799926.480. If a record with this exact time stamp does not exist,\n the iterator returned is for the next (later) record. If the time stamp is older than\n the current trim horizon, the iterator returned is for the oldest untrimmed data record\n (TRIM_HORIZON).

" + } + }, + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the Amazon Kinesis data stream.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the input for GetShardIterator.

" + } + }, + "com.amazonaws.kinesis#GetShardIteratorOutput": { + "type": "structure", + "members": { + "ShardIterator": { + "target": "com.amazonaws.kinesis#ShardIterator", + "traits": { + "smithy.api#documentation": "

The position in the shard from which to start reading data records sequentially. A\n shard iterator specifies this position using the sequence number of a data record in a\n shard.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the output for GetShardIterator.

" + } + }, + "com.amazonaws.kinesis#HashKey": { + "type": "string", + "traits": { + "smithy.api#pattern": "0|([1-9]\\d{0,38})" + } + }, + "com.amazonaws.kinesis#HashKeyRange": { + "type": "structure", + "members": { + "StartingHashKey": { + "target": "com.amazonaws.kinesis#HashKey", + "traits": { + "smithy.api#documentation": "

The starting hash key of the hash key range.

", + "smithy.api#required": {} + } + }, + "EndingHashKey": { + "target": "com.amazonaws.kinesis#HashKey", + "traits": { + "smithy.api#documentation": "

The ending hash key of the hash key range.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

The range of possible hash key values for the shard, which is a set of ordered\n contiguous positive integers.

" + } + }, + "com.amazonaws.kinesis#IncreaseStreamRetentionPeriod": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#IncreaseStreamRetentionPeriodInput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Increases the Kinesis data stream's retention period, which is the length of time\n data records are accessible after they are added to the stream. The maximum value of a\n stream's retention period is 168 hours (7 days).

\n

If you choose a longer stream retention period, this operation increases the time\n period during which records that have not yet expired are accessible. However, it does\n not make previous, expired data (older than the stream's previous retention period)\n accessible after the operation has been called. For example, if a stream's retention\n period is set to 24 hours and is increased to 168 hours, any data that is older than 24\n hours remains inaccessible to consumer applications.

" + } + }, + "com.amazonaws.kinesis#IncreaseStreamRetentionPeriodInput": { + "type": "structure", + "members": { + "RetentionPeriodHours": { + "target": "com.amazonaws.kinesis#RetentionPeriodHours", + "traits": { + "smithy.api#documentation": "

The new retention period of the stream, in hours. Must be more than the current\n retention period.

", + "smithy.api#required": {} + } + }, + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream to modify.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the input for IncreaseStreamRetentionPeriod.

" + } + }, + "com.amazonaws.kinesis#InternalFailureException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kinesis#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "

The processing of the request failed because of an unknown error, exception, or\n failure.

", + "smithy.api#error": "server" + } + }, + "com.amazonaws.kinesis#InvalidArgumentException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kinesis#ErrorMessage", + "traits": { + "smithy.api#documentation": "

A message that provides information about the error.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

A specified parameter exceeds its restrictions, is not supported, or can't be used.\n For more information, see the returned message.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.kinesis#KMSAccessDeniedException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kinesis#ErrorMessage", + "traits": { + "smithy.api#documentation": "

A message that provides information about the error.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

The ciphertext references a key that doesn't exist or that you don't have access\n to.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.kinesis#KMSDisabledException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kinesis#ErrorMessage", + "traits": { + "smithy.api#documentation": "

A message that provides information about the error.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the specified customer master key (CMK) isn't\n enabled.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.kinesis#KMSInvalidStateException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kinesis#ErrorMessage", + "traits": { + "smithy.api#documentation": "

A message that provides information about the error.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the state of the specified resource isn't valid\n for this request. For more information, see How Key State Affects Use of a\n Customer Master Key in the AWS Key Management Service Developer\n Guide.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.kinesis#KMSNotFoundException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kinesis#ErrorMessage", + "traits": { + "smithy.api#documentation": "

A message that provides information about the error.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the specified entity or resource can't be\n found.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.kinesis#KMSOptInRequired": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kinesis#ErrorMessage", + "traits": { + "smithy.api#documentation": "

A message that provides information about the error.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

The AWS access key ID needs a subscription for the service.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.kinesis#KMSThrottlingException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kinesis#ErrorMessage", + "traits": { + "smithy.api#documentation": "

A message that provides information about the error.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

The request was denied due to request throttling. For more information about\n throttling, see Limits in\n the AWS Key Management Service Developer Guide.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.kinesis#KeyId": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 2048 + } + } + }, + "com.amazonaws.kinesis#Kinesis_20131202": { + "type": "service", + "version": "2013-12-02", + "operations": [ + { + "target": "com.amazonaws.kinesis#AddTagsToStream" + }, + { + "target": "com.amazonaws.kinesis#CreateStream" + }, + { + "target": "com.amazonaws.kinesis#DecreaseStreamRetentionPeriod" + }, + { + "target": "com.amazonaws.kinesis#DeleteStream" + }, + { + "target": "com.amazonaws.kinesis#DeregisterStreamConsumer" + }, + { + "target": "com.amazonaws.kinesis#DescribeLimits" + }, + { + "target": "com.amazonaws.kinesis#DescribeStream" + }, + { + "target": "com.amazonaws.kinesis#DescribeStreamConsumer" + }, + { + "target": "com.amazonaws.kinesis#DescribeStreamSummary" + }, + { + "target": "com.amazonaws.kinesis#DisableEnhancedMonitoring" + }, + { + "target": "com.amazonaws.kinesis#EnableEnhancedMonitoring" + }, + { + "target": "com.amazonaws.kinesis#GetRecords" + }, + { + "target": "com.amazonaws.kinesis#GetShardIterator" + }, + { + "target": "com.amazonaws.kinesis#IncreaseStreamRetentionPeriod" + }, + { + "target": "com.amazonaws.kinesis#ListShards" + }, + { + "target": "com.amazonaws.kinesis#ListStreamConsumers" + }, + { + "target": "com.amazonaws.kinesis#ListStreams" + }, + { + "target": "com.amazonaws.kinesis#ListTagsForStream" + }, + { + "target": "com.amazonaws.kinesis#MergeShards" + }, + { + "target": "com.amazonaws.kinesis#PutRecord" + }, + { + "target": "com.amazonaws.kinesis#PutRecords" + }, + { + "target": "com.amazonaws.kinesis#RegisterStreamConsumer" + }, + { + "target": "com.amazonaws.kinesis#RemoveTagsFromStream" + }, + { + "target": "com.amazonaws.kinesis#SplitShard" + }, + { + "target": "com.amazonaws.kinesis#StartStreamEncryption" + }, + { + "target": "com.amazonaws.kinesis#StopStreamEncryption" + }, + { + "target": "com.amazonaws.kinesis#SubscribeToShard" + }, + { + "target": "com.amazonaws.kinesis#UpdateShardCount" + } + ], + "traits": { + "aws.api#service": { + "sdkId": "Kinesis", + "arnNamespace": "kinesis", + "cloudFormationName": "Kinesis", + "cloudTrailEventSource": "kinesis.amazonaws.com" + }, + "aws.auth#sigv4": { + "name": "kinesis" + }, + "aws.protocols#awsJson1_1": {}, + "smithy.api#documentation": "Amazon Kinesis Data Streams Service API Reference\n

Amazon Kinesis Data Streams is a managed service that scales elastically for\n real-time processing of streaming big data.

", + "smithy.api#title": "Amazon Kinesis", + "smithy.api#xmlNamespace": { + "uri": "http://kinesis.amazonaws.com/doc/2013-12-02" + } + } + }, + "com.amazonaws.kinesis#LimitExceededException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kinesis#ErrorMessage", + "traits": { + "smithy.api#documentation": "

A message that provides information about the error.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

The requested resource exceeds the maximum number allowed, or the number of\n concurrent stream requests exceeds the maximum number allowed.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.kinesis#ListShards": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#ListShardsInput" + }, + "output": { + "target": "com.amazonaws.kinesis#ListShardsOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#ExpiredNextTokenException" + }, + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Lists the shards in a stream and provides information about each shard. This\n operation has a limit of 100 transactions per second per data stream.

\n \n

This API is a new operation that is used by the Amazon Kinesis Client Library\n (KCL). If you have a fine-grained IAM policy that only allows specific operations,\n you must update your policy to allow calls to this API. For more information, see\n Controlling Access to Amazon Kinesis Data Streams Resources Using\n IAM.

\n " + } + }, + "com.amazonaws.kinesis#ListShardsInput": { + "type": "structure", + "members": { + "MaxResults": { + "target": "com.amazonaws.kinesis#ListShardsInputLimit", + "traits": { + "smithy.api#documentation": "

The maximum number of shards to return in a single call to ListShards.\n The minimum value you can specify for this parameter is 1, and the maximum is 10,000,\n which is also the default.

\n

When the number of shards to be listed is greater than the value of\n MaxResults, the response contains a NextToken value that\n you can use in a subsequent call to ListShards to list the next set of\n shards.

" + } + }, + "StreamCreationTimestamp": { + "target": "com.amazonaws.kinesis#Timestamp", + "traits": { + "smithy.api#documentation": "

Specify this input parameter to distinguish data streams that have the same name.\n For example, if you create a data stream and then delete it, and you later create\n another data stream with the same name, you can use this input parameter to specify\n which of the two streams you want to list the shards for.

\n

You cannot specify this parameter if you specify the NextToken\n parameter.

" + } + }, + "NextToken": { + "target": "com.amazonaws.kinesis#NextToken", + "traits": { + "smithy.api#documentation": "

When the number of shards in the data stream is greater than the default value for\n the MaxResults parameter, or if you explicitly specify a value for\n MaxResults that is less than the number of shards in the data stream,\n the response includes a pagination token named NextToken. You can specify\n this NextToken value in a subsequent call to ListShards to\n list the next set of shards.

\n

Don't specify StreamName or StreamCreationTimestamp if\n you specify NextToken because the latter unambiguously identifies the\n stream.

\n

You can optionally specify a value for the MaxResults parameter when\n you specify NextToken. If you specify a MaxResults value that\n is less than the number of shards that the operation returns if you don't specify\n MaxResults, the response will contain a new NextToken\n value. You can use the new NextToken value in a subsequent call to the\n ListShards operation.

\n \n

Tokens expire after 300 seconds. When you obtain a value for\n NextToken in the response to a call to ListShards, you\n have 300 seconds to use that value. If you specify an expired token in a call to\n ListShards, you get\n ExpiredNextTokenException.

\n " + } + }, + "ExclusiveStartShardId": { + "target": "com.amazonaws.kinesis#ShardId", + "traits": { + "smithy.api#documentation": "

Specify this parameter to indicate that you want to list the shards starting with\n the shard whose ID immediately follows ExclusiveStartShardId.

\n

If you don't specify this parameter, the default behavior is for\n ListShards to list the shards starting with the first one in the\n stream.

\n

You cannot specify this parameter if you specify NextToken.

" + } + }, + "ShardFilter": { + "target": "com.amazonaws.kinesis#ShardFilter" + }, + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the data stream whose shards you want to list.

\n

You cannot specify this parameter if you specify the NextToken\n parameter.

" + } + } + } + }, + "com.amazonaws.kinesis#ListShardsInputLimit": { + "type": "integer", + "traits": { + "smithy.api#box": {}, + "smithy.api#range": { + "min": 1, + "max": 10000 + } + } + }, + "com.amazonaws.kinesis#ListShardsOutput": { + "type": "structure", + "members": { + "NextToken": { + "target": "com.amazonaws.kinesis#NextToken", + "traits": { + "smithy.api#documentation": "

When the number of shards in the data stream is greater than the default value for\n the MaxResults parameter, or if you explicitly specify a value for\n MaxResults that is less than the number of shards in the data stream,\n the response includes a pagination token named NextToken. You can specify\n this NextToken value in a subsequent call to ListShards to\n list the next set of shards. For more information about the use of this pagination token\n when calling the ListShards operation, see ListShardsInput$NextToken.

\n \n

Tokens expire after 300 seconds. When you obtain a value for\n NextToken in the response to a call to ListShards, you\n have 300 seconds to use that value. If you specify an expired token in a call to\n ListShards, you get\n ExpiredNextTokenException.

\n " + } + }, + "Shards": { + "target": "com.amazonaws.kinesis#ShardList", + "traits": { + "smithy.api#documentation": "

An array of JSON objects. Each object represents one shard and specifies the IDs of\n the shard, the shard's parent, and the shard that's adjacent to the shard's parent. Each\n object also contains the starting and ending hash keys and the starting and ending\n sequence numbers for the shard.

" + } + } + } + }, + "com.amazonaws.kinesis#ListStreamConsumers": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#ListStreamConsumersInput" + }, + "output": { + "target": "com.amazonaws.kinesis#ListStreamConsumersOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#ExpiredNextTokenException" + }, + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Lists the consumers registered to receive data from a stream using enhanced fan-out,\n and provides information about each consumer.

\n

This operation has a limit of 5 transactions per second per stream.

", + "smithy.api#paginated": { + "inputToken": "NextToken", + "outputToken": "NextToken", + "pageSize": "MaxResults" + } + } + }, + "com.amazonaws.kinesis#ListStreamConsumersInput": { + "type": "structure", + "members": { + "NextToken": { + "target": "com.amazonaws.kinesis#NextToken", + "traits": { + "smithy.api#documentation": "

When the number of consumers that are registered with the data stream is greater than\n the default value for the MaxResults parameter, or if you explicitly\n specify a value for MaxResults that is less than the number of consumers\n that are registered with the data stream, the response includes a pagination token named\n NextToken. You can specify this NextToken value in a\n subsequent call to ListStreamConsumers to list the next set of registered\n consumers.

\n

Don't specify StreamName or StreamCreationTimestamp if you\n specify NextToken because the latter unambiguously identifies the\n stream.

\n

You can optionally specify a value for the MaxResults parameter when you\n specify NextToken. If you specify a MaxResults value that is\n less than the number of consumers that the operation returns if you don't specify\n MaxResults, the response will contain a new NextToken\n value. You can use the new NextToken value in a subsequent call to the\n ListStreamConsumers operation to list the next set of consumers.

\n \n

Tokens expire after 300 seconds. When you obtain a value for\n NextToken in the response to a call to\n ListStreamConsumers, you have 300 seconds to use that value. If you\n specify an expired token in a call to ListStreamConsumers, you get\n ExpiredNextTokenException.

\n " + } + }, + "StreamCreationTimestamp": { + "target": "com.amazonaws.kinesis#Timestamp", + "traits": { + "smithy.api#documentation": "

Specify this input parameter to distinguish data streams that have the same name. For\n example, if you create a data stream and then delete it, and you later create another\n data stream with the same name, you can use this input parameter to specify which of the\n two streams you want to list the consumers for.

\n

You can't specify this parameter if you specify the NextToken parameter.

" + } + }, + "StreamARN": { + "target": "com.amazonaws.kinesis#StreamARN", + "traits": { + "smithy.api#documentation": "

The ARN of the Kinesis data stream for which you want to list the registered\n consumers. For more information, see Amazon Resource Names (ARNs) and AWS Service Namespaces.

", + "smithy.api#required": {} + } + }, + "MaxResults": { + "target": "com.amazonaws.kinesis#ListStreamConsumersInputLimit", + "traits": { + "smithy.api#documentation": "

The maximum number of consumers that you want a single call of\n ListStreamConsumers to return.

" + } + } + } + }, + "com.amazonaws.kinesis#ListStreamConsumersInputLimit": { + "type": "integer", + "traits": { + "smithy.api#box": {}, + "smithy.api#range": { + "min": 1, + "max": 10000 + } + } + }, + "com.amazonaws.kinesis#ListStreamConsumersOutput": { + "type": "structure", + "members": { + "Consumers": { + "target": "com.amazonaws.kinesis#ConsumerList", + "traits": { + "smithy.api#documentation": "

An array of JSON objects. Each object represents one registered consumer.

" + } + }, + "NextToken": { + "target": "com.amazonaws.kinesis#NextToken", + "traits": { + "smithy.api#documentation": "

When the number of consumers that are registered with the data stream is greater than\n the default value for the MaxResults parameter, or if you explicitly\n specify a value for MaxResults that is less than the number of registered\n consumers, the response includes a pagination token named NextToken. You\n can specify this NextToken value in a subsequent call to\n ListStreamConsumers to list the next set of registered consumers. For\n more information about the use of this pagination token when calling the\n ListStreamConsumers operation, see ListStreamConsumersInput$NextToken.

\n \n

Tokens expire after 300 seconds. When you obtain a value for\n NextToken in the response to a call to\n ListStreamConsumers, you have 300 seconds to use that value. If you\n specify an expired token in a call to ListStreamConsumers, you get\n ExpiredNextTokenException.

\n " + } + } + } + }, + "com.amazonaws.kinesis#ListStreams": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#ListStreamsInput" + }, + "output": { + "target": "com.amazonaws.kinesis#ListStreamsOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#LimitExceededException" + } + ], + "traits": { + "smithy.api#documentation": "

Lists your Kinesis data streams.

\n

The number of streams may be too large to return from a single call to\n ListStreams. You can limit the number of returned streams using the\n Limit parameter. If you do not specify a value for the\n Limit parameter, Kinesis Data Streams uses the default limit, which is\n currently 10.

\n

You can detect if there are more streams available to list by using the\n HasMoreStreams flag from the returned output. If there are more streams\n available, you can request more streams by using the name of the last stream returned by\n the ListStreams request in the ExclusiveStartStreamName\n parameter in a subsequent request to ListStreams. The group of stream names\n returned by the subsequent request is then added to the list. You can continue this\n process until all the stream names have been collected in the list.

\n

\n ListStreams has a limit of five transactions per second per\n account.

" + } + }, + "com.amazonaws.kinesis#ListStreamsInput": { + "type": "structure", + "members": { + "Limit": { + "target": "com.amazonaws.kinesis#ListStreamsInputLimit", + "traits": { + "smithy.api#documentation": "

The maximum number of streams to list.

" + } + }, + "ExclusiveStartStreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream to start the list with.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the input for ListStreams.

" + } + }, + "com.amazonaws.kinesis#ListStreamsInputLimit": { + "type": "integer", + "traits": { + "smithy.api#box": {}, + "smithy.api#range": { + "min": 1, + "max": 10000 + } + } + }, + "com.amazonaws.kinesis#ListStreamsOutput": { + "type": "structure", + "members": { + "StreamNames": { + "target": "com.amazonaws.kinesis#StreamNameList", + "traits": { + "smithy.api#documentation": "

The names of the streams that are associated with the AWS account making the\n ListStreams request.

", + "smithy.api#required": {} + } + }, + "HasMoreStreams": { + "target": "com.amazonaws.kinesis#BooleanObject", + "traits": { + "smithy.api#documentation": "

If set to true, there are more streams available to list.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the output for ListStreams.

" + } + }, + "com.amazonaws.kinesis#ListTagsForStream": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#ListTagsForStreamInput" + }, + "output": { + "target": "com.amazonaws.kinesis#ListTagsForStreamOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Lists the tags for the specified Kinesis data stream. This operation has a limit of\n five transactions per second per account.

" + } + }, + "com.amazonaws.kinesis#ListTagsForStreamInput": { + "type": "structure", + "members": { + "Limit": { + "target": "com.amazonaws.kinesis#ListTagsForStreamInputLimit", + "traits": { + "smithy.api#documentation": "

The number of tags to return. If this number is less than the total number of tags\n associated with the stream, HasMoreTags is set to true. To\n list additional tags, set ExclusiveStartTagKey to the last key in the\n response.

" + } + }, + "ExclusiveStartTagKey": { + "target": "com.amazonaws.kinesis#TagKey", + "traits": { + "smithy.api#documentation": "

The key to use as the starting point for the list of tags. If this parameter is\n set, ListTagsForStream gets all tags that occur after\n ExclusiveStartTagKey.

" + } + }, + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the input for ListTagsForStream.

" + } + }, + "com.amazonaws.kinesis#ListTagsForStreamInputLimit": { + "type": "integer", + "traits": { + "smithy.api#box": {}, + "smithy.api#range": { + "min": 1, + "max": 50 + } + } + }, + "com.amazonaws.kinesis#ListTagsForStreamOutput": { + "type": "structure", + "members": { + "Tags": { + "target": "com.amazonaws.kinesis#TagList", + "traits": { + "smithy.api#documentation": "

A list of tags associated with StreamName, starting with the first tag\n after ExclusiveStartTagKey and up to the specified Limit.\n

", + "smithy.api#required": {} + } + }, + "HasMoreTags": { + "target": "com.amazonaws.kinesis#BooleanObject", + "traits": { + "smithy.api#documentation": "

If set to true, more tags are available. To request additional tags,\n set ExclusiveStartTagKey to the key of the last tag returned.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the output for ListTagsForStream.

" + } + }, + "com.amazonaws.kinesis#MergeShards": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#MergeShardsInput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Merges two adjacent shards in a Kinesis data stream and combines them into a single\n shard to reduce the stream's capacity to ingest and transport data. Two shards are\n considered adjacent if the union of the hash key ranges for the two shards form a\n contiguous set with no gaps. For example, if you have two shards, one with a hash key\n range of 276...381 and the other with a hash key range of 382...454, then you could\n merge these two shards into a single shard that would have a hash key range of\n 276...454. After the merge, the single child shard receives data for all hash key values\n covered by the two parent shards.

\n

\n MergeShards is called when there is a need to reduce the overall capacity\n of a stream because of excess capacity that is not being used. You must specify the\n shard to be merged and the adjacent shard for a stream. For more information about\n merging shards, see Merge Two\n Shards in the Amazon Kinesis Data Streams Developer\n Guide.

\n

If the stream is in the ACTIVE state, you can call\n MergeShards. If a stream is in the CREATING,\n UPDATING, or DELETING state, MergeShards\n returns a ResourceInUseException. If the specified stream does not exist,\n MergeShards returns a ResourceNotFoundException.

\n

You can use DescribeStream to check the state of the stream,\n which is returned in StreamStatus.

\n

\n MergeShards is an asynchronous operation. Upon receiving a\n MergeShards request, Amazon Kinesis Data Streams immediately returns a\n response and sets the StreamStatus to UPDATING. After the\n operation is completed, Kinesis Data Streams sets the StreamStatus to\n ACTIVE. Read and write operations continue to work while the stream is\n in the UPDATING state.

\n

You use DescribeStream to determine the shard IDs that are\n specified in the MergeShards request.

\n

If you try to operate on too many streams in parallel using CreateStream, DeleteStream, MergeShards,\n or SplitShard, you receive a LimitExceededException.

\n

\n MergeShards has a limit of five transactions per second per\n account.

" + } + }, + "com.amazonaws.kinesis#MergeShardsInput": { + "type": "structure", + "members": { + "AdjacentShardToMerge": { + "target": "com.amazonaws.kinesis#ShardId", + "traits": { + "smithy.api#documentation": "

The shard ID of the adjacent shard for the merge.

", + "smithy.api#required": {} + } + }, + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream for the merge.

", + "smithy.api#required": {} + } + }, + "ShardToMerge": { + "target": "com.amazonaws.kinesis#ShardId", + "traits": { + "smithy.api#documentation": "

The shard ID of the shard to combine with the adjacent shard for the\n merge.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the input for MergeShards.

" + } + }, + "com.amazonaws.kinesis#MetricsName": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "IncomingBytes", + "name": "INCOMING_BYTES" + }, + { + "value": "IncomingRecords", + "name": "INCOMING_RECORDS" + }, + { + "value": "OutgoingBytes", + "name": "OUTGOING_BYTES" + }, + { + "value": "OutgoingRecords", + "name": "OUTGOING_RECORDS" + }, + { + "value": "WriteProvisionedThroughputExceeded", + "name": "WRITE_PROVISIONED_THROUGHPUT_EXCEEDED" + }, + { + "value": "ReadProvisionedThroughputExceeded", + "name": "READ_PROVISIONED_THROUGHPUT_EXCEEDED" + }, + { + "value": "IteratorAgeMilliseconds", + "name": "ITERATOR_AGE_MILLISECONDS" + }, + { + "value": "ALL", + "name": "ALL" + } + ] + } + }, + "com.amazonaws.kinesis#MetricsNameList": { + "type": "list", + "member": { + "target": "com.amazonaws.kinesis#MetricsName" + }, + "traits": { + "smithy.api#length": { + "min": 1, + "max": 7 + } + } + }, + "com.amazonaws.kinesis#MillisBehindLatest": { + "type": "long", + "traits": { + "smithy.api#box": {}, + "smithy.api#range": { + "min": 0 + } + } + }, + "com.amazonaws.kinesis#NextToken": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 1048576 + } + } + }, + "com.amazonaws.kinesis#PartitionKey": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 256 + } + } + }, + "com.amazonaws.kinesis#PositiveIntegerObject": { + "type": "integer", + "traits": { + "smithy.api#box": {}, + "smithy.api#range": { + "min": 1 + } + } + }, + "com.amazonaws.kinesis#ProvisionedThroughputExceededException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kinesis#ErrorMessage", + "traits": { + "smithy.api#documentation": "

A message that provides information about the error.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

The request rate for the stream is too high, or the requested data is too large for\n the available throughput. Reduce the frequency or size of your requests. For more\n information, see Streams Limits in the\n Amazon Kinesis Data Streams Developer Guide, and Error Retries and\n Exponential Backoff in AWS in the AWS General\n Reference.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.kinesis#PutRecord": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#PutRecordInput" + }, + "output": { + "target": "com.amazonaws.kinesis#PutRecordOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#KMSAccessDeniedException" + }, + { + "target": "com.amazonaws.kinesis#KMSDisabledException" + }, + { + "target": "com.amazonaws.kinesis#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kinesis#KMSNotFoundException" + }, + { + "target": "com.amazonaws.kinesis#KMSOptInRequired" + }, + { + "target": "com.amazonaws.kinesis#KMSThrottlingException" + }, + { + "target": "com.amazonaws.kinesis#ProvisionedThroughputExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Writes a single data record into an Amazon Kinesis data stream. Call\n PutRecord to send data into the stream for real-time ingestion and\n subsequent processing, one record at a time. Each shard can support writes up to 1,000\n records per second, up to a maximum data write total of 1 MiB per second.

\n

You must specify the name of the stream that captures, stores, and transports the\n data; a partition key; and the data blob itself.

\n

The data blob can be any type of data; for example, a segment from a log file,\n geographic/location data, website clickstream data, and so on.

\n

The partition key is used by Kinesis Data Streams to distribute data across shards.\n Kinesis Data Streams segregates the data records that belong to a stream into multiple\n shards, using the partition key associated with each data record to determine the shard\n to which a given data record belongs.

\n

Partition keys are Unicode strings, with a maximum length limit of 256 characters\n for each key. An MD5 hash function is used to map partition keys to 128-bit integer\n values and to map associated data records to shards using the hash key ranges of the\n shards. You can override hashing the partition key to determine the shard by explicitly\n specifying a hash value using the ExplicitHashKey parameter. For more\n information, see Adding Data to a Stream in the Amazon Kinesis Data Streams\n Developer Guide.

\n

\n PutRecord returns the shard ID of where the data record was placed and the\n sequence number that was assigned to the data record.

\n

Sequence numbers increase over time and are specific to a shard within a stream,\n not across all shards within a stream. To guarantee strictly increasing ordering, write\n serially to a shard and use the SequenceNumberForOrdering parameter. For\n more information, see Adding Data to a Stream in the Amazon Kinesis Data Streams\n Developer Guide.

\n \n

After you write a record to a stream, you cannot modify that record or its order\n within the stream.

\n \n

If a PutRecord request cannot be processed because of insufficient\n provisioned throughput on the shard involved in the request, PutRecord\n throws ProvisionedThroughputExceededException.

\n

By default, data records are accessible for 24 hours from the time that they are\n added to a stream. You can use IncreaseStreamRetentionPeriod or DecreaseStreamRetentionPeriod to modify this retention period.

" + } + }, + "com.amazonaws.kinesis#PutRecordInput": { + "type": "structure", + "members": { + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream to put the data record into.

", + "smithy.api#required": {} + } + }, + "ExplicitHashKey": { + "target": "com.amazonaws.kinesis#HashKey", + "traits": { + "smithy.api#documentation": "

The hash value used to explicitly determine the shard the data record is assigned\n to by overriding the partition key hash.

" + } + }, + "SequenceNumberForOrdering": { + "target": "com.amazonaws.kinesis#SequenceNumber", + "traits": { + "smithy.api#documentation": "

Guarantees strictly increasing sequence numbers, for puts from the same client and\n to the same partition key. Usage: set the SequenceNumberForOrdering of\n record n to the sequence number of record n-1\n (as returned in the result when putting record n-1). If this\n parameter is not set, records are coarsely ordered based on arrival time.

" + } + }, + "PartitionKey": { + "target": "com.amazonaws.kinesis#PartitionKey", + "traits": { + "smithy.api#documentation": "

Determines which shard in the stream the data record is assigned to. Partition keys\n are Unicode strings with a maximum length limit of 256 characters for each key. Amazon\n Kinesis Data Streams uses the partition key as input to a hash function that maps the\n partition key and associated data to a specific shard. Specifically, an MD5 hash\n function is used to map partition keys to 128-bit integer values and to map associated\n data records to shards. As a result of this hashing mechanism, all data records with the\n same partition key map to the same shard within the stream.

", + "smithy.api#required": {} + } + }, + "Data": { + "target": "com.amazonaws.kinesis#Data", + "traits": { + "smithy.api#documentation": "

The data blob to put into the record, which is base64-encoded when the blob is\n serialized. When the data blob (the payload before base64-encoding) is added to the\n partition key size, the total size must not exceed the maximum record size (1\n MiB).

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the input for PutRecord.

" + } + }, + "com.amazonaws.kinesis#PutRecordOutput": { + "type": "structure", + "members": { + "ShardId": { + "target": "com.amazonaws.kinesis#ShardId", + "traits": { + "smithy.api#documentation": "

The shard ID of the shard where the data record was placed.

", + "smithy.api#required": {} + } + }, + "SequenceNumber": { + "target": "com.amazonaws.kinesis#SequenceNumber", + "traits": { + "smithy.api#documentation": "

The sequence number identifier that was assigned to the put data record. The\n sequence number for the record is unique across all records in the stream. A sequence\n number is the identifier associated with every record put into the stream.

", + "smithy.api#required": {} + } + }, + "EncryptionType": { + "target": "com.amazonaws.kinesis#EncryptionType", + "traits": { + "smithy.api#documentation": "

The encryption type to use on the record. This parameter can be one of the\n following values:

\n " + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the output for PutRecord.

" + } + }, + "com.amazonaws.kinesis#PutRecords": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#PutRecordsInput" + }, + "output": { + "target": "com.amazonaws.kinesis#PutRecordsOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#KMSAccessDeniedException" + }, + { + "target": "com.amazonaws.kinesis#KMSDisabledException" + }, + { + "target": "com.amazonaws.kinesis#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kinesis#KMSNotFoundException" + }, + { + "target": "com.amazonaws.kinesis#KMSOptInRequired" + }, + { + "target": "com.amazonaws.kinesis#KMSThrottlingException" + }, + { + "target": "com.amazonaws.kinesis#ProvisionedThroughputExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Writes multiple data records into a Kinesis data stream in a single call (also\n referred to as a PutRecords request). Use this operation to send data into\n the stream for data ingestion and processing.

\n

Each PutRecords request can support up to 500 records. Each record in\n the request can be as large as 1 MiB, up to a limit of 5 MiB for the entire request,\n including partition keys. Each shard can support writes up to 1,000 records per second,\n up to a maximum data write total of 1 MiB per second.

\n

You must specify the name of the stream that captures, stores, and transports the\n data; and an array of request Records, with each record in the array\n requiring a partition key and data blob. The record size limit applies to the total size\n of the partition key and data blob.

\n

The data blob can be any type of data; for example, a segment from a log file,\n geographic/location data, website clickstream data, and so on.

\n

The partition key is used by Kinesis Data Streams as input to a hash function that\n maps the partition key and associated data to a specific shard. An MD5 hash function is\n used to map partition keys to 128-bit integer values and to map associated data records\n to shards. As a result of this hashing mechanism, all data records with the same\n partition key map to the same shard within the stream. For more information, see Adding Data to a Stream in the Amazon Kinesis Data Streams\n Developer Guide.

\n

Each record in the Records array may include an optional parameter,\n ExplicitHashKey, which overrides the partition key to shard mapping.\n This parameter allows a data producer to determine explicitly the shard where the record\n is stored. For more information, see Adding Multiple Records with PutRecords in the Amazon Kinesis\n Data Streams Developer Guide.

\n

The PutRecords response includes an array of response\n Records. Each record in the response array directly correlates with a\n record in the request array using natural ordering, from the top to the bottom of the\n request and response. The response Records array always includes the same\n number of records as the request array.

\n

The response Records array includes both successfully and\n unsuccessfully processed records. Kinesis Data Streams attempts to process all records\n in each PutRecords request. A single record failure does not stop the\n processing of subsequent records. As a result, PutRecords doesn't guarantee the ordering\n of records. If you need to read records in the same order they are written to the\n stream, use PutRecord instead of PutRecords, and write to\n the same shard.

\n

A successfully processed record includes ShardId and\n SequenceNumber values. The ShardId parameter identifies\n the shard in the stream where the record is stored. The SequenceNumber\n parameter is an identifier assigned to the put record, unique to all records in the\n stream.

\n

An unsuccessfully processed record includes ErrorCode and\n ErrorMessage values. ErrorCode reflects the type of error\n and can be one of the following values:\n ProvisionedThroughputExceededException or InternalFailure.\n ErrorMessage provides more detailed information about the\n ProvisionedThroughputExceededException exception including the account\n ID, stream name, and shard ID of the record that was throttled. For more information\n about partially successful responses, see Adding Multiple Records with PutRecords in the Amazon Kinesis\n Data Streams Developer Guide.

\n \n

After you write a record to a stream, you cannot modify that record or its order\n within the stream.

\n \n

By default, data records are accessible for 24 hours from the time that they are\n added to a stream. You can use IncreaseStreamRetentionPeriod or DecreaseStreamRetentionPeriod to modify this retention period.

" + } + }, + "com.amazonaws.kinesis#PutRecordsInput": { + "type": "structure", + "members": { + "Records": { + "target": "com.amazonaws.kinesis#PutRecordsRequestEntryList", + "traits": { + "smithy.api#documentation": "

The records associated with the request.

", + "smithy.api#required": {} + } + }, + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The stream name associated with the request.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

A PutRecords request.

" + } + }, + "com.amazonaws.kinesis#PutRecordsOutput": { + "type": "structure", + "members": { + "Records": { + "target": "com.amazonaws.kinesis#PutRecordsResultEntryList", + "traits": { + "smithy.api#documentation": "

An array of successfully and unsuccessfully processed record results, correlated\n with the request by natural ordering. A record that is successfully added to a stream\n includes SequenceNumber and ShardId in the result. A record\n that fails to be added to a stream includes ErrorCode and\n ErrorMessage in the result.

", + "smithy.api#required": {} + } + }, + "EncryptionType": { + "target": "com.amazonaws.kinesis#EncryptionType", + "traits": { + "smithy.api#documentation": "

The encryption type used on the records. This parameter can be one of the following\n values:

\n " + } + }, + "FailedRecordCount": { + "target": "com.amazonaws.kinesis#PositiveIntegerObject", + "traits": { + "smithy.api#documentation": "

The number of unsuccessfully processed records in a PutRecords\n request.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

\n PutRecords results.

" + } + }, + "com.amazonaws.kinesis#PutRecordsRequestEntry": { + "type": "structure", + "members": { + "Data": { + "target": "com.amazonaws.kinesis#Data", + "traits": { + "smithy.api#documentation": "

The data blob to put into the record, which is base64-encoded when the blob is\n serialized. When the data blob (the payload before base64-encoding) is added to the\n partition key size, the total size must not exceed the maximum record size (1\n MiB).

", + "smithy.api#required": {} + } + }, + "PartitionKey": { + "target": "com.amazonaws.kinesis#PartitionKey", + "traits": { + "smithy.api#documentation": "

Determines which shard in the stream the data record is assigned to. Partition keys\n are Unicode strings with a maximum length limit of 256 characters for each key. Amazon\n Kinesis Data Streams uses the partition key as input to a hash function that maps the\n partition key and associated data to a specific shard. Specifically, an MD5 hash\n function is used to map partition keys to 128-bit integer values and to map associated\n data records to shards. As a result of this hashing mechanism, all data records with the\n same partition key map to the same shard within the stream.

", + "smithy.api#required": {} + } + }, + "ExplicitHashKey": { + "target": "com.amazonaws.kinesis#HashKey", + "traits": { + "smithy.api#documentation": "

The hash value used to determine explicitly the shard that the data record is\n assigned to by overriding the partition key hash.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the output for PutRecords.

" + } + }, + "com.amazonaws.kinesis#PutRecordsRequestEntryList": { + "type": "list", + "member": { + "target": "com.amazonaws.kinesis#PutRecordsRequestEntry" + }, + "traits": { + "smithy.api#length": { + "min": 1, + "max": 500 + } + } + }, + "com.amazonaws.kinesis#PutRecordsResultEntry": { + "type": "structure", + "members": { + "ErrorCode": { + "target": "com.amazonaws.kinesis#ErrorCode", + "traits": { + "smithy.api#documentation": "

The error code for an individual record result. ErrorCodes can be\n either ProvisionedThroughputExceededException or\n InternalFailure.

" + } + }, + "ShardId": { + "target": "com.amazonaws.kinesis#ShardId", + "traits": { + "smithy.api#documentation": "

The shard ID for an individual record result.

" + } + }, + "ErrorMessage": { + "target": "com.amazonaws.kinesis#ErrorMessage", + "traits": { + "smithy.api#documentation": "

The error message for an individual record result. An ErrorCode value\n of ProvisionedThroughputExceededException has an error message that\n includes the account ID, stream name, and shard ID. An ErrorCode value of\n InternalFailure has the error message \"Internal Service\n Failure\".

" + } + }, + "SequenceNumber": { + "target": "com.amazonaws.kinesis#SequenceNumber", + "traits": { + "smithy.api#documentation": "

The sequence number for an individual record result.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the result of an individual record from a PutRecords\n request. A record that is successfully added to a stream includes\n SequenceNumber and ShardId in the result. A record that\n fails to be added to the stream includes ErrorCode and\n ErrorMessage in the result.

" + } + }, + "com.amazonaws.kinesis#PutRecordsResultEntryList": { + "type": "list", + "member": { + "target": "com.amazonaws.kinesis#PutRecordsResultEntry" + }, + "traits": { + "smithy.api#length": { + "min": 1, + "max": 500 + } + } + }, + "com.amazonaws.kinesis#Record": { + "type": "structure", + "members": { + "SequenceNumber": { + "target": "com.amazonaws.kinesis#SequenceNumber", + "traits": { + "smithy.api#documentation": "

The unique identifier of the record within its shard.

", + "smithy.api#required": {} + } + }, + "EncryptionType": { + "target": "com.amazonaws.kinesis#EncryptionType", + "traits": { + "smithy.api#documentation": "

The encryption type used on the record. This parameter can be one of the following\n values:

\n " + } + }, + "Data": { + "target": "com.amazonaws.kinesis#Data", + "traits": { + "smithy.api#documentation": "

The data blob. The data in the blob is both opaque and immutable to Kinesis Data\n Streams, which does not inspect, interpret, or change the data in the blob in any way.\n When the data blob (the payload before base64-encoding) is added to the partition key\n size, the total size must not exceed the maximum record size (1 MiB).

", + "smithy.api#required": {} + } + }, + "ApproximateArrivalTimestamp": { + "target": "com.amazonaws.kinesis#Timestamp", + "traits": { + "smithy.api#documentation": "

The approximate time that the record was inserted into the stream.

" + } + }, + "PartitionKey": { + "target": "com.amazonaws.kinesis#PartitionKey", + "traits": { + "smithy.api#documentation": "

Identifies which shard in the stream the data record is assigned to.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

The unit of data of the Kinesis data stream, which is composed of a sequence\n number, a partition key, and a data blob.

" + } + }, + "com.amazonaws.kinesis#RecordList": { + "type": "list", + "member": { + "target": "com.amazonaws.kinesis#Record" + } + }, + "com.amazonaws.kinesis#RegisterStreamConsumer": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#RegisterStreamConsumerInput" + }, + "output": { + "target": "com.amazonaws.kinesis#RegisterStreamConsumerOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Registers a consumer with a Kinesis data stream. When you use this operation, the\n consumer you register can then call SubscribeToShard to receive data\n from the stream using enhanced fan-out, at a rate of up to 2 MiB per second for every\n shard you subscribe to. This rate is unaffected by the total number of consumers that\n read from the same stream.

\n

You can register up to 20 consumers per stream. A given consumer can only be\n registered with one stream at a time.

\n

For an example of how to use this operations, see Enhanced Fan-Out\n Using the Kinesis Data Streams API.

\n

The use of this operation has a limit of five transactions per second per account.\n Also, only 5 consumers can be created simultaneously. In other words, you cannot have\n more than 5 consumers in a CREATING status at the same time. Registering a\n 6th consumer while there are 5 in a CREATING status results in a\n LimitExceededException.

" + } + }, + "com.amazonaws.kinesis#RegisterStreamConsumerInput": { + "type": "structure", + "members": { + "ConsumerName": { + "target": "com.amazonaws.kinesis#ConsumerName", + "traits": { + "smithy.api#documentation": "

For a given Kinesis data stream, each consumer must have a unique name. However,\n consumer names don't have to be unique across data streams.

", + "smithy.api#required": {} + } + }, + "StreamARN": { + "target": "com.amazonaws.kinesis#StreamARN", + "traits": { + "smithy.api#documentation": "

The ARN of the Kinesis data stream that you want to register the consumer with. For\n more info, see Amazon Resource Names (ARNs) and AWS Service Namespaces.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kinesis#RegisterStreamConsumerOutput": { + "type": "structure", + "members": { + "Consumer": { + "target": "com.amazonaws.kinesis#Consumer", + "traits": { + "smithy.api#documentation": "

An object that represents the details of the consumer you registered. When you\n register a consumer, it gets an ARN that is generated by Kinesis Data Streams.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kinesis#RemoveTagsFromStream": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#RemoveTagsFromStreamInput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Removes tags from the specified Kinesis data stream. Removed tags are deleted and\n cannot be recovered after this operation successfully completes.

\n

If you specify a tag that does not exist, it is ignored.

\n

\n RemoveTagsFromStream has a limit of five transactions per second per\n account.

" + } + }, + "com.amazonaws.kinesis#RemoveTagsFromStreamInput": { + "type": "structure", + "members": { + "TagKeys": { + "target": "com.amazonaws.kinesis#TagKeyList", + "traits": { + "smithy.api#documentation": "

A list of tag keys. Each corresponding tag is removed from the stream.

", + "smithy.api#required": {} + } + }, + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the input for RemoveTagsFromStream.

" + } + }, + "com.amazonaws.kinesis#ResourceInUseException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kinesis#ErrorMessage", + "traits": { + "smithy.api#documentation": "

A message that provides information about the error.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

The resource is not available for this operation. For successful operation, the\n resource must be in the ACTIVE state.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.kinesis#ResourceNotFoundException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kinesis#ErrorMessage", + "traits": { + "smithy.api#documentation": "

A message that provides information about the error.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

The requested resource could not be found. The stream might not be specified\n correctly.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.kinesis#RetentionPeriodHours": { + "type": "integer", + "traits": { + "smithy.api#box": {} + } + }, + "com.amazonaws.kinesis#ScalingType": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "UNIFORM_SCALING", + "name": "UNIFORM_SCALING" + } + ] + } + }, + "com.amazonaws.kinesis#SequenceNumber": { + "type": "string", + "traits": { + "smithy.api#pattern": "0|([1-9]\\d{0,128})" + } + }, + "com.amazonaws.kinesis#SequenceNumberRange": { + "type": "structure", + "members": { + "StartingSequenceNumber": { + "target": "com.amazonaws.kinesis#SequenceNumber", + "traits": { + "smithy.api#documentation": "

The starting sequence number for the range.

", + "smithy.api#required": {} + } + }, + "EndingSequenceNumber": { + "target": "com.amazonaws.kinesis#SequenceNumber", + "traits": { + "smithy.api#documentation": "

The ending sequence number for the range. Shards that are in the OPEN state have an\n ending sequence number of null.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

The range of possible sequence numbers for the shard.

" + } + }, + "com.amazonaws.kinesis#Shard": { + "type": "structure", + "members": { + "SequenceNumberRange": { + "target": "com.amazonaws.kinesis#SequenceNumberRange", + "traits": { + "smithy.api#documentation": "

The range of possible sequence numbers for the shard.

", + "smithy.api#required": {} + } + }, + "ShardId": { + "target": "com.amazonaws.kinesis#ShardId", + "traits": { + "smithy.api#documentation": "

The unique identifier of the shard within the stream.

", + "smithy.api#required": {} + } + }, + "HashKeyRange": { + "target": "com.amazonaws.kinesis#HashKeyRange", + "traits": { + "smithy.api#documentation": "

The range of possible hash key values for the shard, which is a set of ordered\n contiguous positive integers.

", + "smithy.api#required": {} + } + }, + "AdjacentParentShardId": { + "target": "com.amazonaws.kinesis#ShardId", + "traits": { + "smithy.api#documentation": "

The shard ID of the shard adjacent to the shard's parent.

" + } + }, + "ParentShardId": { + "target": "com.amazonaws.kinesis#ShardId", + "traits": { + "smithy.api#documentation": "

The shard ID of the shard's parent.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

A uniquely identified group of data records in a Kinesis data stream.

" + } + }, + "com.amazonaws.kinesis#ShardCountObject": { + "type": "integer", + "traits": { + "smithy.api#box": {}, + "smithy.api#range": { + "min": 0, + "max": 1000000 + } + } + }, + "com.amazonaws.kinesis#ShardFilter": { + "type": "structure", + "members": { + "ShardId": { + "target": "com.amazonaws.kinesis#ShardId" + }, + "Timestamp": { + "target": "com.amazonaws.kinesis#Timestamp" + }, + "Type": { + "target": "com.amazonaws.kinesis#ShardFilterType", + "traits": { + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kinesis#ShardFilterType": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "AFTER_SHARD_ID", + "name": "AFTER_SHARD_ID" + }, + { + "value": "AT_TRIM_HORIZON", + "name": "AT_TRIM_HORIZON" + }, + { + "value": "FROM_TRIM_HORIZON", + "name": "FROM_TRIM_HORIZON" + }, + { + "value": "AT_LATEST", + "name": "AT_LATEST" + }, + { + "value": "AT_TIMESTAMP", + "name": "AT_TIMESTAMP" + }, + { + "value": "FROM_TIMESTAMP", + "name": "FROM_TIMESTAMP" + } + ] + } + }, + "com.amazonaws.kinesis#ShardId": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 128 + }, + "smithy.api#pattern": "[a-zA-Z0-9_.-]+" + } + }, + "com.amazonaws.kinesis#ShardIdList": { + "type": "list", + "member": { + "target": "com.amazonaws.kinesis#ShardId" + } + }, + "com.amazonaws.kinesis#ShardIterator": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 512 + } + } + }, + "com.amazonaws.kinesis#ShardIteratorType": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "AT_SEQUENCE_NUMBER", + "name": "AT_SEQUENCE_NUMBER" + }, + { + "value": "AFTER_SEQUENCE_NUMBER", + "name": "AFTER_SEQUENCE_NUMBER" + }, + { + "value": "TRIM_HORIZON", + "name": "TRIM_HORIZON" + }, + { + "value": "LATEST", + "name": "LATEST" + }, + { + "value": "AT_TIMESTAMP", + "name": "AT_TIMESTAMP" + } + ] + } + }, + "com.amazonaws.kinesis#ShardList": { + "type": "list", + "member": { + "target": "com.amazonaws.kinesis#Shard" + } + }, + "com.amazonaws.kinesis#SplitShard": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#SplitShardInput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Splits a shard into two new shards in the Kinesis data stream, to increase the\n stream's capacity to ingest and transport data. SplitShard is called when\n there is a need to increase the overall capacity of a stream because of an expected\n increase in the volume of data records being ingested.

\n

You can also use SplitShard when a shard appears to be approaching its\n maximum utilization; for example, the producers sending data into the specific shard are\n suddenly sending more than previously anticipated. You can also call\n SplitShard to increase stream capacity, so that more Kinesis Data\n Streams applications can simultaneously read data from the stream for real-time\n processing.

\n

You must specify the shard to be split and the new hash key, which is the position\n in the shard where the shard gets split in two. In many cases, the new hash key might be\n the average of the beginning and ending hash key, but it can be any hash key value in\n the range being mapped into the shard. For more information, see Split a\n Shard in the Amazon Kinesis Data Streams Developer\n Guide.

\n

You can use DescribeStream to determine the shard ID and hash key\n values for the ShardToSplit and NewStartingHashKey parameters\n that are specified in the SplitShard request.

\n

\n SplitShard is an asynchronous operation. Upon receiving a\n SplitShard request, Kinesis Data Streams immediately returns a response\n and sets the stream status to UPDATING. After the operation is completed,\n Kinesis Data Streams sets the stream status to ACTIVE. Read and write\n operations continue to work while the stream is in the UPDATING state.

\n

You can use DescribeStream to check the status of the stream, which is\n returned in StreamStatus. If the stream is in the ACTIVE\n state, you can call SplitShard. If a stream is in CREATING or\n UPDATING or DELETING states, DescribeStream\n returns a ResourceInUseException.

\n

If the specified stream does not exist, DescribeStream returns a\n ResourceNotFoundException. If you try to create more shards than are\n authorized for your account, you receive a LimitExceededException.

\n

For the default shard limit for an AWS account, see Kinesis Data Streams\n Limits in the Amazon Kinesis Data Streams Developer\n Guide. To increase this limit, contact AWS\n Support.

\n

If you try to operate on too many streams simultaneously using CreateStream, DeleteStream, MergeShards, and/or SplitShard, you receive a\n LimitExceededException.

\n

\n SplitShard has a limit of five transactions per second per\n account.

" + } + }, + "com.amazonaws.kinesis#SplitShardInput": { + "type": "structure", + "members": { + "ShardToSplit": { + "target": "com.amazonaws.kinesis#ShardId", + "traits": { + "smithy.api#documentation": "

The shard ID of the shard to split.

", + "smithy.api#required": {} + } + }, + "NewStartingHashKey": { + "target": "com.amazonaws.kinesis#HashKey", + "traits": { + "smithy.api#documentation": "

A hash key value for the starting hash key of one of the child shards created by\n the split. The hash key range for a given shard constitutes a set of ordered contiguous\n positive integers. The value for NewStartingHashKey must be in the range of\n hash keys being mapped into the shard. The NewStartingHashKey hash key\n value and all higher hash key values in hash key range are distributed to one of the\n child shards. All the lower hash key values in the range are distributed to the other\n child shard.

", + "smithy.api#required": {} + } + }, + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream for the shard split.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the input for SplitShard.

" + } + }, + "com.amazonaws.kinesis#StartStreamEncryption": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#StartStreamEncryptionInput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#KMSAccessDeniedException" + }, + { + "target": "com.amazonaws.kinesis#KMSDisabledException" + }, + { + "target": "com.amazonaws.kinesis#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kinesis#KMSNotFoundException" + }, + { + "target": "com.amazonaws.kinesis#KMSOptInRequired" + }, + { + "target": "com.amazonaws.kinesis#KMSThrottlingException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Enables or updates server-side encryption using an AWS KMS key for a specified\n stream.

\n

Starting encryption is an asynchronous operation. Upon receiving the request,\n Kinesis Data Streams returns immediately and sets the status of the stream to\n UPDATING. After the update is complete, Kinesis Data Streams sets the\n status of the stream back to ACTIVE. Updating or applying encryption\n normally takes a few seconds to complete, but it can take minutes. You can continue to\n read and write data to your stream while its status is UPDATING. Once the\n status of the stream is ACTIVE, encryption begins for records written to\n the stream.

\n

API Limits: You can successfully apply a new AWS KMS key for server-side encryption\n 25 times in a rolling 24-hour period.

\n

Note: It can take up to 5 seconds after the stream is in an ACTIVE\n status before all records written to the stream are encrypted. After you enable\n encryption, you can verify that encryption is applied by inspecting the API response\n from PutRecord or PutRecords.

" + } + }, + "com.amazonaws.kinesis#StartStreamEncryptionInput": { + "type": "structure", + "members": { + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream for which to start encrypting records.

", + "smithy.api#required": {} + } + }, + "EncryptionType": { + "target": "com.amazonaws.kinesis#EncryptionType", + "traits": { + "smithy.api#documentation": "

The encryption type to use. The only valid value is KMS.

", + "smithy.api#required": {} + } + }, + "KeyId": { + "target": "com.amazonaws.kinesis#KeyId", + "traits": { + "smithy.api#documentation": "

The GUID for the customer-managed AWS KMS key to use for encryption. This value can\n be a globally unique identifier, a fully specified Amazon Resource Name (ARN) to either\n an alias or a key, or an alias name prefixed by \"alias/\".You can also use a master key\n owned by Kinesis Data Streams by specifying the alias\n aws/kinesis.

\n ", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kinesis#StartingPosition": { + "type": "structure", + "members": { + "Timestamp": { + "target": "com.amazonaws.kinesis#Timestamp", + "traits": { + "smithy.api#documentation": "

The time stamp of the data record from which to start reading. To specify a time\n stamp, set StartingPosition to Type AT_TIMESTAMP. A time stamp\n is the Unix epoch date with precision in milliseconds. For example,\n 2016-04-04T19:58:46.480-00:00 or 1459799926.480. If a\n record with this exact time stamp does not exist, records will be streamed from the next\n (later) record. If the time stamp is older than the current trim horizon, records will\n be streamed from the oldest untrimmed data record (TRIM_HORIZON).

" + } + }, + "SequenceNumber": { + "target": "com.amazonaws.kinesis#SequenceNumber", + "traits": { + "smithy.api#documentation": "

The sequence number of the data record in the shard from which to start streaming. To\n specify a sequence number, set StartingPosition to\n AT_SEQUENCE_NUMBER or AFTER_SEQUENCE_NUMBER.

" + } + }, + "Type": { + "target": "com.amazonaws.kinesis#ShardIteratorType", + "traits": { + "smithy.api#documentation": "

You can set the starting position to one of the following values:

\n

\n AT_SEQUENCE_NUMBER: Start streaming from the position denoted by the\n sequence number specified in the SequenceNumber field.

\n

\n AFTER_SEQUENCE_NUMBER: Start streaming right after the position denoted\n by the sequence number specified in the SequenceNumber field.

\n

\n AT_TIMESTAMP: Start streaming from the position denoted by the time stamp\n specified in the Timestamp field.

\n

\n TRIM_HORIZON: Start streaming at the last untrimmed record in the shard,\n which is the oldest data record in the shard.

\n

\n LATEST: Start streaming just after the most recent record in the shard,\n so that you always read the most recent data in the shard.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

" + } + }, + "com.amazonaws.kinesis#StopStreamEncryption": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#StopStreamEncryptionInput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Disables server-side encryption for a specified stream.

\n

Stopping encryption is an asynchronous operation. Upon receiving the request,\n Kinesis Data Streams returns immediately and sets the status of the stream to\n UPDATING. After the update is complete, Kinesis Data Streams sets the\n status of the stream back to ACTIVE. Stopping encryption normally takes a\n few seconds to complete, but it can take minutes. You can continue to read and write\n data to your stream while its status is UPDATING. Once the status of the\n stream is ACTIVE, records written to the stream are no longer encrypted by\n Kinesis Data Streams.

\n

API Limits: You can successfully disable server-side encryption 25 times in a\n rolling 24-hour period.

\n

Note: It can take up to 5 seconds after the stream is in an ACTIVE\n status before all records written to the stream are no longer subject to encryption.\n After you disabled encryption, you can verify that encryption is not applied by\n inspecting the API response from PutRecord or\n PutRecords.

" + } + }, + "com.amazonaws.kinesis#StopStreamEncryptionInput": { + "type": "structure", + "members": { + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream on which to stop encrypting records.

", + "smithy.api#required": {} + } + }, + "EncryptionType": { + "target": "com.amazonaws.kinesis#EncryptionType", + "traits": { + "smithy.api#documentation": "

The encryption type. The only valid value is KMS.

", + "smithy.api#required": {} + } + }, + "KeyId": { + "target": "com.amazonaws.kinesis#KeyId", + "traits": { + "smithy.api#documentation": "

The GUID for the customer-managed AWS KMS key to use for encryption. This value can\n be a globally unique identifier, a fully specified Amazon Resource Name (ARN) to either\n an alias or a key, or an alias name prefixed by \"alias/\".You can also use a master key\n owned by Kinesis Data Streams by specifying the alias\n aws/kinesis.

\n ", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kinesis#StreamARN": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 2048 + }, + "smithy.api#pattern": "arn:aws.*:kinesis:.*:\\d{12}:stream/.+" + } + }, + "com.amazonaws.kinesis#StreamDescription": { + "type": "structure", + "members": { + "EncryptionType": { + "target": "com.amazonaws.kinesis#EncryptionType", + "traits": { + "smithy.api#documentation": "

The server-side encryption type used on the stream. This parameter can be one of\n the following values:

\n " + } + }, + "EnhancedMonitoring": { + "target": "com.amazonaws.kinesis#EnhancedMonitoringList", + "traits": { + "smithy.api#documentation": "

Represents the current enhanced monitoring settings of the stream.

", + "smithy.api#required": {} + } + }, + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream being described.

", + "smithy.api#required": {} + } + }, + "StreamARN": { + "target": "com.amazonaws.kinesis#StreamARN", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (ARN) for the stream being described.

", + "smithy.api#required": {} + } + }, + "Shards": { + "target": "com.amazonaws.kinesis#ShardList", + "traits": { + "smithy.api#documentation": "

The shards that comprise the stream.

", + "smithy.api#required": {} + } + }, + "RetentionPeriodHours": { + "target": "com.amazonaws.kinesis#RetentionPeriodHours", + "traits": { + "smithy.api#documentation": "

The current retention period, in hours. Minimum value of 24. Maximum value of\n 168.

", + "smithy.api#required": {} + } + }, + "HasMoreShards": { + "target": "com.amazonaws.kinesis#BooleanObject", + "traits": { + "smithy.api#documentation": "

If set to true, more shards in the stream are available to\n describe.

", + "smithy.api#required": {} + } + }, + "KeyId": { + "target": "com.amazonaws.kinesis#KeyId", + "traits": { + "smithy.api#documentation": "

The GUID for the customer-managed AWS KMS key to use for encryption. This value can\n be a globally unique identifier, a fully specified ARN to either an alias or a key, or\n an alias name prefixed by \"alias/\".You can also use a master key owned by Kinesis Data\n Streams by specifying the alias aws/kinesis.

\n " + } + }, + "StreamStatus": { + "target": "com.amazonaws.kinesis#StreamStatus", + "traits": { + "smithy.api#documentation": "

The current status of the stream being described. The stream status is one of the\n following states:

\n ", + "smithy.api#required": {} + } + }, + "StreamCreationTimestamp": { + "target": "com.amazonaws.kinesis#Timestamp", + "traits": { + "smithy.api#documentation": "

The approximate time that the stream was created.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the output for DescribeStream.

" + } + }, + "com.amazonaws.kinesis#StreamDescriptionSummary": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kinesis#KeyId", + "traits": { + "smithy.api#documentation": "

The GUID for the customer-managed AWS KMS key to use for encryption. This value can\n be a globally unique identifier, a fully specified ARN to either an alias or a key, or\n an alias name prefixed by \"alias/\".You can also use a master key owned by Kinesis Data\n Streams by specifying the alias aws/kinesis.

\n " + } + }, + "StreamStatus": { + "target": "com.amazonaws.kinesis#StreamStatus", + "traits": { + "smithy.api#documentation": "

The current status of the stream being described. The stream status is one of the\n following states:

\n ", + "smithy.api#required": {} + } + }, + "StreamARN": { + "target": "com.amazonaws.kinesis#StreamARN", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (ARN) for the stream being described.

", + "smithy.api#required": {} + } + }, + "ConsumerCount": { + "target": "com.amazonaws.kinesis#ConsumerCountObject", + "traits": { + "smithy.api#documentation": "

The number of enhanced fan-out consumers registered with the stream.

" + } + }, + "OpenShardCount": { + "target": "com.amazonaws.kinesis#ShardCountObject", + "traits": { + "smithy.api#documentation": "

The number of open shards in the stream.

", + "smithy.api#required": {} + } + }, + "StreamCreationTimestamp": { + "target": "com.amazonaws.kinesis#Timestamp", + "traits": { + "smithy.api#documentation": "

The approximate time that the stream was created.

", + "smithy.api#required": {} + } + }, + "EncryptionType": { + "target": "com.amazonaws.kinesis#EncryptionType", + "traits": { + "smithy.api#documentation": "

The encryption type used. This value is one of the following:

\n " + } + }, + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream being described.

", + "smithy.api#required": {} + } + }, + "RetentionPeriodHours": { + "target": "com.amazonaws.kinesis#RetentionPeriodHours", + "traits": { + "smithy.api#documentation": "

The current retention period, in hours.

", + "smithy.api#required": {} + } + }, + "EnhancedMonitoring": { + "target": "com.amazonaws.kinesis#EnhancedMonitoringList", + "traits": { + "smithy.api#documentation": "

Represents the current enhanced monitoring settings of the stream.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Represents the output for DescribeStreamSummary\n

" + } + }, + "com.amazonaws.kinesis#StreamName": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 128 + }, + "smithy.api#pattern": "[a-zA-Z0-9_.-]+" + } + }, + "com.amazonaws.kinesis#StreamNameList": { + "type": "list", + "member": { + "target": "com.amazonaws.kinesis#StreamName" + } + }, + "com.amazonaws.kinesis#StreamStatus": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "CREATING", + "name": "CREATING" + }, + { + "value": "DELETING", + "name": "DELETING" + }, + { + "value": "ACTIVE", + "name": "ACTIVE" + }, + { + "value": "UPDATING", + "name": "UPDATING" + } + ] + } + }, + "com.amazonaws.kinesis#SubscribeToShard": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#SubscribeToShardInput" + }, + "output": { + "target": "com.amazonaws.kinesis#SubscribeToShardOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

This operation establishes an HTTP/2 connection between the consumer you specify in\n the ConsumerARN parameter and the shard you specify in the\n ShardId parameter. After the connection is successfully established,\n Kinesis Data Streams pushes records from the shard to the consumer over this connection.\n Before you call this operation, call RegisterStreamConsumer to\n register the consumer with Kinesis Data Streams.

\n

When the SubscribeToShard call succeeds, your consumer starts receiving\n events of type SubscribeToShardEvent over the HTTP/2 connection for up\n to 5 minutes, after which time you need to call SubscribeToShard again to\n renew the subscription if you want to continue to receive records.

\n

You can make one call to SubscribeToShard per second per registered\n consumer per shard. For example, if you have a 4000 shard stream and two registered\n stream consumers, you can make one SubscribeToShard request per second for\n each combination of shard and registered consumer, allowing you to subscribe both\n consumers to all 4000 shards in one second.

\n

If you call SubscribeToShard again with the same ConsumerARN\n and ShardId within 5 seconds of a successful call, you'll get a\n ResourceInUseException. If you call SubscribeToShard 5\n seconds or more after a successful call, the first connection will expire and the second\n call will take over the subscription.

\n

For an example of how to use this operations, see Enhanced Fan-Out\n Using the Kinesis Data Streams API.

" + } + }, + "com.amazonaws.kinesis#SubscribeToShardEvent": { + "type": "structure", + "members": { + "Records": { + "target": "com.amazonaws.kinesis#RecordList", + "traits": { + "smithy.api#documentation": "

", + "smithy.api#required": {} + } + }, + "ContinuationSequenceNumber": { + "target": "com.amazonaws.kinesis#SequenceNumber", + "traits": { + "smithy.api#documentation": "

Use this as SequenceNumber in the next call to SubscribeToShard, with StartingPosition set to\n AT_SEQUENCE_NUMBER or AFTER_SEQUENCE_NUMBER. Use\n ContinuationSequenceNumber for checkpointing because it captures your\n shard progress even when no data is written to the shard.

", + "smithy.api#required": {} + } + }, + "MillisBehindLatest": { + "target": "com.amazonaws.kinesis#MillisBehindLatest", + "traits": { + "smithy.api#documentation": "

The number of milliseconds the read records are from the tip of the stream, indicating\n how far behind current time the consumer is. A value of zero indicates that record\n processing is caught up, and there are no new records to process at this moment.

", + "smithy.api#required": {} + } + }, + "ChildShards": { + "target": "com.amazonaws.kinesis#ChildShardList" + } + }, + "traits": { + "smithy.api#documentation": "

After you call SubscribeToShard, Kinesis Data Streams sends events\n of this type over an HTTP/2 connection to your consumer.

" + } + }, + "com.amazonaws.kinesis#SubscribeToShardEventStream": { + "type": "union", + "members": { + "KMSThrottlingException": { + "target": "com.amazonaws.kinesis#KMSThrottlingException" + }, + "InternalFailureException": { + "target": "com.amazonaws.kinesis#InternalFailureException", + "traits": { + "smithy.api#documentation": "

The processing of the request failed because of an unknown error, exception, or\n failure.

" + } + }, + "ResourceInUseException": { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + "KMSOptInRequired": { + "target": "com.amazonaws.kinesis#KMSOptInRequired" + }, + "KMSDisabledException": { + "target": "com.amazonaws.kinesis#KMSDisabledException" + }, + "KMSAccessDeniedException": { + "target": "com.amazonaws.kinesis#KMSAccessDeniedException" + }, + "KMSInvalidStateException": { + "target": "com.amazonaws.kinesis#KMSInvalidStateException" + }, + "KMSNotFoundException": { + "target": "com.amazonaws.kinesis#KMSNotFoundException" + }, + "ResourceNotFoundException": { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + }, + "SubscribeToShardEvent": { + "target": "com.amazonaws.kinesis#SubscribeToShardEvent", + "traits": { + "smithy.api#documentation": "

After you call SubscribeToShard, Kinesis Data Streams sends events\n of this type to your consumer. For an example of how to handle these events, see Enhanced Fan-Out\n Using the Kinesis Data Streams API.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

This is a tagged union for all of the types of events an enhanced fan-out consumer can\n receive over HTTP/2 after a call to SubscribeToShard.

", + "smithy.api#streaming": {} + } + }, + "com.amazonaws.kinesis#SubscribeToShardInput": { + "type": "structure", + "members": { + "ShardId": { + "target": "com.amazonaws.kinesis#ShardId", + "traits": { + "smithy.api#documentation": "

The ID of the shard you want to subscribe to. To see a list of all the shards for a\n given stream, use ListShards.

", + "smithy.api#required": {} + } + }, + "StartingPosition": { + "target": "com.amazonaws.kinesis#StartingPosition", + "traits": { + "smithy.api#documentation": "

", + "smithy.api#required": {} + } + }, + "ConsumerARN": { + "target": "com.amazonaws.kinesis#ConsumerARN", + "traits": { + "smithy.api#documentation": "

For this parameter, use the value you obtained when you called RegisterStreamConsumer.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kinesis#SubscribeToShardOutput": { + "type": "structure", + "members": { + "EventStream": { + "target": "com.amazonaws.kinesis#SubscribeToShardEventStream", + "traits": { + "smithy.api#documentation": "

The event stream that your consumer can use to read records from the shard.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kinesis#Tag": { + "type": "structure", + "members": { + "Value": { + "target": "com.amazonaws.kinesis#TagValue", + "traits": { + "smithy.api#documentation": "

An optional string, typically used to describe or define the tag. Maximum length:\n 256 characters. Valid characters: Unicode letters, digits, white space, _ . / = + - %\n @

" + } + }, + "Key": { + "target": "com.amazonaws.kinesis#TagKey", + "traits": { + "smithy.api#documentation": "

A unique identifier for the tag. Maximum length: 128 characters. Valid characters:\n Unicode letters, digits, white space, _ . / = + - % @

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

Metadata assigned to the stream, consisting of a key-value pair.

" + } + }, + "com.amazonaws.kinesis#TagKey": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 128 + } + } + }, + "com.amazonaws.kinesis#TagKeyList": { + "type": "list", + "member": { + "target": "com.amazonaws.kinesis#TagKey" + }, + "traits": { + "smithy.api#length": { + "min": 1, + "max": 50 + } + } + }, + "com.amazonaws.kinesis#TagList": { + "type": "list", + "member": { + "target": "com.amazonaws.kinesis#Tag" + }, + "traits": { + "smithy.api#length": { + "min": 0, + "max": 200 + } + } + }, + "com.amazonaws.kinesis#TagMap": { + "type": "map", + "key": { + "target": "com.amazonaws.kinesis#TagKey" + }, + "value": { + "target": "com.amazonaws.kinesis#TagValue" + }, + "traits": { + "smithy.api#length": { + "min": 1, + "max": 200 + } + } + }, + "com.amazonaws.kinesis#TagValue": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 256 + } + } + }, + "com.amazonaws.kinesis#Timestamp": { + "type": "timestamp" + }, + "com.amazonaws.kinesis#UpdateShardCount": { + "type": "operation", + "input": { + "target": "com.amazonaws.kinesis#UpdateShardCountInput" + }, + "output": { + "target": "com.amazonaws.kinesis#UpdateShardCountOutput" + }, + "errors": [ + { + "target": "com.amazonaws.kinesis#InvalidArgumentException" + }, + { + "target": "com.amazonaws.kinesis#LimitExceededException" + }, + { + "target": "com.amazonaws.kinesis#ResourceInUseException" + }, + { + "target": "com.amazonaws.kinesis#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Updates the shard count of the specified stream to the specified number of\n shards.

\n

Updating the shard count is an asynchronous operation. Upon receiving the request,\n Kinesis Data Streams returns immediately and sets the status of the stream to\n UPDATING. After the update is complete, Kinesis Data Streams sets the\n status of the stream back to ACTIVE. Depending on the size of the stream,\n the scaling action could take a few minutes to complete. You can continue to read and\n write data to your stream while its status is UPDATING.

\n

To update the shard count, Kinesis Data Streams performs splits or merges on\n individual shards. This can cause short-lived shards to be created, in addition to the\n final shards. These short-lived shards count towards your total shard limit for your\n account in the Region.

\n

When using this operation, we recommend that you specify a target shard count that\n is a multiple of 25% (25%, 50%, 75%, 100%). You can specify any target value within your\n shard limit. However, if you specify a target that isn't a multiple of 25%, the scaling\n action might take longer to complete.

\n

This operation has the following default limits. By default, you cannot do the\n following:

\n \n

For the default limits for an AWS account, see Streams Limits in the\n Amazon Kinesis Data Streams Developer Guide. To request an\n increase in the call rate limit, the shard limit for this API, or your overall shard\n limit, use the limits form.

" + } + }, + "com.amazonaws.kinesis#UpdateShardCountInput": { + "type": "structure", + "members": { + "ScalingType": { + "target": "com.amazonaws.kinesis#ScalingType", + "traits": { + "smithy.api#documentation": "

The scaling type. Uniform scaling creates shards of equal size.

", + "smithy.api#required": {} + } + }, + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream.

", + "smithy.api#required": {} + } + }, + "TargetShardCount": { + "target": "com.amazonaws.kinesis#PositiveIntegerObject", + "traits": { + "smithy.api#documentation": "

The new number of shards. This value has the following default limits. By default,\n you cannot do the following:

\n ", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kinesis#UpdateShardCountOutput": { + "type": "structure", + "members": { + "StreamName": { + "target": "com.amazonaws.kinesis#StreamName", + "traits": { + "smithy.api#documentation": "

The name of the stream.

" + } + }, + "TargetShardCount": { + "target": "com.amazonaws.kinesis#PositiveIntegerObject", + "traits": { + "smithy.api#documentation": "

The updated number of shards.

" + } + }, + "CurrentShardCount": { + "target": "com.amazonaws.kinesis#PositiveIntegerObject", + "traits": { + "smithy.api#documentation": "

The current number of shards.

" + } + } + } + } + } +} diff --git a/aws/sdk/models/kms.json b/aws/sdk/models/kms.json new file mode 100644 index 0000000000000000000000000000000000000000..397e50e7448330270eb5ddd3e094dfbd52de16eb --- /dev/null +++ b/aws/sdk/models/kms.json @@ -0,0 +1,4904 @@ +{ + "smithy": "1.0", + "metadata": { + "suppressions": [ + { + "id": "HttpMethodSemantics", + "namespace": "*" + }, + { + "id": "HttpResponseCodeSemantics", + "namespace": "*" + }, + { + "id": "PaginatedTrait", + "namespace": "*" + }, + { + "id": "HttpHeaderTrait", + "namespace": "*" + }, + { + "id": "HttpUriConflict", + "namespace": "*" + }, + { + "id": "Service", + "namespace": "*" + } + ] + }, + "shapes": { + "com.amazonaws.kms#AWSAccountIdType": { + "type": "string" + }, + "com.amazonaws.kms#AlgorithmSpec": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "RSAES_PKCS1_V1_5", + "name": "RSAES_PKCS1_V1_5" + }, + { + "value": "RSAES_OAEP_SHA_1", + "name": "RSAES_OAEP_SHA_1" + }, + { + "value": "RSAES_OAEP_SHA_256", + "name": "RSAES_OAEP_SHA_256" + } + ] + } + }, + "com.amazonaws.kms#AliasList": { + "type": "list", + "member": { + "target": "com.amazonaws.kms#AliasListEntry" + } + }, + "com.amazonaws.kms#AliasListEntry": { + "type": "structure", + "members": { + "AliasName": { + "target": "com.amazonaws.kms#AliasNameType", + "traits": { + "smithy.api#documentation": "

String that contains the alias. This value begins with alias/.

" + } + }, + "AliasArn": { + "target": "com.amazonaws.kms#ArnType", + "traits": { + "smithy.api#documentation": "

String that contains the key ARN.

" + } + }, + "TargetKeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

String that contains the key identifier of the CMK associated with the alias.

" + } + }, + "CreationDate": { + "target": "com.amazonaws.kms#DateType", + "traits": { + "smithy.api#documentation": "

Date and time that the alias was most recently created in the account and Region. Formatted as Unix time.

" + } + }, + "LastUpdatedDate": { + "target": "com.amazonaws.kms#DateType", + "traits": { + "smithy.api#documentation": "

Date and time that the alias was most recently associated with a CMK in the account and Region. Formatted as Unix time.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Contains information about an alias.

" + } + }, + "com.amazonaws.kms#AliasNameType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 256 + }, + "smithy.api#pattern": "^[a-zA-Z0-9:/_-]+$" + } + }, + "com.amazonaws.kms#AlreadyExistsException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because it attempted to create a resource that already\n exists.

", + "smithy.api#error": "client", + "smithy.api#httpError": 409 + } + }, + "com.amazonaws.kms#ArnType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 20, + "max": 2048 + } + } + }, + "com.amazonaws.kms#BooleanType": { + "type": "boolean" + }, + "com.amazonaws.kms#CancelKeyDeletion": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#CancelKeyDeletionRequest" + }, + "output": { + "target": "com.amazonaws.kms#CancelKeyDeletionResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Cancels the deletion of a customer master key (CMK). When this operation succeeds, the key\n state of the CMK is Disabled. To enable the CMK, use EnableKey.

\n

For more information about scheduling and canceling deletion of a CMK, see Deleting Customer Master\n Keys in the AWS Key Management Service Developer Guide.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n

\n Required permissions: kms:CancelKeyDeletion (key policy)

\n

\n Related operations: ScheduleKeyDeletion\n

" + } + }, + "com.amazonaws.kms#CancelKeyDeletionRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The unique identifier for the customer master key (CMK) for which to cancel\n deletion.

\n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#CancelKeyDeletionResponse": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (key ARN) of the CMK whose deletion is canceled.

" + } + } + } + }, + "com.amazonaws.kms#CiphertextType": { + "type": "blob", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 6144 + } + } + }, + "com.amazonaws.kms#CloudHsmClusterIdType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 19, + "max": 24 + } + } + }, + "com.amazonaws.kms#CloudHsmClusterInUseException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the specified AWS CloudHSM cluster is already associated with a\n custom key store or it shares a backup history with a cluster that is associated with a custom\n key store. Each custom key store must be associated with a different AWS CloudHSM cluster.

\n

Clusters that share a backup history have the same cluster certificate. To view the\n cluster certificate of a cluster, use the DescribeClusters operation.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#CloudHsmClusterInvalidConfigurationException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the associated AWS CloudHSM cluster did not meet the\n configuration requirements for a custom key store.

\n\n \n

For information about the requirements for an AWS CloudHSM cluster that is associated with a\n custom key store, see Assemble the Prerequisites\n in the AWS Key Management Service Developer Guide. For information about creating a private subnet for an AWS CloudHSM cluster,\n see Create a Private\n Subnet in the AWS CloudHSM User Guide. For information about cluster security groups, see\n Configure a Default Security\n Group in the \n AWS CloudHSM User Guide\n .

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#CloudHsmClusterNotActiveException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the AWS CloudHSM cluster that is associated with the custom key\n store is not active. Initialize and activate the cluster and try the command again. For\n detailed instructions, see Getting Started in the AWS CloudHSM User Guide.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#CloudHsmClusterNotFoundException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster with the specified\n cluster ID. Retry the request with a different cluster ID.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#CloudHsmClusterNotRelatedException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the specified AWS CloudHSM cluster has a different cluster\n certificate than the original cluster. You cannot use the operation to specify an unrelated\n cluster.

\n

Specify a cluster that shares a backup history with the original cluster. This includes\n clusters that were created from a backup of the current cluster, and clusters that were\n created from the same backup that produced the current cluster.

\n

Clusters that share a backup history have the same cluster certificate. To view the\n cluster certificate of a cluster, use the DescribeClusters operation.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#ConnectCustomKeyStore": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#ConnectCustomKeyStoreRequest" + }, + "output": { + "target": "com.amazonaws.kms#ConnectCustomKeyStoreResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#CloudHsmClusterInvalidConfigurationException" + }, + { + "target": "com.amazonaws.kms#CloudHsmClusterNotActiveException" + }, + { + "target": "com.amazonaws.kms#CustomKeyStoreInvalidStateException" + }, + { + "target": "com.amazonaws.kms#CustomKeyStoreNotFoundException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + } + ], + "traits": { + "smithy.api#documentation": "

Connects or reconnects a custom key store to its associated AWS CloudHSM cluster.

\n

The custom key store must be connected before you can create customer master keys (CMKs)\n in the key store or use the CMKs it contains. You can disconnect and reconnect a custom key\n store at any time.

\n

To connect a custom key store, its associated AWS CloudHSM cluster must have at least one active\n HSM. To get the number of active HSMs in a cluster, use the DescribeClusters operation. To add HSMs\n to the cluster, use the CreateHsm operation. Also, the \n kmsuser crypto\n user (CU) must not be logged into the cluster. This prevents AWS KMS from using this\n account to log in.

\n

The connection process can take an extended amount of time to complete; up to 20 minutes.\n This operation starts the connection process, but it does not wait for it to complete. When it\n succeeds, this operation quickly returns an HTTP 200 response and a JSON object with no\n properties. However, this response does not indicate that the custom key store is connected.\n To get the connection state of the custom key store, use the DescribeCustomKeyStores operation.

\n

During the connection process, AWS KMS finds the AWS CloudHSM cluster that is associated with the\n custom key store, creates the connection infrastructure, connects to the cluster, logs into\n the AWS CloudHSM client as the kmsuser CU, and rotates its password.

\n

The ConnectCustomKeyStore operation might fail for various reasons. To find\n the reason, use the DescribeCustomKeyStores operation and see the\n ConnectionErrorCode in the response. For help interpreting the\n ConnectionErrorCode, see CustomKeyStoresListEntry.

\n

To fix the failure, use the DisconnectCustomKeyStore operation to\n disconnect the custom key store, correct the error, use the UpdateCustomKeyStore operation if necessary, and then use\n ConnectCustomKeyStore again.

\n

If you are having trouble connecting or disconnecting a custom key store, see Troubleshooting a Custom Key\n Store in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a custom key store in a different AWS account.

\n \n

\n Required permissions: kms:ConnectCustomKeyStore (IAM policy)

\n

\n Related operations\n

\n " + } + }, + "com.amazonaws.kms#ConnectCustomKeyStoreRequest": { + "type": "structure", + "members": { + "CustomKeyStoreId": { + "target": "com.amazonaws.kms#CustomKeyStoreIdType", + "traits": { + "smithy.api#documentation": "

Enter the key store ID of the custom key store that you want to connect.\n To find the ID of a custom key store, use the DescribeCustomKeyStores operation.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#ConnectCustomKeyStoreResponse": { + "type": "structure", + "members": {} + }, + "com.amazonaws.kms#ConnectionErrorCodeType": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "INVALID_CREDENTIALS", + "name": "INVALID_CREDENTIALS" + }, + { + "value": "CLUSTER_NOT_FOUND", + "name": "CLUSTER_NOT_FOUND" + }, + { + "value": "NETWORK_ERRORS", + "name": "NETWORK_ERRORS" + }, + { + "value": "INTERNAL_ERROR", + "name": "INTERNAL_ERROR" + }, + { + "value": "INSUFFICIENT_CLOUDHSM_HSMS", + "name": "INSUFFICIENT_CLOUDHSM_HSMS" + }, + { + "value": "USER_LOCKED_OUT", + "name": "USER_LOCKED_OUT" + }, + { + "value": "USER_NOT_FOUND", + "name": "USER_NOT_FOUND" + }, + { + "value": "USER_LOGGED_IN", + "name": "USER_LOGGED_IN" + }, + { + "value": "SUBNET_NOT_FOUND", + "name": "SUBNET_NOT_FOUND" + } + ] + } + }, + "com.amazonaws.kms#ConnectionStateType": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "CONNECTED", + "name": "CONNECTED" + }, + { + "value": "CONNECTING", + "name": "CONNECTING" + }, + { + "value": "FAILED", + "name": "FAILED" + }, + { + "value": "DISCONNECTED", + "name": "DISCONNECTED" + }, + { + "value": "DISCONNECTING", + "name": "DISCONNECTING" + } + ] + } + }, + "com.amazonaws.kms#CreateAlias": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#CreateAliasRequest" + }, + "errors": [ + { + "target": "com.amazonaws.kms#AlreadyExistsException" + }, + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidAliasNameException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#LimitExceededException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Creates a friendly name for a customer master key (CMK). You can use an alias to identify\n a CMK in the AWS KMS console, in the DescribeKey operation and in\n cryptographic operations, such as Encrypt and GenerateDataKey.

\n

You can also change the CMK that's associated with the alias (UpdateAlias) or delete the alias (DeleteAlias) at any time. These operations don't\n affect the underlying CMK.

\n

You can associate the alias with any customer managed CMK in the same AWS Region. Each\n alias is associated with only on CMK at a time, but a CMK can have multiple aliases. A valid\n CMK is required. You can't create an alias without a CMK.

\n

The alias must be unique in the account and Region, but you can have aliases with the same\n name in different Regions. For detailed information about aliases, see Using aliases in the\n AWS Key Management Service Developer Guide.

\n

This operation does not return a response. To get the alias that you created, use the\n ListAliases operation.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on an alias in a different AWS account.

\n \n

\n Required permissions\n

\n \n

For details, see Controlling access to aliases in the AWS Key Management Service Developer Guide.

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#CreateAliasRequest": { + "type": "structure", + "members": { + "AliasName": { + "target": "com.amazonaws.kms#AliasNameType", + "traits": { + "smithy.api#documentation": "

Specifies the alias name. This value must begin with alias/ followed by a\n name, such as alias/ExampleAlias.

\n

The AliasName value must be string of 1-256 characters. It can contain only alphanumeric characters,\n forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with alias/aws/. The alias/aws/ prefix is reserved\n for AWS managed CMKs.

", + "smithy.api#required": {} + } + }, + "TargetKeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Associates the alias with the specified customer managed CMK. The CMK must be\n in the same AWS Region.

\n

A valid CMK ID is required. If you supply a null or empty string value, this operation\n returns an error.

\n

For help finding the key ID and ARN, see Finding the Key ID and\n ARN in the AWS Key Management Service Developer Guide.

\n \n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#CreateCustomKeyStore": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#CreateCustomKeyStoreRequest" + }, + "output": { + "target": "com.amazonaws.kms#CreateCustomKeyStoreResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#CloudHsmClusterInUseException" + }, + { + "target": "com.amazonaws.kms#CloudHsmClusterInvalidConfigurationException" + }, + { + "target": "com.amazonaws.kms#CloudHsmClusterNotActiveException" + }, + { + "target": "com.amazonaws.kms#CloudHsmClusterNotFoundException" + }, + { + "target": "com.amazonaws.kms#CustomKeyStoreNameInUseException" + }, + { + "target": "com.amazonaws.kms#IncorrectTrustAnchorException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + } + ], + "traits": { + "smithy.api#documentation": "

Creates a custom key store that is associated with an AWS CloudHSM cluster that you own and\n manage.

\n

This operation is part of the Custom Key Store feature feature in AWS KMS, which\ncombines the convenience and extensive integration of AWS KMS with the isolation and control of a\nsingle-tenant key store.

\n

Before you create the custom key store, you must assemble\n the required elements, including an AWS CloudHSM cluster that fulfills the requirements for a custom\n key store. For details about the required elements, see Assemble the Prerequisites\n in the AWS Key Management Service Developer Guide.

\n

When the operation completes successfully, it returns the ID of the new custom key store.\n Before you can use your new custom key store, you need to use the ConnectCustomKeyStore operation to connect the new key store to its AWS CloudHSM\n cluster. Even if you are not going to use your custom key store immediately, you might want to\n connect it to verify that all settings are correct and then disconnect it until you are ready\n to use it.

\n

For help with failures, see Troubleshooting a Custom Key Store in the\n AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a custom key store in a different AWS account.

\n

\n Required permissions: kms:CreateCustomKeyStore (IAM policy).

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#CreateCustomKeyStoreRequest": { + "type": "structure", + "members": { + "CustomKeyStoreName": { + "target": "com.amazonaws.kms#CustomKeyStoreNameType", + "traits": { + "smithy.api#documentation": "

Specifies a friendly name for the custom key store. The name must be unique in your AWS\n account.

", + "smithy.api#required": {} + } + }, + "CloudHsmClusterId": { + "target": "com.amazonaws.kms#CloudHsmClusterIdType", + "traits": { + "smithy.api#documentation": "

Identifies the AWS CloudHSM cluster for the custom key store. Enter the cluster ID of any active\n AWS CloudHSM cluster that is not already associated with a custom key store. To find the cluster ID,\n use the DescribeClusters operation.

", + "smithy.api#required": {} + } + }, + "TrustAnchorCertificate": { + "target": "com.amazonaws.kms#TrustAnchorCertificateType", + "traits": { + "smithy.api#documentation": "

Enter the content of the trust anchor certificate for the cluster. This is the content of\n the customerCA.crt file that you created when you initialized the cluster.

", + "smithy.api#required": {} + } + }, + "KeyStorePassword": { + "target": "com.amazonaws.kms#KeyStorePasswordType", + "traits": { + "smithy.api#documentation": "

Enter the password of the \n kmsuser crypto user\n (CU) account in the specified AWS CloudHSM cluster. AWS KMS logs into the cluster as this\n user to manage key material on your behalf.

\n

The password must be a string of 7 to 32 characters. Its value is case sensitive.

\n

This parameter tells AWS KMS the kmsuser account password; it does not change\n the password in the AWS CloudHSM cluster.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#CreateCustomKeyStoreResponse": { + "type": "structure", + "members": { + "CustomKeyStoreId": { + "target": "com.amazonaws.kms#CustomKeyStoreIdType", + "traits": { + "smithy.api#documentation": "

A unique identifier for the new custom key store.

" + } + } + } + }, + "com.amazonaws.kms#CreateGrant": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#CreateGrantRequest" + }, + "output": { + "target": "com.amazonaws.kms#CreateGrantResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#DisabledException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#InvalidGrantTokenException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#LimitExceededException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Adds a grant to a customer master key (CMK). The grant allows the grantee principal to use\n the CMK when the conditions specified in the grant are met. When setting permissions, grants\n are an alternative to key policies.

\n

To create a grant that allows a cryptographic operation only when the request includes a particular\n encryption\n context, use the Constraints parameter. For details, see GrantConstraints.

\n

You can create grants on symmetric and asymmetric CMKs. However, if the grant allows an\n operation that the CMK does not support, CreateGrant fails with a\n ValidationException.

\n\n \n

For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide. For more information about grants, see Grants in the\n \n AWS Key Management Service Developer Guide\n .

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: Yes. To perform this operation on a CMK in a different AWS account, specify the key\n ARN in the value of the KeyId parameter.

\n

\n Required permissions: kms:CreateGrant (key policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#CreateGrantRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The unique identifier for the customer master key (CMK) that the grant applies to.

\n \n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a\ndifferent AWS account, you must use the key ARN.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + }, + "GranteePrincipal": { + "target": "com.amazonaws.kms#PrincipalIdType", + "traits": { + "smithy.api#documentation": "

The principal that is given permission to perform the operations that the grant\n permits.

\n

To specify the principal, use the Amazon Resource Name (ARN) of an AWS\n principal. Valid AWS principals include AWS accounts (root), IAM users, IAM roles, federated\n users, and assumed role users. For examples of the ARN syntax to use for specifying a\n principal, see AWS Identity and Access\n Management (IAM) in the Example ARNs section of the AWS General\n Reference.

", + "smithy.api#required": {} + } + }, + "RetiringPrincipal": { + "target": "com.amazonaws.kms#PrincipalIdType", + "traits": { + "smithy.api#documentation": "

The principal that is given permission to retire the grant by using RetireGrant operation.

\n

To specify the principal, use the Amazon Resource Name (ARN) of an AWS\n principal. Valid AWS principals include AWS accounts (root), IAM users, federated users, and\n assumed role users. For examples of the ARN syntax to use for specifying a principal, see\n AWS Identity and Access Management (IAM) in the Example ARNs section of the\n AWS General Reference.

" + } + }, + "Operations": { + "target": "com.amazonaws.kms#GrantOperationList", + "traits": { + "smithy.api#documentation": "

A list of operations that the grant permits.

", + "smithy.api#required": {} + } + }, + "Constraints": { + "target": "com.amazonaws.kms#GrantConstraints", + "traits": { + "smithy.api#documentation": "

Allows a cryptographic operation only when the encryption context matches or includes the encryption\n context specified in this structure. For more information about encryption context, see Encryption\n Context in the \n AWS Key Management Service Developer Guide\n .

\n

Grant constraints are not applied to operations that do not support an encryption context,\n such as cryptographic operations with asymmetric CMKs and management operations, such as\n DescribeKey or RetireGrant.

" + } + }, + "GrantTokens": { + "target": "com.amazonaws.kms#GrantTokenList", + "traits": { + "smithy.api#documentation": "

A list of grant tokens.

\n

For more information, see Grant Tokens in the\n AWS Key Management Service Developer Guide.

" + } + }, + "Name": { + "target": "com.amazonaws.kms#GrantNameType", + "traits": { + "smithy.api#documentation": "

A friendly name for the grant. Use this value to prevent the unintended\n creation of duplicate grants when retrying this request.

\n

When this value is absent, all CreateGrant requests result in a new grant\n with a unique GrantId even if all the supplied parameters are identical. This can\n result in unintended duplicates when you retry the CreateGrant request.

\n

When this value is present, you can retry a CreateGrant request with\n identical parameters; if the grant already exists, the original GrantId is\n returned without creating a new grant. Note that the returned grant token is unique with every\n CreateGrant request, even when a duplicate GrantId is returned.\n All grant tokens for the same grant ID can be used interchangeably.

" + } + } + } + }, + "com.amazonaws.kms#CreateGrantResponse": { + "type": "structure", + "members": { + "GrantToken": { + "target": "com.amazonaws.kms#GrantTokenType", + "traits": { + "smithy.api#documentation": "

The grant token.

\n

For more information, see Grant Tokens in the\n AWS Key Management Service Developer Guide.

" + } + }, + "GrantId": { + "target": "com.amazonaws.kms#GrantIdType", + "traits": { + "smithy.api#documentation": "

The unique identifier for the grant.

\n

You can use the GrantId in a subsequent RetireGrant or\n RevokeGrant operation.

" + } + } + } + }, + "com.amazonaws.kms#CreateKey": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#CreateKeyRequest" + }, + "output": { + "target": "com.amazonaws.kms#CreateKeyResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#CloudHsmClusterInvalidConfigurationException" + }, + { + "target": "com.amazonaws.kms#CustomKeyStoreInvalidStateException" + }, + { + "target": "com.amazonaws.kms#CustomKeyStoreNotFoundException" + }, + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#LimitExceededException" + }, + { + "target": "com.amazonaws.kms#MalformedPolicyDocumentException" + }, + { + "target": "com.amazonaws.kms#TagException" + }, + { + "target": "com.amazonaws.kms#UnsupportedOperationException" + } + ], + "traits": { + "smithy.api#documentation": "

Creates a unique customer managed customer master key (CMK) in your AWS\n account and Region.

\n\n

You can use the CreateKey operation to create symmetric or asymmetric\n CMKs.

\n \n

For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.

\n\n\n

To create different types of CMKs, use the following guidance:

\n\n
\n
Asymmetric CMKs
\n
\n

To create an asymmetric CMK, use the CustomerMasterKeySpec parameter to\n specify the type of key material in the CMK. Then, use the KeyUsage\n parameter to determine whether the CMK will be used to encrypt and decrypt or sign and\n verify. You can't change these properties after the CMK is created.

\n

\n
\n
Symmetric CMKs
\n
\n

When creating a symmetric CMK, you don't need to specify the\n CustomerMasterKeySpec or KeyUsage parameters. The default\n value for CustomerMasterKeySpec, SYMMETRIC_DEFAULT, and the\n default value for KeyUsage, ENCRYPT_DECRYPT, are the only\n valid values for symmetric CMKs.

\n

\n
\n
Imported Key Material
\n
\n

To import your own key material, begin by creating a symmetric CMK with no key\n material. To do this, use the Origin parameter of CreateKey\n with a value of EXTERNAL. Next, use GetParametersForImport operation to get a public key and import token, and use the public key to encrypt\n your key material. Then, use ImportKeyMaterial with your import token\n to import the key material. For step-by-step instructions, see Importing Key Material in the \n AWS Key Management Service Developer Guide\n . You\n cannot import the key material into an asymmetric CMK.

\n

\n
\n
Custom Key Stores
\n
\n

To create a symmetric CMK in a custom key store, use the\n CustomKeyStoreId parameter to specify the custom key store. You must also\n use the Origin parameter with a value of AWS_CLOUDHSM. The\n AWS CloudHSM cluster that is associated with the custom key store must have at least two active\n HSMs in different Availability Zones in the AWS Region.

\n

You cannot create an asymmetric CMK in a custom key store. For information about\n custom key stores in AWS KMS see Using Custom Key Stores in\n the \n AWS Key Management Service Developer Guide\n .

\n
\n
\n

\n Cross-account use: No. You cannot use this operation to\n create a CMK in a different AWS account.

\n\n

\n Required permissions: kms:CreateKey (IAM policy). To use the\n Tags parameter, kms:TagResource (IAM policy). For examples and information about related\n permissions, see Allow a user to create\n CMKs in the AWS Key Management Service Developer Guide.

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#CreateKeyRequest": { + "type": "structure", + "members": { + "Policy": { + "target": "com.amazonaws.kms#PolicyType", + "traits": { + "smithy.api#documentation": "

The key policy to attach to the CMK.

\n

If you provide a key policy, it must meet the following criteria:

\n \n

If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For\n more information, see Default Key Policy in the\n AWS Key Management Service Developer Guide.

\n

The key policy size quota is 32 kilobytes (32768 bytes).

\n

For help writing and formatting a JSON policy document, see the IAM JSON Policy Reference in the \n IAM User Guide\n .

" + } + }, + "Description": { + "target": "com.amazonaws.kms#DescriptionType", + "traits": { + "smithy.api#documentation": "

A description of the CMK.

\n

Use a description that helps you decide whether the CMK is appropriate for a task.

" + } + }, + "KeyUsage": { + "target": "com.amazonaws.kms#KeyUsageType", + "traits": { + "smithy.api#documentation": "

Determines the cryptographic operations for which you can use the CMK. The default value\n is ENCRYPT_DECRYPT. This parameter is required only for asymmetric CMKs. You\n can't change the KeyUsage value after the CMK is created.

\n

Select only one valid value.

\n " + } + }, + "CustomerMasterKeySpec": { + "target": "com.amazonaws.kms#CustomerMasterKeySpec", + "traits": { + "smithy.api#documentation": "

Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT,\n creates a CMK with a 256-bit symmetric key for encryption and decryption. For help choosing a\n key spec for your CMK, see How to Choose Your CMK\n Configuration in the AWS Key Management Service Developer\n Guide.

\n

The CustomerMasterKeySpec determines whether the CMK contains a symmetric key\n or an asymmetric key pair. It also determines the encryption algorithms or signing algorithms\n that the CMK supports. You can't change the CustomerMasterKeySpec after the CMK\n is created. To further restrict the algorithms that can be used with the CMK, use a condition\n key in its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer\n Guide.

\n \n

\n AWS services that\n are integrated with AWS KMS use symmetric CMKs to protect your data. These\n services do not support asymmetric CMKs. For help determining whether a CMK is symmetric or\n asymmetric, see Identifying Symmetric and Asymmetric\n CMKs in the AWS Key Management Service Developer\n Guide.

\n \n

AWS KMS supports the following key specs for CMKs:

\n " + } + }, + "Origin": { + "target": "com.amazonaws.kms#OriginType", + "traits": { + "smithy.api#documentation": "

The source of the key material for the CMK. You cannot change the origin after you create\n the CMK. The default is AWS_KMS, which means AWS KMS creates the key\n material.

\n

When the parameter value is EXTERNAL, AWS KMS creates a CMK without key\n material so that you can import key material from your existing key management infrastructure.\n For more information about importing key material into AWS KMS, see Importing Key Material in the\n AWS Key Management Service Developer Guide. This value is valid only for symmetric CMKs.

\n

When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS KMS\n custom key store and creates its key material in the associated AWS CloudHSM cluster. You must also\n use the CustomKeyStoreId parameter to identify the custom key store. This value\n is valid only for symmetric CMKs.

" + } + }, + "CustomKeyStoreId": { + "target": "com.amazonaws.kms#CustomKeyStoreIdType", + "traits": { + "smithy.api#documentation": "

Creates the CMK in the specified custom key store and the key material in its associated\n AWS CloudHSM cluster. To create a CMK in a custom key store, you must also specify the\n Origin parameter with a value of AWS_CLOUDHSM. The AWS CloudHSM cluster\n that is associated with the custom key store must have at least two active HSMs, each in a\n different Availability Zone in the Region.

\n

This parameter is valid only for symmetric CMKs. You cannot create an asymmetric CMK in a\n custom key store.

\n

To find the ID of a custom key store, use the DescribeCustomKeyStores operation.

\n

The response includes the custom key store ID and the ID of the AWS CloudHSM cluster.

\n

This operation is part of the Custom Key Store feature feature in AWS KMS, which\ncombines the convenience and extensive integration of AWS KMS with the isolation and control of a\nsingle-tenant key store.

" + } + }, + "BypassPolicyLockoutSafetyCheck": { + "target": "com.amazonaws.kms#BooleanType", + "traits": { + "smithy.api#documentation": "

A flag to indicate whether to bypass the key policy lockout safety check.

\n \n

Setting this value to true increases the risk that the CMK becomes unmanageable. Do not\n set this value to true indiscriminately.

\n

For more information, refer to the scenario in the Default Key Policy section in the \n AWS Key Management Service Developer Guide\n .

\n \n

Use this parameter only when you include a policy in the request and you intend to prevent\n the principal that is making the request from making a subsequent PutKeyPolicy request on the CMK.

\n

The default value is false.

" + } + }, + "Tags": { + "target": "com.amazonaws.kms#TagList", + "traits": { + "smithy.api#documentation": "

One or more tags. Each tag consists of a tag key and a tag value. Both the tag key and the\n tag value are required, but the tag value can be an empty (null) string.

\n

When you add tags to an AWS resource, AWS generates a cost allocation\n report with usage and costs aggregated by tags. For information about adding, changing, deleting and listing tags for CMKs,\n see Tagging Keys.

\n

Use this parameter to tag the CMK when it is created. To add tags to an\n existing CMK, use the TagResource operation.

\n

To use this parameter, you must have kms:TagResource permission in an IAM policy.

" + } + } + } + }, + "com.amazonaws.kms#CreateKeyResponse": { + "type": "structure", + "members": { + "KeyMetadata": { + "target": "com.amazonaws.kms#KeyMetadata", + "traits": { + "smithy.api#documentation": "

Metadata associated with the CMK.

" + } + } + } + }, + "com.amazonaws.kms#CustomKeyStoreHasCMKsException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the custom key store contains AWS KMS customer master keys\n (CMKs). After verifying that you do not need to use the CMKs, use the ScheduleKeyDeletion operation to delete the CMKs. After they are deleted, you\n can delete the custom key store.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#CustomKeyStoreIdType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 64 + } + } + }, + "com.amazonaws.kms#CustomKeyStoreInvalidStateException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because of the ConnectionState of the custom key\n store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.

\n

This exception is thrown under the following conditions:

\n ", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#CustomKeyStoreNameInUseException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the specified custom key store name is already assigned\n to another custom key store in the account. Try again with a custom key store name that is\n unique in the account.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#CustomKeyStoreNameType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 256 + } + } + }, + "com.amazonaws.kms#CustomKeyStoreNotFoundException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because AWS KMS cannot find a custom key store with the specified\n key store name or ID.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#CustomKeyStoresList": { + "type": "list", + "member": { + "target": "com.amazonaws.kms#CustomKeyStoresListEntry" + } + }, + "com.amazonaws.kms#CustomKeyStoresListEntry": { + "type": "structure", + "members": { + "CustomKeyStoreId": { + "target": "com.amazonaws.kms#CustomKeyStoreIdType", + "traits": { + "smithy.api#documentation": "

A unique identifier for the custom key store.

" + } + }, + "CustomKeyStoreName": { + "target": "com.amazonaws.kms#CustomKeyStoreNameType", + "traits": { + "smithy.api#documentation": "

The user-specified friendly name for the custom key store.

" + } + }, + "CloudHsmClusterId": { + "target": "com.amazonaws.kms#CloudHsmClusterIdType", + "traits": { + "smithy.api#documentation": "

A unique identifier for the AWS CloudHSM cluster that is associated with the custom key\n store.

" + } + }, + "TrustAnchorCertificate": { + "target": "com.amazonaws.kms#TrustAnchorCertificateType", + "traits": { + "smithy.api#documentation": "

The trust anchor certificate of the associated AWS CloudHSM cluster. When you initialize the\n cluster, you create this certificate and save it in the customerCA.crt\n file.

" + } + }, + "ConnectionState": { + "target": "com.amazonaws.kms#ConnectionStateType", + "traits": { + "smithy.api#documentation": "

Indicates whether the custom key store is connected to its AWS CloudHSM cluster.

\n

You can create and use CMKs in your custom key stores only when its connection state is\n CONNECTED.

\n

The value is DISCONNECTED if the key store has never been connected or you\n use the DisconnectCustomKeyStore operation to disconnect it. If the value is\n CONNECTED but you are having trouble using the custom key store, make sure that\n its associated AWS CloudHSM cluster is active and contains at least one active HSM.

\n

A value of FAILED indicates that an attempt to connect was unsuccessful. The ConnectionErrorCode field in the response indicates the cause of the failure. For\n help resolving a connection failure, see Troubleshooting a Custom Key Store in the\n AWS Key Management Service Developer Guide.

" + } + }, + "ConnectionErrorCode": { + "target": "com.amazonaws.kms#ConnectionErrorCodeType", + "traits": { + "smithy.api#documentation": "

Describes the connection error. This field appears in the response only when the ConnectionState is FAILED. For help resolving these errors, see How to Fix a Connection Failure in AWS Key Management Service Developer Guide.

\n

Valid values are:

\n " + } + }, + "CreationDate": { + "target": "com.amazonaws.kms#DateType", + "traits": { + "smithy.api#documentation": "

The date and time when the custom key store was created.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Contains information about each custom key store in the custom key store list.

" + } + }, + "com.amazonaws.kms#CustomerMasterKeySpec": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "RSA_2048", + "name": "RSA_2048" + }, + { + "value": "RSA_3072", + "name": "RSA_3072" + }, + { + "value": "RSA_4096", + "name": "RSA_4096" + }, + { + "value": "ECC_NIST_P256", + "name": "ECC_NIST_P256" + }, + { + "value": "ECC_NIST_P384", + "name": "ECC_NIST_P384" + }, + { + "value": "ECC_NIST_P521", + "name": "ECC_NIST_P521" + }, + { + "value": "ECC_SECG_P256K1", + "name": "ECC_SECG_P256K1" + }, + { + "value": "SYMMETRIC_DEFAULT", + "name": "SYMMETRIC_DEFAULT" + } + ] + } + }, + "com.amazonaws.kms#DataKeyPairSpec": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "RSA_2048", + "name": "RSA_2048" + }, + { + "value": "RSA_3072", + "name": "RSA_3072" + }, + { + "value": "RSA_4096", + "name": "RSA_4096" + }, + { + "value": "ECC_NIST_P256", + "name": "ECC_NIST_P256" + }, + { + "value": "ECC_NIST_P384", + "name": "ECC_NIST_P384" + }, + { + "value": "ECC_NIST_P521", + "name": "ECC_NIST_P521" + }, + { + "value": "ECC_SECG_P256K1", + "name": "ECC_SECG_P256K1" + } + ] + } + }, + "com.amazonaws.kms#DataKeySpec": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "AES_256", + "name": "AES_256" + }, + { + "value": "AES_128", + "name": "AES_128" + } + ] + } + }, + "com.amazonaws.kms#DateType": { + "type": "timestamp" + }, + "com.amazonaws.kms#Decrypt": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#DecryptRequest" + }, + "output": { + "target": "com.amazonaws.kms#DecryptResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#DisabledException" + }, + { + "target": "com.amazonaws.kms#IncorrectKeyException" + }, + { + "target": "com.amazonaws.kms#InvalidCiphertextException" + }, + { + "target": "com.amazonaws.kms#InvalidGrantTokenException" + }, + { + "target": "com.amazonaws.kms#InvalidKeyUsageException" + }, + { + "target": "com.amazonaws.kms#KeyUnavailableException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Decrypts ciphertext that was encrypted by a AWS KMS customer master key (CMK) using any of\n the following operations:

\n \n

You can use this operation to decrypt ciphertext that was encrypted under a symmetric or\n asymmetric CMK. When the CMK is asymmetric, you must specify the CMK and the encryption\n algorithm that was used to encrypt the ciphertext. For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.

\n

The Decrypt operation also decrypts ciphertext that was encrypted outside of AWS KMS by the\n public key in an AWS KMS asymmetric CMK. However, it cannot decrypt ciphertext produced by other\n libraries, such as the AWS Encryption\n SDK or Amazon S3 client-side encryption. These libraries return a ciphertext format that\n is incompatible with AWS KMS.

\n

If the ciphertext was encrypted under a symmetric CMK, the KeyId parameter is\n optional. AWS KMS can get this information from metadata that it adds to the symmetric\n ciphertext blob. This feature adds durability to your implementation by ensuring that\n authorized users can decrypt ciphertext decades after it was encrypted, even if they've lost\n track of the CMK ID. However, specifying the CMK is always recommended as a best practice.\n When you use the KeyId parameter to specify a CMK, AWS KMS only uses the CMK you\n specify. If the ciphertext was encrypted under a different CMK, the Decrypt\n operation fails. This practice ensures that you use the CMK that you intend.

\n

Whenever possible, use key policies to give users permission to call the\n Decrypt operation on a particular CMK, instead of using IAM policies.\n Otherwise, you might create an IAM user policy that gives the user Decrypt\n permission on all CMKs. This user could decrypt ciphertext that was encrypted by CMKs in other\n accounts if the key policy for the cross-account CMK permits it. If you must use an IAM policy\n for Decrypt permissions, limit the user to particular CMKs or particular trusted\n accounts. For details, see Best practices for IAM policies in the AWS Key Management Service Developer Guide.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: Yes. You can decrypt a ciphertext\n using a CMK in a different AWS account.

\n \n

\n Required permissions: kms:Decrypt (key policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#DecryptRequest": { + "type": "structure", + "members": { + "CiphertextBlob": { + "target": "com.amazonaws.kms#CiphertextType", + "traits": { + "smithy.api#documentation": "

Ciphertext to be decrypted. The blob includes metadata.

", + "smithy.api#required": {} + } + }, + "EncryptionContext": { + "target": "com.amazonaws.kms#EncryptionContextType", + "traits": { + "smithy.api#documentation": "

Specifies the encryption context to use when decrypting the data.\n An encryption context is valid only for cryptographic operations with a symmetric CMK. The standard asymmetric encryption algorithms that AWS KMS uses do not support an encryption context.

\n

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

\n

For more information, see\n Encryption\n Context in the AWS Key Management Service Developer Guide.

" + } + }, + "GrantTokens": { + "target": "com.amazonaws.kms#GrantTokenList", + "traits": { + "smithy.api#documentation": "

A list of grant tokens.

\n

For more information, see Grant Tokens in the\n AWS Key Management Service Developer Guide.

" + } + }, + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Specifies the customer master key (CMK) that AWS KMS uses to decrypt the ciphertext. Enter a\n key ID of the CMK that was used to encrypt the ciphertext.

\n

This parameter is required only when the ciphertext was encrypted under an asymmetric CMK.\n If you used a symmetric CMK, AWS KMS can get the CMK from metadata that it adds to the\n symmetric ciphertext blob. However, it is always recommended as a best practice. This practice\n ensures that you use the CMK that you intend.

\n \n

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

" + } + }, + "EncryptionAlgorithm": { + "target": "com.amazonaws.kms#EncryptionAlgorithmSpec", + "traits": { + "smithy.api#documentation": "

Specifies the encryption algorithm that will be used to decrypt the ciphertext. Specify\n the same algorithm that was used to encrypt the data. If you specify a different algorithm,\n the Decrypt operation fails.

\n

This parameter is required only when the ciphertext was encrypted under an asymmetric CMK.\n The default value, SYMMETRIC_DEFAULT, represents the only supported algorithm\n that is valid for symmetric CMKs.

" + } + } + } + }, + "com.amazonaws.kms#DecryptResponse": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (key ARN) of the CMK that was used to decrypt the ciphertext.

" + } + }, + "Plaintext": { + "target": "com.amazonaws.kms#PlaintextType", + "traits": { + "smithy.api#documentation": "

Decrypted plaintext data. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

" + } + }, + "EncryptionAlgorithm": { + "target": "com.amazonaws.kms#EncryptionAlgorithmSpec", + "traits": { + "smithy.api#documentation": "

The encryption algorithm that was used to decrypt the ciphertext.

" + } + } + } + }, + "com.amazonaws.kms#DeleteAlias": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#DeleteAliasRequest" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Deletes the specified alias.

\n

Because an alias is not a property of a CMK, you can delete and change the aliases of a\n CMK without affecting the CMK. Also, aliases do not appear in the response from the DescribeKey operation. To get the aliases of all CMKs, use the ListAliases operation.

\n

Each CMK can have multiple aliases. To change the alias of a CMK, use DeleteAlias to delete the current alias and CreateAlias to\n create a new alias. To associate an existing alias with a different customer master key (CMK),\n call UpdateAlias.

\n

\n Cross-account use: No. You cannot perform this operation on an alias in a different AWS account.

\n

\n Required permissions\n

\n \n

For details, see Controlling access to aliases in the AWS Key Management Service Developer Guide.

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#DeleteAliasRequest": { + "type": "structure", + "members": { + "AliasName": { + "target": "com.amazonaws.kms#AliasNameType", + "traits": { + "smithy.api#documentation": "

The alias to be deleted. The alias name must begin with alias/ followed by\n the alias name, such as alias/ExampleAlias.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#DeleteCustomKeyStore": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#DeleteCustomKeyStoreRequest" + }, + "output": { + "target": "com.amazonaws.kms#DeleteCustomKeyStoreResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#CustomKeyStoreHasCMKsException" + }, + { + "target": "com.amazonaws.kms#CustomKeyStoreInvalidStateException" + }, + { + "target": "com.amazonaws.kms#CustomKeyStoreNotFoundException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + } + ], + "traits": { + "smithy.api#documentation": "

Deletes a custom key store. This operation does not delete the AWS CloudHSM cluster that is\n associated with the custom key store, or affect any users or keys in the cluster.

\n

The custom key store that you delete cannot contain any AWS KMS customer master keys (CMKs). Before\n deleting the key store, verify that you will never need to use any of the CMKs in the key\n store for any cryptographic operations. Then, use ScheduleKeyDeletion to\n delete the AWS KMS customer master keys (CMKs) from the key store. When the scheduled waiting\n period expires, the ScheduleKeyDeletion operation deletes the CMKs. Then it makes\n a best effort to delete the key material from the associated cluster. However, you might need\n to manually delete the orphaned key\n material from the cluster and its backups.

\n

After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore to\n disconnect the key store from AWS KMS. Then, you can delete the custom key store.

\n

Instead of deleting the custom key store, consider using DisconnectCustomKeyStore to disconnect it from AWS KMS. While the key store is\n disconnected, you cannot create or use the CMKs in the key store. But, you do not need to\n delete CMKs and you can reconnect a disconnected custom key store at any time.

\n

If the operation succeeds, it returns a JSON object with no\nproperties.

\n

This operation is part of the Custom Key Store feature feature in AWS KMS, which\ncombines the convenience and extensive integration of AWS KMS with the isolation and control of a\nsingle-tenant key store.

\n\n

\n Cross-account use: No. You cannot perform this operation on a custom key store in a different AWS account.

\n \n

\n Required permissions: kms:DeleteCustomKeyStore (IAM policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#DeleteCustomKeyStoreRequest": { + "type": "structure", + "members": { + "CustomKeyStoreId": { + "target": "com.amazonaws.kms#CustomKeyStoreIdType", + "traits": { + "smithy.api#documentation": "

Enter the ID of the custom key store you want to delete. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#DeleteCustomKeyStoreResponse": { + "type": "structure", + "members": {} + }, + "com.amazonaws.kms#DeleteImportedKeyMaterial": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#DeleteImportedKeyMaterialRequest" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + }, + { + "target": "com.amazonaws.kms#UnsupportedOperationException" + } + ], + "traits": { + "smithy.api#documentation": "

Deletes key material that you previously imported. This operation makes the specified\n customer master key (CMK) unusable. For more information about importing key material into\n AWS KMS, see Importing Key\n Material in the AWS Key Management Service Developer Guide.

\n

When the specified CMK is in the PendingDeletion state, this operation does\n not change the CMK's state. Otherwise, it changes the CMK's state to\n PendingImport.

\n

After you delete key material, you can use ImportKeyMaterial to reimport\n the same key material into the CMK.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n \n

\n Required permissions: kms:DeleteImportedKeyMaterial (key policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#DeleteImportedKeyMaterialRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Identifies the CMK from which you are deleting imported key material. The\n Origin of the CMK must be EXTERNAL.

\n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#DependencyTimeoutException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The system timed out while trying to fulfill the request. The request can be\n retried.

", + "smithy.api#error": "server", + "smithy.api#httpError": 503 + } + }, + "com.amazonaws.kms#DescribeCustomKeyStores": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#DescribeCustomKeyStoresRequest" + }, + "output": { + "target": "com.amazonaws.kms#DescribeCustomKeyStoresResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#CustomKeyStoreNotFoundException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + } + ], + "traits": { + "smithy.api#documentation": "

Gets information about custom key stores in the account and region.

\n

This operation is part of the Custom Key Store feature feature in AWS KMS, which\ncombines the convenience and extensive integration of AWS KMS with the isolation and control of a\nsingle-tenant key store.

\n

By default, this operation returns information about all custom key\n stores in the account and region. To get only information about a particular custom key store,\n use either the CustomKeyStoreName or CustomKeyStoreId parameter (but\n not both).

\n

To determine whether the custom key store is connected to its AWS CloudHSM cluster, use the\n ConnectionState element in the response. If an attempt to connect the custom\n key store failed, the ConnectionState value is FAILED and the\n ConnectionErrorCode element in the response indicates the cause of the failure.\n For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry.

\n

Custom key stores have a DISCONNECTED connection state if the key store has\n never been connected or you use the DisconnectCustomKeyStore operation to\n disconnect it. If your custom key store state is CONNECTED but you are having\n trouble using it, make sure that its associated AWS CloudHSM cluster is active and contains the\n minimum number of HSMs required for the operation, if any.

\n

For help repairing your custom key store, see the Troubleshooting Custom Key Stores topic in the\n AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a custom key store in a different AWS account.

\n

\n Required permissions: kms:DescribeCustomKeyStores (IAM policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#DescribeCustomKeyStoresRequest": { + "type": "structure", + "members": { + "CustomKeyStoreId": { + "target": "com.amazonaws.kms#CustomKeyStoreIdType", + "traits": { + "smithy.api#documentation": "

Gets only information about the specified custom key store. Enter the key store ID.

\n

By default, this operation gets information about all custom key stores in the account and\n region. To limit the output to a particular custom key store, you can use either the\n CustomKeyStoreId or CustomKeyStoreName parameter, but not\n both.

" + } + }, + "CustomKeyStoreName": { + "target": "com.amazonaws.kms#CustomKeyStoreNameType", + "traits": { + "smithy.api#documentation": "

Gets only information about the specified custom key store. Enter the friendly name of the\n custom key store.

\n

By default, this operation gets information about all custom key stores in the account and\n region. To limit the output to a particular custom key store, you can use either the\n CustomKeyStoreId or CustomKeyStoreName parameter, but not\n both.

" + } + }, + "Limit": { + "target": "com.amazonaws.kms#LimitType", + "traits": { + "smithy.api#documentation": "

Use this parameter to specify the maximum number of items to return. When this\n value is present, AWS KMS does not return more than the specified number of items, but it might\n return fewer.

" + } + }, + "Marker": { + "target": "com.amazonaws.kms#MarkerType", + "traits": { + "smithy.api#documentation": "

Use this parameter in a subsequent request after you receive a response with\n truncated results. Set it to the value of NextMarker from the truncated response\n you just received.

" + } + } + } + }, + "com.amazonaws.kms#DescribeCustomKeyStoresResponse": { + "type": "structure", + "members": { + "CustomKeyStores": { + "target": "com.amazonaws.kms#CustomKeyStoresList", + "traits": { + "smithy.api#documentation": "

Contains metadata about each custom key store.

" + } + }, + "NextMarker": { + "target": "com.amazonaws.kms#MarkerType", + "traits": { + "smithy.api#documentation": "

When Truncated is true, this element is present and contains the\n value to use for the Marker parameter in a subsequent request.

" + } + }, + "Truncated": { + "target": "com.amazonaws.kms#BooleanType", + "traits": { + "smithy.api#documentation": "

A flag that indicates whether there are more items in the list. When this\n value is true, the list in this response is truncated. To get more items, pass the value of\n the NextMarker element in thisresponse to the Marker parameter in a\n subsequent request.

" + } + } + } + }, + "com.amazonaws.kms#DescribeKey": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#DescribeKeyRequest" + }, + "output": { + "target": "com.amazonaws.kms#DescribeKeyResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Provides detailed information about a customer master key (CMK). You can run\n DescribeKey on a customer managed CMK or an AWS managed\n CMK.

\n

This detailed information includes the key ARN, creation date (and deletion date, if\n applicable), the key state, and the origin and expiration date (if any) of the key material.\n For CMKs in custom key stores, it includes information about the custom key store, such as the\n key store ID and the AWS CloudHSM cluster ID. It includes fields, like KeySpec, that\n help you distinguish symmetric from asymmetric CMKs. It also provides information that is\n particularly important to asymmetric CMKs, such as the key usage (encryption or signing) and\n the encryption algorithms or signing algorithms that the CMK supports.

\n

\n DescribeKey does not return the following information:

\n \n

If you call the DescribeKey operation on a predefined AWS\n alias, that is, an AWS alias with no key ID, AWS KMS creates an AWS managed CMK.\n Then, it associates the alias with the new CMK, and returns the KeyId and\n Arn of the new CMK in the response.

\n

\n Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify\n the key ARN or alias ARN in the value of the KeyId parameter.

\n \n

\n Required permissions: kms:DescribeKey (key policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#DescribeKeyRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Describes the specified customer master key (CMK).

\n

If you specify a predefined AWS alias (an AWS alias with no key ID), KMS associates the\n alias with an AWS\n managed CMK and returns its KeyId and Arn in the\n response.

\n

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

", + "smithy.api#required": {} + } + }, + "GrantTokens": { + "target": "com.amazonaws.kms#GrantTokenList", + "traits": { + "smithy.api#documentation": "

A list of grant tokens.

\n

For more information, see Grant Tokens in the\n AWS Key Management Service Developer Guide.

" + } + } + } + }, + "com.amazonaws.kms#DescribeKeyResponse": { + "type": "structure", + "members": { + "KeyMetadata": { + "target": "com.amazonaws.kms#KeyMetadata", + "traits": { + "smithy.api#documentation": "

Metadata associated with the key.

" + } + } + } + }, + "com.amazonaws.kms#DescriptionType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 8192 + } + } + }, + "com.amazonaws.kms#DisableKey": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#DisableKeyRequest" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Sets the state of a customer master key (CMK) to disabled. This change temporarily\n prevents use of the CMK for cryptographic operations.

\n

For more information about how key state affects the use of a CMK, see How Key State Affects the Use of a\n Customer Master Key in the \n AWS Key Management Service Developer Guide\n .

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n \n

\n Required permissions: kms:DisableKey (key policy)

\n

\n Related operations: EnableKey\n

" + } + }, + "com.amazonaws.kms#DisableKeyRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

A unique identifier for the customer master key (CMK).

\n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#DisableKeyRotation": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#DisableKeyRotationRequest" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#DisabledException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + }, + { + "target": "com.amazonaws.kms#UnsupportedOperationException" + } + ], + "traits": { + "smithy.api#documentation": "

Disables automatic\n rotation of the key material for the specified symmetric customer master key\n (CMK).

\n

You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n \n

\n Required permissions: kms:DisableKeyRotation (key policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#DisableKeyRotationRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Identifies a symmetric customer master key (CMK). You cannot enable or disable automatic\n rotation of asymmetric CMKs, CMKs\n with imported key\n material, or CMKs in a custom key store.

\n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#DisabledException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the specified CMK is not enabled.

", + "smithy.api#error": "client", + "smithy.api#httpError": 409 + } + }, + "com.amazonaws.kms#DisconnectCustomKeyStore": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#DisconnectCustomKeyStoreRequest" + }, + "output": { + "target": "com.amazonaws.kms#DisconnectCustomKeyStoreResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#CustomKeyStoreInvalidStateException" + }, + { + "target": "com.amazonaws.kms#CustomKeyStoreNotFoundException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + } + ], + "traits": { + "smithy.api#documentation": "

Disconnects the custom key store from its associated AWS CloudHSM cluster. While a custom key\n store is disconnected, you can manage the custom key store and its customer master keys\n (CMKs), but you cannot create or use CMKs in the custom key store. You can reconnect the\n custom key store at any time.

\n \n

While a custom key store is disconnected, all attempts to create customer master keys\n (CMKs) in the custom key store or to use existing CMKs in cryptographic operations will\n fail. This action can prevent users from storing and accessing sensitive data.

\n \n

\n

To find the connection state of a custom key store, use the DescribeCustomKeyStores operation. To reconnect a custom key store, use the\n ConnectCustomKeyStore operation.

\n

If the operation succeeds, it returns a JSON object with no\nproperties.

\n

This operation is part of the Custom Key Store feature feature in AWS KMS, which\ncombines the convenience and extensive integration of AWS KMS with the isolation and control of a\nsingle-tenant key store.

\n\n

\n Cross-account use: No. You cannot perform this operation on a custom key store in a different AWS account.

\n \n

\n Required permissions: kms:DisconnectCustomKeyStore (IAM policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#DisconnectCustomKeyStoreRequest": { + "type": "structure", + "members": { + "CustomKeyStoreId": { + "target": "com.amazonaws.kms#CustomKeyStoreIdType", + "traits": { + "smithy.api#documentation": "

Enter the ID of the custom key store you want to disconnect. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#DisconnectCustomKeyStoreResponse": { + "type": "structure", + "members": {} + }, + "com.amazonaws.kms#EnableKey": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#EnableKeyRequest" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#LimitExceededException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Sets the key state of a customer master key (CMK) to enabled. This allows you to use the\n CMK for cryptographic operations.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n \n

\n Required permissions: kms:EnableKey (key policy)

\n

\n Related operations: DisableKey\n

" + } + }, + "com.amazonaws.kms#EnableKeyRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

A unique identifier for the customer master key (CMK).

\n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#EnableKeyRotation": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#EnableKeyRotationRequest" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#DisabledException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + }, + { + "target": "com.amazonaws.kms#UnsupportedOperationException" + } + ], + "traits": { + "smithy.api#documentation": "

Enables automatic rotation\n of the key material for the specified symmetric customer master key (CMK).

\n

You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n \n

\n Required permissions: kms:EnableKeyRotation (key policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#EnableKeyRotationRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Identifies a symmetric customer master key (CMK). You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store.

\n \n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#Encrypt": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#EncryptRequest" + }, + "output": { + "target": "com.amazonaws.kms#EncryptResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#DisabledException" + }, + { + "target": "com.amazonaws.kms#InvalidGrantTokenException" + }, + { + "target": "com.amazonaws.kms#InvalidKeyUsageException" + }, + { + "target": "com.amazonaws.kms#KeyUnavailableException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Encrypts plaintext into ciphertext by using a customer master key (CMK). The\n Encrypt operation has two primary use cases:

\n \n\n

You don't need to use the Encrypt operation to encrypt a data key. The GenerateDataKey and GenerateDataKeyPair operations return a\n plaintext data key and an encrypted copy of that data key.

\n\n

When you encrypt data, you must specify a symmetric or asymmetric CMK to use in the\n encryption operation. The CMK must have a KeyUsage value of\n ENCRYPT_DECRYPT. To find the KeyUsage of a CMK, use the DescribeKey operation.

\n\n

If you use a symmetric CMK, you can use an encryption context to add additional security\n to your encryption operation. If you specify an EncryptionContext when encrypting\n data, you must specify the same encryption context (a case-sensitive exact match) when\n decrypting the data. Otherwise, the request to decrypt fails with an\n InvalidCiphertextException. For more information, see Encryption\n Context in the AWS Key Management Service Developer Guide.

\n

If you specify an asymmetric CMK, you must also specify the encryption algorithm. The\n algorithm must be compatible with the CMK type.

\n \n

When you use an asymmetric CMK to encrypt or reencrypt data, be sure to record the CMK and encryption algorithm that you choose. You will be required to provide the same CMK and encryption algorithm when you decrypt the data. If the CMK and algorithm do not match the values used to encrypt the data, the decrypt operation fails.

\n

You are not required to supply the CMK ID and encryption algorithm when you decrypt with symmetric CMKs because AWS KMS stores this information in the ciphertext blob. AWS KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.

\n \n\n\n

The maximum size of the data that you can encrypt varies with the type of CMK and the\n encryption algorithm that you choose.

\n \n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify\n the key ARN or alias ARN in the value of the KeyId parameter.

\n \n

\n Required permissions: kms:Encrypt (key policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#EncryptRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

A unique identifier for the customer master key (CMK).

\n

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

", + "smithy.api#required": {} + } + }, + "Plaintext": { + "target": "com.amazonaws.kms#PlaintextType", + "traits": { + "smithy.api#documentation": "

Data to be encrypted.

", + "smithy.api#required": {} + } + }, + "EncryptionContext": { + "target": "com.amazonaws.kms#EncryptionContextType", + "traits": { + "smithy.api#documentation": "

Specifies the encryption context that will be used to encrypt the data.\n An encryption context is valid only for cryptographic operations with a symmetric CMK. The standard asymmetric encryption algorithms that AWS KMS uses do not support an encryption context.

\n

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

\n

For more information, see\n Encryption\n Context in the AWS Key Management Service Developer Guide.

" + } + }, + "GrantTokens": { + "target": "com.amazonaws.kms#GrantTokenList", + "traits": { + "smithy.api#documentation": "

A list of grant tokens.

\n

For more information, see Grant Tokens in the\n AWS Key Management Service Developer Guide.

" + } + }, + "EncryptionAlgorithm": { + "target": "com.amazonaws.kms#EncryptionAlgorithmSpec", + "traits": { + "smithy.api#documentation": "

Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext message.\n The algorithm must be compatible with the CMK that you specify.

\n

This parameter is required only for asymmetric CMKs. The default value,\n SYMMETRIC_DEFAULT, is the algorithm used for symmetric CMKs. If you are using\n an asymmetric CMK, we recommend RSAES_OAEP_SHA_256.

" + } + } + } + }, + "com.amazonaws.kms#EncryptResponse": { + "type": "structure", + "members": { + "CiphertextBlob": { + "target": "com.amazonaws.kms#CiphertextType", + "traits": { + "smithy.api#documentation": "

The encrypted plaintext. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

" + } + }, + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (key ARN) of the CMK that was used to encrypt the plaintext.

" + } + }, + "EncryptionAlgorithm": { + "target": "com.amazonaws.kms#EncryptionAlgorithmSpec", + "traits": { + "smithy.api#documentation": "

The encryption algorithm that was used to encrypt the plaintext.

" + } + } + } + }, + "com.amazonaws.kms#EncryptionAlgorithmSpec": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "SYMMETRIC_DEFAULT", + "name": "SYMMETRIC_DEFAULT" + }, + { + "value": "RSAES_OAEP_SHA_1", + "name": "RSAES_OAEP_SHA_1" + }, + { + "value": "RSAES_OAEP_SHA_256", + "name": "RSAES_OAEP_SHA_256" + } + ] + } + }, + "com.amazonaws.kms#EncryptionAlgorithmSpecList": { + "type": "list", + "member": { + "target": "com.amazonaws.kms#EncryptionAlgorithmSpec" + } + }, + "com.amazonaws.kms#EncryptionContextKey": { + "type": "string" + }, + "com.amazonaws.kms#EncryptionContextType": { + "type": "map", + "key": { + "target": "com.amazonaws.kms#EncryptionContextKey" + }, + "value": { + "target": "com.amazonaws.kms#EncryptionContextValue" + } + }, + "com.amazonaws.kms#EncryptionContextValue": { + "type": "string" + }, + "com.amazonaws.kms#ErrorMessageType": { + "type": "string" + }, + "com.amazonaws.kms#ExpirationModelType": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "KEY_MATERIAL_EXPIRES", + "name": "KEY_MATERIAL_EXPIRES" + }, + { + "value": "KEY_MATERIAL_DOES_NOT_EXPIRE", + "name": "KEY_MATERIAL_DOES_NOT_EXPIRE" + } + ] + } + }, + "com.amazonaws.kms#ExpiredImportTokenException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the specified import token is expired. Use GetParametersForImport to get a new import token and public key, use the new\n public key to encrypt the key material, and then try the request again.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#GenerateDataKey": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#GenerateDataKeyRequest" + }, + "output": { + "target": "com.amazonaws.kms#GenerateDataKeyResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#DisabledException" + }, + { + "target": "com.amazonaws.kms#InvalidGrantTokenException" + }, + { + "target": "com.amazonaws.kms#InvalidKeyUsageException" + }, + { + "target": "com.amazonaws.kms#KeyUnavailableException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Generates a unique symmetric data key for client-side encryption. This operation returns a\n plaintext copy of the data key and a copy that is encrypted under a customer master key (CMK)\n that you specify. You can use the plaintext key to encrypt your data outside of AWS KMS and\n store the encrypted data key with the encrypted data.

\n\n

\n GenerateDataKey returns a unique data key for each request. The bytes in the\n plaintext key are not related to the caller or the CMK.

\n\n

To generate a data key, specify the symmetric CMK that will be used to encrypt the data\n key. You cannot use an asymmetric CMK to generate data keys. To get the type of your CMK, use\n the DescribeKey operation. You must also specify the length of the data key.\n Use either the KeySpec or NumberOfBytes parameters (but not both).\n For 128-bit and 256-bit data keys, use the KeySpec parameter.

\n\n

To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key pair, use\n the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operation. To get a cryptographically secure\n random byte string, use GenerateRandom.

\n\n

You can use the optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the\n AWS Key Management Service Developer Guide.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n How to use your data key\n

\n

We recommend that you use the following pattern to encrypt data locally in your application.\n You can write your own code or use a client-side encryption library, such as the AWS Encryption SDK, the Amazon DynamoDB Encryption Client, or\n Amazon S3\n client-side encryption to do these tasks for you.

\n

To encrypt data outside of AWS KMS:

\n
    \n
  1. \n

    Use the GenerateDataKey operation to get a data key.

    \n
    2. \n
  2. \n

    Use the plaintext data key (in the Plaintext field of the response) to\n encrypt your data outside of AWS KMS. Then erase the plaintext data key from memory.

    \n
    3. \n
  3. \n

    Store the encrypted data key (in the CiphertextBlob field of the\n response) with the encrypted data.

    \n
    4. \n
\n

To decrypt data outside of AWS KMS:

\n
    \n
  1. \n

    Use the Decrypt operation to decrypt the encrypted data key. The\n operation returns a plaintext copy of the data key.

    \n
    2. \n
  2. \n

    Use the plaintext data key to decrypt data outside of AWS KMS, then erase the plaintext\n data key from memory.

    \n
    3. \n
\n

\n Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify\n the key ARN or alias ARN in the value of the KeyId parameter.

\n \n

\n Required permissions: kms:GenerateDataKey (key policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#GenerateDataKeyPair": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#GenerateDataKeyPairRequest" + }, + "output": { + "target": "com.amazonaws.kms#GenerateDataKeyPairResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#DisabledException" + }, + { + "target": "com.amazonaws.kms#InvalidGrantTokenException" + }, + { + "target": "com.amazonaws.kms#InvalidKeyUsageException" + }, + { + "target": "com.amazonaws.kms#KeyUnavailableException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + }, + { + "target": "com.amazonaws.kms#UnsupportedOperationException" + } + ], + "traits": { + "smithy.api#documentation": "

Generates a unique asymmetric data key pair. The GenerateDataKeyPair\n operation returns a plaintext public key, a plaintext private key, and a copy of the private\n key that is encrypted under the symmetric CMK you specify. You can use the data key pair to\n perform asymmetric cryptography outside of AWS KMS.

\n\n

\n GenerateDataKeyPair returns a unique data key pair for each request. The\n bytes in the keys are not related to the caller or the CMK that is used to encrypt the private\n key.

\n\n

You can use the public key that GenerateDataKeyPair returns to encrypt data\n or verify a signature outside of AWS KMS. Then, store the encrypted private key with the data.\n When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.

\n\n

To generate a data key pair, you must specify a symmetric customer master key (CMK) to\n encrypt the private key in a data key pair. You cannot use an asymmetric CMK or a CMK in a\n custom key store. To get the type and origin of your CMK, use the DescribeKey operation.

\n\n

If you are using the data key pair to encrypt data, or for any operation where you don't\n immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintext operation.\n GenerateDataKeyPairWithoutPlaintext returns a plaintext public key and an\n encrypted private key, but omits the plaintext private key that you need only to decrypt\n ciphertext or sign a message. Later, when you need to decrypt the data or sign a message, use\n the Decrypt operation to decrypt the encrypted private key in the data key\n pair.

\n\n

You can use the optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the\n AWS Key Management Service Developer Guide.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify\n the key ARN or alias ARN in the value of the KeyId parameter.

\n \n

\n Required permissions: kms:GenerateDataKeyPair (key policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#GenerateDataKeyPairRequest": { + "type": "structure", + "members": { + "EncryptionContext": { + "target": "com.amazonaws.kms#EncryptionContextType", + "traits": { + "smithy.api#documentation": "

Specifies the encryption context that will be used when encrypting the private key in the\n data key pair.

\n

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

\n

For more information, see\n Encryption\n Context in the AWS Key Management Service Developer Guide.

" + } + }, + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Specifies the symmetric CMK that encrypts the private key in the data key pair. You cannot\n specify an asymmetric CMK or a CMK in a custom key store. To get the type and origin of your\n CMK, use the DescribeKey operation.

\n

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

", + "smithy.api#required": {} + } + }, + "KeyPairSpec": { + "target": "com.amazonaws.kms#DataKeyPairSpec", + "traits": { + "smithy.api#documentation": "

Determines the type of data key pair that is generated.

\n

The AWS KMS rule that restricts the use of asymmetric RSA CMKs to encrypt and decrypt or to sign and verify (but not both), and the rule that permits you to use ECC CMKs only to sign and verify, are not effective outside of AWS KMS.

", + "smithy.api#required": {} + } + }, + "GrantTokens": { + "target": "com.amazonaws.kms#GrantTokenList", + "traits": { + "smithy.api#documentation": "

A list of grant tokens.

\n

For more information, see Grant Tokens in the\n AWS Key Management Service Developer Guide.

" + } + } + } + }, + "com.amazonaws.kms#GenerateDataKeyPairResponse": { + "type": "structure", + "members": { + "PrivateKeyCiphertextBlob": { + "target": "com.amazonaws.kms#CiphertextType", + "traits": { + "smithy.api#documentation": "

The encrypted copy of the private key. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

" + } + }, + "PrivateKeyPlaintext": { + "target": "com.amazonaws.kms#PlaintextType", + "traits": { + "smithy.api#documentation": "

The plaintext copy of the private key. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

" + } + }, + "PublicKey": { + "target": "com.amazonaws.kms#PublicKeyType", + "traits": { + "smithy.api#documentation": "

The public key (in plaintext).

" + } + }, + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (key ARN) of the CMK that encrypted the private key.

" + } + }, + "KeyPairSpec": { + "target": "com.amazonaws.kms#DataKeyPairSpec", + "traits": { + "smithy.api#documentation": "

The type of data key pair that was generated.

" + } + } + } + }, + "com.amazonaws.kms#GenerateDataKeyPairWithoutPlaintext": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#GenerateDataKeyPairWithoutPlaintextRequest" + }, + "output": { + "target": "com.amazonaws.kms#GenerateDataKeyPairWithoutPlaintextResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#DisabledException" + }, + { + "target": "com.amazonaws.kms#InvalidGrantTokenException" + }, + { + "target": "com.amazonaws.kms#InvalidKeyUsageException" + }, + { + "target": "com.amazonaws.kms#KeyUnavailableException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + }, + { + "target": "com.amazonaws.kms#UnsupportedOperationException" + } + ], + "traits": { + "smithy.api#documentation": "

Generates a unique asymmetric data key pair. The\n GenerateDataKeyPairWithoutPlaintext operation returns a plaintext public key\n and a copy of the private key that is encrypted under the symmetric CMK you specify. Unlike\n GenerateDataKeyPair, this operation does not return a plaintext private\n key.

\n

To generate a data key pair, you must specify a symmetric customer master key (CMK) to\n encrypt the private key in the data key pair. You cannot use an asymmetric CMK or a CMK in a\n custom key store. To get the type and origin of your CMK, use the KeySpec field\n in the DescribeKey response.

\n

You can use the public key that GenerateDataKeyPairWithoutPlaintext returns\n to encrypt data or verify a signature outside of AWS KMS. Then, store the encrypted private key\n with the data. When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.

\n

\n GenerateDataKeyPairWithoutPlaintext returns a unique data key pair for each\n request. The bytes in the key are not related to the caller or CMK that is used to encrypt the\n private key.

\n\n

You can use the optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the\n AWS Key Management Service Developer Guide.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify\n the key ARN or alias ARN in the value of the KeyId parameter.

\n \n

\n Required permissions: kms:GenerateDataKeyPairWithoutPlaintext (key policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#GenerateDataKeyPairWithoutPlaintextRequest": { + "type": "structure", + "members": { + "EncryptionContext": { + "target": "com.amazonaws.kms#EncryptionContextType", + "traits": { + "smithy.api#documentation": "

Specifies the encryption context that will be used when encrypting the private key in the\n data key pair.

\n

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

\n

For more information, see\n Encryption\n Context in the AWS Key Management Service Developer Guide.

" + } + }, + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Specifies the CMK that encrypts the private key in the data key pair. You must specify a\n symmetric CMK. You cannot use an asymmetric CMK or a CMK in a custom key store. To get the\n type and origin of your CMK, use the DescribeKey operation.

\n

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

", + "smithy.api#required": {} + } + }, + "KeyPairSpec": { + "target": "com.amazonaws.kms#DataKeyPairSpec", + "traits": { + "smithy.api#documentation": "

Determines the type of data key pair that is generated.

\n

The AWS KMS rule that restricts the use of asymmetric RSA CMKs to encrypt and decrypt or to sign and verify (but not both), and the rule that permits you to use ECC CMKs only to sign and verify, are not effective outside of AWS KMS.

", + "smithy.api#required": {} + } + }, + "GrantTokens": { + "target": "com.amazonaws.kms#GrantTokenList", + "traits": { + "smithy.api#documentation": "

A list of grant tokens.

\n

For more information, see Grant Tokens in the\n AWS Key Management Service Developer Guide.

" + } + } + } + }, + "com.amazonaws.kms#GenerateDataKeyPairWithoutPlaintextResponse": { + "type": "structure", + "members": { + "PrivateKeyCiphertextBlob": { + "target": "com.amazonaws.kms#CiphertextType", + "traits": { + "smithy.api#documentation": "

The encrypted copy of the private key. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

" + } + }, + "PublicKey": { + "target": "com.amazonaws.kms#PublicKeyType", + "traits": { + "smithy.api#documentation": "

The public key (in plaintext).

" + } + }, + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (key ARN) of the CMK that encrypted the private key.

" + } + }, + "KeyPairSpec": { + "target": "com.amazonaws.kms#DataKeyPairSpec", + "traits": { + "smithy.api#documentation": "

The type of data key pair that was generated.

" + } + } + } + }, + "com.amazonaws.kms#GenerateDataKeyRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Identifies the symmetric CMK that encrypts the data key.

\n \n

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

", + "smithy.api#required": {} + } + }, + "EncryptionContext": { + "target": "com.amazonaws.kms#EncryptionContextType", + "traits": { + "smithy.api#documentation": "

Specifies the encryption context that will be used when encrypting the data key.

\n

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

\n

For more information, see\n Encryption\n Context in the AWS Key Management Service Developer Guide.

" + } + }, + "NumberOfBytes": { + "target": "com.amazonaws.kms#NumberOfBytesType", + "traits": { + "smithy.api#documentation": "

Specifies the length of the data key in bytes. For example, use the value 64 to generate a\n 512-bit data key (64 bytes is 512 bits). For 128-bit (16-byte) and 256-bit (32-byte) data\n keys, use the KeySpec parameter.

\n

You must specify either the KeySpec or the NumberOfBytes\n parameter (but not both) in every GenerateDataKey request.

" + } + }, + "KeySpec": { + "target": "com.amazonaws.kms#DataKeySpec", + "traits": { + "smithy.api#documentation": "

Specifies the length of the data key. Use AES_128 to generate a 128-bit\n symmetric key, or AES_256 to generate a 256-bit symmetric key.

\n

You must specify either the KeySpec or the NumberOfBytes\n parameter (but not both) in every GenerateDataKey request.

" + } + }, + "GrantTokens": { + "target": "com.amazonaws.kms#GrantTokenList", + "traits": { + "smithy.api#documentation": "

A list of grant tokens.

\n

For more information, see Grant Tokens in the\n AWS Key Management Service Developer Guide.

" + } + } + } + }, + "com.amazonaws.kms#GenerateDataKeyResponse": { + "type": "structure", + "members": { + "CiphertextBlob": { + "target": "com.amazonaws.kms#CiphertextType", + "traits": { + "smithy.api#documentation": "

The encrypted copy of the data key. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

" + } + }, + "Plaintext": { + "target": "com.amazonaws.kms#PlaintextType", + "traits": { + "smithy.api#documentation": "

The plaintext data key. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. Use this data key to encrypt your data outside of\n KMS. Then, remove it from memory as soon as possible.

" + } + }, + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (key ARN) of the CMK that encrypted the data key.

" + } + } + } + }, + "com.amazonaws.kms#GenerateDataKeyWithoutPlaintext": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#GenerateDataKeyWithoutPlaintextRequest" + }, + "output": { + "target": "com.amazonaws.kms#GenerateDataKeyWithoutPlaintextResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#DisabledException" + }, + { + "target": "com.amazonaws.kms#InvalidGrantTokenException" + }, + { + "target": "com.amazonaws.kms#InvalidKeyUsageException" + }, + { + "target": "com.amazonaws.kms#KeyUnavailableException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Generates a unique symmetric data key. This operation returns a data key that is encrypted\n under a customer master key (CMK) that you specify. To request an asymmetric data key pair,\n use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operations.

\n

\n GenerateDataKeyWithoutPlaintext is identical to the GenerateDataKey operation except that returns only the encrypted copy of the\n data key. This operation is useful for systems that need to encrypt data at some point, but\n not immediately. When you need to encrypt the data, you call the Decrypt\n operation on the encrypted copy of the key.

\n

It's also useful in distributed systems with different levels of trust. For example, you\n might store encrypted data in containers. One component of your system creates new containers\n and stores an encrypted data key with each container. Then, a different component puts the\n data into the containers. That component first decrypts the data key, uses the plaintext data\n key to encrypt data, puts the encrypted data into the container, and then destroys the\n plaintext data key. In this system, the component that creates the containers never sees the\n plaintext data key.

\n

\n GenerateDataKeyWithoutPlaintext returns a unique data key for each request.\n The bytes in the keys are not related to the caller or CMK that is used to encrypt the private\n key.

\n\n

To generate a data key, you must specify the symmetric customer master key (CMK) that is\n used to encrypt the data key. You cannot use an asymmetric CMK to generate a data key. To get the type\n of your CMK, use the DescribeKey operation.

\n\n

If the operation succeeds, you will find the encrypted copy of the data key in the\n CiphertextBlob field.

\n\n

You can use the optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the\n AWS Key Management Service Developer Guide.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify\n the key ARN or alias ARN in the value of the KeyId parameter.

\n \n

\n Required permissions: kms:GenerateDataKeyWithoutPlaintext (key policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#GenerateDataKeyWithoutPlaintextRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The identifier of the symmetric customer master key (CMK) that encrypts the data\n key.

\n

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

", + "smithy.api#required": {} + } + }, + "EncryptionContext": { + "target": "com.amazonaws.kms#EncryptionContextType", + "traits": { + "smithy.api#documentation": "

Specifies the encryption context that will be used when encrypting the data key.

\n

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

\n

For more information, see\n Encryption\n Context in the AWS Key Management Service Developer Guide.

" + } + }, + "KeySpec": { + "target": "com.amazonaws.kms#DataKeySpec", + "traits": { + "smithy.api#documentation": "

The length of the data key. Use AES_128 to generate a 128-bit symmetric key,\n or AES_256 to generate a 256-bit symmetric key.

" + } + }, + "NumberOfBytes": { + "target": "com.amazonaws.kms#NumberOfBytesType", + "traits": { + "smithy.api#documentation": "

The length of the data key in bytes. For example, use the value 64 to generate a 512-bit\n data key (64 bytes is 512 bits). For common key lengths (128-bit and 256-bit symmetric keys),\n we recommend that you use the KeySpec field instead of this one.

" + } + }, + "GrantTokens": { + "target": "com.amazonaws.kms#GrantTokenList", + "traits": { + "smithy.api#documentation": "

A list of grant tokens.

\n

For more information, see Grant Tokens in the\n AWS Key Management Service Developer Guide.

" + } + } + } + }, + "com.amazonaws.kms#GenerateDataKeyWithoutPlaintextResponse": { + "type": "structure", + "members": { + "CiphertextBlob": { + "target": "com.amazonaws.kms#CiphertextType", + "traits": { + "smithy.api#documentation": "

The encrypted data key. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

" + } + }, + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (key ARN) of the CMK that encrypted the data key.

" + } + } + } + }, + "com.amazonaws.kms#GenerateRandom": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#GenerateRandomRequest" + }, + "output": { + "target": "com.amazonaws.kms#GenerateRandomResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#CustomKeyStoreInvalidStateException" + }, + { + "target": "com.amazonaws.kms#CustomKeyStoreNotFoundException" + }, + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + } + ], + "traits": { + "smithy.api#documentation": "

Returns a random byte string that is cryptographically secure.

\n

By default, the random byte string is generated in AWS KMS. To generate the byte string in\n the AWS CloudHSM cluster that is associated with a custom key store, specify the custom key store\n ID.

\n

For more information about entropy and random number generation, see the AWS Key Management Service\n Cryptographic Details whitepaper.

\n \n

\n Required permissions: kms:GenerateRandom (IAM policy)

" + } + }, + "com.amazonaws.kms#GenerateRandomRequest": { + "type": "structure", + "members": { + "NumberOfBytes": { + "target": "com.amazonaws.kms#NumberOfBytesType", + "traits": { + "smithy.api#documentation": "

The length of the byte string.

" + } + }, + "CustomKeyStoreId": { + "target": "com.amazonaws.kms#CustomKeyStoreIdType", + "traits": { + "smithy.api#documentation": "

Generates the random byte string in the AWS CloudHSM cluster that is associated with the\n specified custom key store. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.

" + } + } + } + }, + "com.amazonaws.kms#GenerateRandomResponse": { + "type": "structure", + "members": { + "Plaintext": { + "target": "com.amazonaws.kms#PlaintextType", + "traits": { + "smithy.api#documentation": "

The random byte string. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

" + } + } + } + }, + "com.amazonaws.kms#GetKeyPolicy": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#GetKeyPolicyRequest" + }, + "output": { + "target": "com.amazonaws.kms#GetKeyPolicyResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Gets a key policy attached to the specified customer master key (CMK).

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n \n

\n Required permissions: kms:GetKeyPolicy (key policy)

\n

\n Related operations: PutKeyPolicy\n

" + } + }, + "com.amazonaws.kms#GetKeyPolicyRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

A unique identifier for the customer master key (CMK).

\n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + }, + "PolicyName": { + "target": "com.amazonaws.kms#PolicyNameType", + "traits": { + "smithy.api#documentation": "

Specifies the name of the key policy. The only valid name is default. To get\n the names of key policies, use ListKeyPolicies.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#GetKeyPolicyResponse": { + "type": "structure", + "members": { + "Policy": { + "target": "com.amazonaws.kms#PolicyType", + "traits": { + "smithy.api#documentation": "

A key policy document in JSON format.

" + } + } + } + }, + "com.amazonaws.kms#GetKeyRotationStatus": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#GetKeyRotationStatusRequest" + }, + "output": { + "target": "com.amazonaws.kms#GetKeyRotationStatusResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + }, + { + "target": "com.amazonaws.kms#UnsupportedOperationException" + } + ], + "traits": { + "smithy.api#documentation": "

Gets a Boolean value that indicates whether automatic rotation of the key material is\n enabled for the specified customer master key (CMK).

\n

You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store. The key rotation status for these CMKs is always false.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n \n

\n Cross-account use: Yes. To perform this operation on a CMK in a different AWS account, specify the key\n ARN in the value of the KeyId parameter.

\n \n

\n Required permissions: kms:GetKeyRotationStatus (key policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#GetKeyRotationStatusRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

A unique identifier for the customer master key (CMK).

\n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a\ndifferent AWS account, you must use the key ARN.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#GetKeyRotationStatusResponse": { + "type": "structure", + "members": { + "KeyRotationEnabled": { + "target": "com.amazonaws.kms#BooleanType", + "traits": { + "smithy.api#documentation": "

A Boolean value that specifies whether key rotation is enabled.

" + } + } + } + }, + "com.amazonaws.kms#GetParametersForImport": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#GetParametersForImportRequest" + }, + "output": { + "target": "com.amazonaws.kms#GetParametersForImportResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + }, + { + "target": "com.amazonaws.kms#UnsupportedOperationException" + } + ], + "traits": { + "smithy.api#documentation": "

Returns the items you need to import key material into a symmetric, customer managed\n customer master key (CMK). For more information about importing key material into AWS KMS, see\n Importing Key\n Material in the AWS Key Management Service Developer Guide.

\n

This operation returns a public key and an import token. Use the public key to encrypt the\n symmetric key material. Store the import token to send with a subsequent ImportKeyMaterial request.

\n

You must specify the key ID of the symmetric CMK into which you will import key material.\n This CMK's Origin must be EXTERNAL. You must also specify the\n wrapping algorithm and type of wrapping key (public key) that you will use to encrypt the key\n material. You cannot perform this operation on an asymmetric CMK or on any CMK in a different AWS account.

\n

To import key material, you must use the public key and import token from the same\n response. These items are valid for 24 hours. The expiration date and time appear in the\n GetParametersForImport response. You cannot use an expired token in an ImportKeyMaterial request. If your key and token expire, send another\n GetParametersForImport request.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n \n

\n Required permissions: kms:GetParametersForImport (key policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#GetParametersForImportRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The identifier of the symmetric CMK into which you will import key material. The\n Origin of the CMK must be EXTERNAL.

\n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + }, + "WrappingAlgorithm": { + "target": "com.amazonaws.kms#AlgorithmSpec", + "traits": { + "smithy.api#documentation": "

The algorithm you will use to encrypt the key material before importing it with ImportKeyMaterial. For more information, see Encrypt the Key Material\n in the AWS Key Management Service Developer Guide.

", + "smithy.api#required": {} + } + }, + "WrappingKeySpec": { + "target": "com.amazonaws.kms#WrappingKeySpec", + "traits": { + "smithy.api#documentation": "

The type of wrapping key (public key) to return in the response. Only 2048-bit RSA public\n keys are supported.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#GetParametersForImportResponse": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (key ARN) of the CMK to use in a subsequent ImportKeyMaterial\n request. This is the same CMK specified in the GetParametersForImport\n request.

" + } + }, + "ImportToken": { + "target": "com.amazonaws.kms#CiphertextType", + "traits": { + "smithy.api#documentation": "

The import token to send in a subsequent ImportKeyMaterial\n request.

" + } + }, + "PublicKey": { + "target": "com.amazonaws.kms#PlaintextType", + "traits": { + "smithy.api#documentation": "

The public key to use to encrypt the key material before importing it with ImportKeyMaterial.

" + } + }, + "ParametersValidTo": { + "target": "com.amazonaws.kms#DateType", + "traits": { + "smithy.api#documentation": "

The time at which the import token and public key are no longer valid. After this time,\n you cannot use them to make an ImportKeyMaterial request and you must send\n another GetParametersForImport request to get new ones.

" + } + } + } + }, + "com.amazonaws.kms#GetPublicKey": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#GetPublicKeyRequest" + }, + "output": { + "target": "com.amazonaws.kms#GetPublicKeyResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#DisabledException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#InvalidGrantTokenException" + }, + { + "target": "com.amazonaws.kms#InvalidKeyUsageException" + }, + { + "target": "com.amazonaws.kms#KeyUnavailableException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + }, + { + "target": "com.amazonaws.kms#UnsupportedOperationException" + } + ], + "traits": { + "smithy.api#documentation": "

Returns the public key of an asymmetric CMK. Unlike the private key of a asymmetric CMK,\n which never leaves AWS KMS unencrypted, callers with kms:GetPublicKey permission\n can download the public key of an asymmetric CMK. You can share the public key to allow others\n to encrypt messages and verify signatures outside of AWS KMS. For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.

\n

You do not need to download the public key. Instead, you can use the public key within\n AWS KMS by calling the Encrypt, ReEncrypt, or Verify operations with the identifier of an asymmetric CMK. When you use the\n public key within AWS KMS, you benefit from the authentication, authorization, and logging that\n are part of every AWS KMS operation. You also reduce of risk of encrypting data that cannot be\n decrypted. These features are not effective outside of AWS KMS. For details, see Special Considerations\n for Downloading Public Keys.

\n

To help you use the public key safely outside of AWS KMS, GetPublicKey returns\n important information about the public key in the response, including:

\n \n

Although AWS KMS cannot enforce these restrictions on external operations, it is crucial\n that you use this information to prevent the public key from being used improperly. For\n example, you can prevent a public signing key from being used encrypt data, or prevent a\n public key from being used with an encryption algorithm that is not supported by AWS KMS. You\n can also avoid errors, such as using the wrong signing algorithm in a verification\n operation.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify\n the key ARN or alias ARN in the value of the KeyId parameter.

\n \n

\n Required permissions: kms:GetPublicKey (key policy)

\n

\n Related operations: CreateKey\n

" + } + }, + "com.amazonaws.kms#GetPublicKeyRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Identifies the asymmetric CMK that includes the public key.

\n \n

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

", + "smithy.api#required": {} + } + }, + "GrantTokens": { + "target": "com.amazonaws.kms#GrantTokenList", + "traits": { + "smithy.api#documentation": "

A list of grant tokens.

\n

For more information, see Grant Tokens in the\n AWS Key Management Service Developer Guide.

" + } + } + } + }, + "com.amazonaws.kms#GetPublicKeyResponse": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (key ARN) of the asymmetric CMK from which the public key was downloaded.

" + } + }, + "PublicKey": { + "target": "com.amazonaws.kms#PublicKeyType", + "traits": { + "smithy.api#documentation": "

The exported public key.

\n

The value is a DER-encoded X.509 public key, also known as\n SubjectPublicKeyInfo (SPKI), as defined in RFC 5280. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

\n

" + } + }, + "CustomerMasterKeySpec": { + "target": "com.amazonaws.kms#CustomerMasterKeySpec", + "traits": { + "smithy.api#documentation": "

The type of the of the public key that was downloaded.

" + } + }, + "KeyUsage": { + "target": "com.amazonaws.kms#KeyUsageType", + "traits": { + "smithy.api#documentation": "

The permitted use of the public key. Valid values are ENCRYPT_DECRYPT or\n SIGN_VERIFY.

\n

This information is critical. If a public key with SIGN_VERIFY key usage\n encrypts data outside of AWS KMS, the ciphertext cannot be decrypted.

" + } + }, + "EncryptionAlgorithms": { + "target": "com.amazonaws.kms#EncryptionAlgorithmSpecList", + "traits": { + "smithy.api#documentation": "

The encryption algorithms that AWS KMS supports for this key.

\n

This information is critical. If a public key encrypts data outside of AWS KMS by using an\n unsupported encryption algorithm, the ciphertext cannot be decrypted.

\n

This field appears in the response only when the KeyUsage of the public key\n is ENCRYPT_DECRYPT.

" + } + }, + "SigningAlgorithms": { + "target": "com.amazonaws.kms#SigningAlgorithmSpecList", + "traits": { + "smithy.api#documentation": "

The signing algorithms that AWS KMS supports for this key.

\n

This field appears in the response only when the KeyUsage of the public key\n is SIGN_VERIFY.

" + } + } + } + }, + "com.amazonaws.kms#GrantConstraints": { + "type": "structure", + "members": { + "EncryptionContextSubset": { + "target": "com.amazonaws.kms#EncryptionContextType", + "traits": { + "smithy.api#documentation": "

A list of key-value pairs that must be included in the encryption context of the\n cryptographic operation request. The grant allows the cryptographic operation only when the\n encryption context in the request includes the key-value pairs specified in this constraint,\n although it can include additional key-value pairs.

" + } + }, + "EncryptionContextEquals": { + "target": "com.amazonaws.kms#EncryptionContextType", + "traits": { + "smithy.api#documentation": "

A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the\n request is the same as the encryption context specified in this constraint.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Use this structure to allow cryptographic operations in the grant only when the operation request\n includes the specified encryption context.

\n

AWS KMS applies the grant constraints only to cryptographic operations that support an\n encryption context, that is, all cryptographic operations with a symmetric CMK. Grant\n constraints are not applied to operations that do not support an encryption context, such as\n cryptographic operations with asymmetric CMKs and management operations, such as DescribeKey or RetireGrant.

\n \n

In a cryptographic operation, the encryption context in the decryption operation must be\n an exact, case-sensitive match for the keys and values in the encryption context of the\n encryption operation. Only the order of the pairs can vary.

\n

However, in a grant constraint, the key in each key-value pair is not case sensitive,\n but the value is case sensitive.

\n

To avoid confusion, do not use multiple encryption context pairs that differ only by\n case. To require a fully case-sensitive encryption context, use the\n kms:EncryptionContext: and kms:EncryptionContextKeys conditions\n in an IAM or key policy. For details, see kms:EncryptionContext: in the \n AWS Key Management Service Developer Guide\n .

\n " + } + }, + "com.amazonaws.kms#GrantIdType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 128 + } + } + }, + "com.amazonaws.kms#GrantList": { + "type": "list", + "member": { + "target": "com.amazonaws.kms#GrantListEntry" + } + }, + "com.amazonaws.kms#GrantListEntry": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The unique identifier for the customer master key (CMK) to which the grant applies.

" + } + }, + "GrantId": { + "target": "com.amazonaws.kms#GrantIdType", + "traits": { + "smithy.api#documentation": "

The unique identifier for the grant.

" + } + }, + "Name": { + "target": "com.amazonaws.kms#GrantNameType", + "traits": { + "smithy.api#documentation": "

The friendly name that identifies the grant. If a name was provided in the CreateGrant request, that name is returned. Otherwise this value is null.

" + } + }, + "CreationDate": { + "target": "com.amazonaws.kms#DateType", + "traits": { + "smithy.api#documentation": "

The date and time when the grant was created.

" + } + }, + "GranteePrincipal": { + "target": "com.amazonaws.kms#PrincipalIdType", + "traits": { + "smithy.api#documentation": "

The identity that gets the permissions in the grant.

\n

The GranteePrincipal field in the ListGrants response usually contains the\n user or role designated as the grantee principal in the grant. However, when the grantee\n principal in the grant is an AWS service, the GranteePrincipal field contains\n the service\n principal, which might represent several different grantee principals.

" + } + }, + "RetiringPrincipal": { + "target": "com.amazonaws.kms#PrincipalIdType", + "traits": { + "smithy.api#documentation": "

The principal that can retire the grant.

" + } + }, + "IssuingAccount": { + "target": "com.amazonaws.kms#PrincipalIdType", + "traits": { + "smithy.api#documentation": "

The AWS account under which the grant was issued.

" + } + }, + "Operations": { + "target": "com.amazonaws.kms#GrantOperationList", + "traits": { + "smithy.api#documentation": "

The list of operations permitted by the grant.

" + } + }, + "Constraints": { + "target": "com.amazonaws.kms#GrantConstraints", + "traits": { + "smithy.api#documentation": "

A list of key-value pairs that must be present in the encryption context of certain\n subsequent operations that the grant allows.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Contains information about a grant.

" + } + }, + "com.amazonaws.kms#GrantNameType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 256 + }, + "smithy.api#pattern": "^[a-zA-Z0-9:/_-]+$" + } + }, + "com.amazonaws.kms#GrantOperation": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "Decrypt", + "name": "Decrypt" + }, + { + "value": "Encrypt", + "name": "Encrypt" + }, + { + "value": "GenerateDataKey", + "name": "GenerateDataKey" + }, + { + "value": "GenerateDataKeyWithoutPlaintext", + "name": "GenerateDataKeyWithoutPlaintext" + }, + { + "value": "ReEncryptFrom", + "name": "ReEncryptFrom" + }, + { + "value": "ReEncryptTo", + "name": "ReEncryptTo" + }, + { + "value": "Sign", + "name": "Sign" + }, + { + "value": "Verify", + "name": "Verify" + }, + { + "value": "GetPublicKey", + "name": "GetPublicKey" + }, + { + "value": "CreateGrant", + "name": "CreateGrant" + }, + { + "value": "RetireGrant", + "name": "RetireGrant" + }, + { + "value": "DescribeKey", + "name": "DescribeKey" + }, + { + "value": "GenerateDataKeyPair", + "name": "GenerateDataKeyPair" + }, + { + "value": "GenerateDataKeyPairWithoutPlaintext", + "name": "GenerateDataKeyPairWithoutPlaintext" + } + ] + } + }, + "com.amazonaws.kms#GrantOperationList": { + "type": "list", + "member": { + "target": "com.amazonaws.kms#GrantOperation" + } + }, + "com.amazonaws.kms#GrantTokenList": { + "type": "list", + "member": { + "target": "com.amazonaws.kms#GrantTokenType" + }, + "traits": { + "smithy.api#length": { + "min": 0, + "max": 10 + } + } + }, + "com.amazonaws.kms#GrantTokenType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 8192 + } + } + }, + "com.amazonaws.kms#ImportKeyMaterial": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#ImportKeyMaterialRequest" + }, + "output": { + "target": "com.amazonaws.kms#ImportKeyMaterialResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#ExpiredImportTokenException" + }, + { + "target": "com.amazonaws.kms#IncorrectKeyMaterialException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#InvalidCiphertextException" + }, + { + "target": "com.amazonaws.kms#InvalidImportTokenException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + }, + { + "target": "com.amazonaws.kms#UnsupportedOperationException" + } + ], + "traits": { + "smithy.api#documentation": "

Imports key material into an existing symmetric AWS KMS customer master key (CMK) that was\n created without key material. After you successfully import key material into a CMK, you can\n reimport the same key material into that CMK, but you cannot import different key\n material.

\n

You cannot perform this operation on an asymmetric CMK or on any CMK in a different AWS account. For more information about creating CMKs with no key material and\n then importing key material, see Importing Key Material in the\n AWS Key Management Service Developer Guide.

\n

Before using this operation, call GetParametersForImport. Its response\n includes a public key and an import token. Use the public key to encrypt the key material.\n Then, submit the import token from the same GetParametersForImport\n response.

\n

When calling this operation, you must specify the following values:

\n \n

When this operation is successful, the key state of the CMK changes from\n PendingImport to Enabled, and you can use the CMK.

\n

If this operation fails, use the exception to help determine the problem. If the error is\n related to the key material, the import token, or wrapping key, use GetParametersForImport to get a new public key and import token for the CMK and\n repeat the import procedure. For help, see How To Import Key\n Material in the AWS Key Management Service Developer Guide.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n \n

\n Required permissions: kms:ImportKeyMaterial (key policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#ImportKeyMaterialRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The identifier of the symmetric CMK that receives the imported key material. The CMK's\n Origin must be EXTERNAL. This must be the same CMK specified in\n the KeyID parameter of the corresponding GetParametersForImport\n request.

\n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + }, + "ImportToken": { + "target": "com.amazonaws.kms#CiphertextType", + "traits": { + "smithy.api#documentation": "

The import token that you received in the response to a previous GetParametersForImport request. It must be from the same response that contained\n the public key that you used to encrypt the key material.

", + "smithy.api#required": {} + } + }, + "EncryptedKeyMaterial": { + "target": "com.amazonaws.kms#CiphertextType", + "traits": { + "smithy.api#documentation": "

The encrypted key material to import. The key material must be encrypted with the public\n wrapping key that GetParametersForImport returned, using the wrapping\n algorithm that you specified in the same GetParametersForImport request.

", + "smithy.api#required": {} + } + }, + "ValidTo": { + "target": "com.amazonaws.kms#DateType", + "traits": { + "smithy.api#documentation": "

The time at which the imported key material expires. When the key material expires, AWS KMS\n deletes the key material and the CMK becomes unusable. You must omit this parameter when the\n ExpirationModel parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE.\n Otherwise it is required.

" + } + }, + "ExpirationModel": { + "target": "com.amazonaws.kms#ExpirationModelType", + "traits": { + "smithy.api#documentation": "

Specifies whether the key material expires. The default is\n KEY_MATERIAL_EXPIRES, in which case you must include the ValidTo\n parameter. When this parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE, you must\n omit the ValidTo parameter.

" + } + } + } + }, + "com.amazonaws.kms#ImportKeyMaterialResponse": { + "type": "structure", + "members": {} + }, + "com.amazonaws.kms#IncorrectKeyException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the specified CMK cannot decrypt the data. The\n KeyId in a Decrypt request and the SourceKeyId\n in a ReEncrypt request must identify the same CMK that was used to encrypt\n the ciphertext.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#IncorrectKeyMaterialException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the key material in the request is, expired, invalid, or\n is not the same key material that was previously imported into this customer master key\n (CMK).

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#IncorrectTrustAnchorException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the trust anchor certificate in the request is not the\n trust anchor certificate for the specified AWS CloudHSM cluster.

\n

When you initialize the cluster, you create the trust anchor certificate and save it in the\n customerCA.crt file.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#InvalidAliasNameException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the specified alias name is not valid.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#InvalidArnException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because a specified ARN, or an ARN in a key policy, is not\n valid.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#InvalidCiphertextException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

From the Decrypt or ReEncrypt operation, the request\n was rejected because the specified ciphertext, or additional authenticated data incorporated\n into the ciphertext, such as the encryption context, is corrupted, missing, or otherwise\n invalid.

\n

From the ImportKeyMaterial operation, the request was rejected because\n AWS KMS could not decrypt the encrypted (wrapped) key material.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#InvalidGrantIdException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the specified GrantId is not valid.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#InvalidGrantTokenException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the specified grant token is not valid.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#InvalidImportTokenException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the provided import token is invalid or is associated\n with a different customer master key (CMK).

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#InvalidKeyUsageException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected for one of the following reasons:

\n \n

For encrypting, decrypting, re-encrypting, and generating data keys, the\n KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the\n KeyUsage must be SIGN_VERIFY. To find the KeyUsage of\n a CMK, use the DescribeKey operation.

\n

To find the encryption or signing algorithms supported for a particular CMK, use the DescribeKey operation.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#InvalidMarkerException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the marker that specifies where pagination should next\n begin is not valid.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#KMSInternalException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because an internal exception occurred. The request can be\n retried.

", + "smithy.api#error": "server", + "smithy.api#httpError": 500 + } + }, + "com.amazonaws.kms#KMSInvalidSignatureException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the signature verification failed. Signature\n verification fails when it cannot confirm that signature was produced by signing the specified\n message with the specified CMK and signing algorithm.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#KMSInvalidStateException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the state of the specified resource is not valid for this\n request.

\n

For more information about how key state affects the use of a CMK, see How Key State Affects Use of a\n Customer Master Key in the \n AWS Key Management Service Developer Guide\n .

", + "smithy.api#error": "client", + "smithy.api#httpError": 409 + } + }, + "com.amazonaws.kms#KeyIdType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 2048 + } + } + }, + "com.amazonaws.kms#KeyList": { + "type": "list", + "member": { + "target": "com.amazonaws.kms#KeyListEntry" + } + }, + "com.amazonaws.kms#KeyListEntry": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Unique identifier of the key.

" + } + }, + "KeyArn": { + "target": "com.amazonaws.kms#ArnType", + "traits": { + "smithy.api#documentation": "

ARN of the key.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Contains information about each entry in the key list.

" + } + }, + "com.amazonaws.kms#KeyManagerType": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "AWS", + "name": "AWS" + }, + { + "value": "CUSTOMER", + "name": "CUSTOMER" + } + ] + } + }, + "com.amazonaws.kms#KeyMetadata": { + "type": "structure", + "members": { + "AWSAccountId": { + "target": "com.amazonaws.kms#AWSAccountIdType", + "traits": { + "smithy.api#documentation": "

The twelve-digit account ID of the AWS account that owns the CMK.

" + } + }, + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The globally unique identifier for the CMK.

", + "smithy.api#required": {} + } + }, + "Arn": { + "target": "com.amazonaws.kms#ArnType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (ARN) of the CMK. For examples, see AWS Key Management Service\n (AWS KMS) in the Example ARNs section of the AWS General\n Reference.

" + } + }, + "CreationDate": { + "target": "com.amazonaws.kms#DateType", + "traits": { + "smithy.api#documentation": "

The date and time when the CMK was created.

" + } + }, + "Enabled": { + "target": "com.amazonaws.kms#BooleanType", + "traits": { + "smithy.api#documentation": "

Specifies whether the CMK is enabled. When KeyState is Enabled\n this value is true, otherwise it is false.

" + } + }, + "Description": { + "target": "com.amazonaws.kms#DescriptionType", + "traits": { + "smithy.api#documentation": "

The description of the CMK.

" + } + }, + "KeyUsage": { + "target": "com.amazonaws.kms#KeyUsageType", + "traits": { + "smithy.api#documentation": "

The cryptographic operations for which you can use the CMK.

" + } + }, + "KeyState": { + "target": "com.amazonaws.kms#KeyState", + "traits": { + "smithy.api#documentation": "

The current status of the CMK.

\n

For more information about how key state affects the use of a CMK, see Key state: Effect on your CMK in the AWS Key Management Service Developer Guide.

" + } + }, + "DeletionDate": { + "target": "com.amazonaws.kms#DateType", + "traits": { + "smithy.api#documentation": "

The date and time after which AWS KMS deletes the CMK. This value is present only when\n KeyState is PendingDeletion.

" + } + }, + "ValidTo": { + "target": "com.amazonaws.kms#DateType", + "traits": { + "smithy.api#documentation": "

The time at which the imported key material expires. When the key material expires, AWS KMS\n deletes the key material and the CMK becomes unusable. This value is present only for CMKs\n whose Origin is EXTERNAL and whose ExpirationModel is\n KEY_MATERIAL_EXPIRES, otherwise this value is omitted.

" + } + }, + "Origin": { + "target": "com.amazonaws.kms#OriginType", + "traits": { + "smithy.api#documentation": "

The source of the CMK's key material. When this value is AWS_KMS, AWS KMS\n created the key material. When this value is EXTERNAL, the key material was\n imported from your existing key management infrastructure or the CMK lacks key material. When\n this value is AWS_CLOUDHSM, the key material was created in the AWS CloudHSM cluster\n associated with a custom key store.

" + } + }, + "CustomKeyStoreId": { + "target": "com.amazonaws.kms#CustomKeyStoreIdType", + "traits": { + "smithy.api#documentation": "

A unique identifier for the custom key store that contains the CMK. This value is present\n only when the CMK is created in a custom key store.

" + } + }, + "CloudHsmClusterId": { + "target": "com.amazonaws.kms#CloudHsmClusterIdType", + "traits": { + "smithy.api#documentation": "

The cluster ID of the AWS CloudHSM cluster that contains the key material for the CMK. When you\n create a CMK in a custom key store, AWS KMS creates the key material for the CMK in the\n associated AWS CloudHSM cluster. This value is present only when the CMK is created in a custom key\n store.

" + } + }, + "ExpirationModel": { + "target": "com.amazonaws.kms#ExpirationModelType", + "traits": { + "smithy.api#documentation": "

Specifies whether the CMK's key material expires. This value is present only when\n Origin is EXTERNAL, otherwise this value is omitted.

" + } + }, + "KeyManager": { + "target": "com.amazonaws.kms#KeyManagerType", + "traits": { + "smithy.api#documentation": "

The manager of the CMK. CMKs in your AWS account are either customer managed or AWS\n managed. For more information about the difference, see Customer Master Keys in the\n AWS Key Management Service Developer Guide.

" + } + }, + "CustomerMasterKeySpec": { + "target": "com.amazonaws.kms#CustomerMasterKeySpec", + "traits": { + "smithy.api#documentation": "

Describes the type of key material in the CMK.

" + } + }, + "EncryptionAlgorithms": { + "target": "com.amazonaws.kms#EncryptionAlgorithmSpecList", + "traits": { + "smithy.api#documentation": "

The encryption algorithms that the CMK supports. You cannot use the CMK with other\n encryption algorithms within AWS KMS.

\n

This field appears only when the KeyUsage of the CMK is\n ENCRYPT_DECRYPT.

" + } + }, + "SigningAlgorithms": { + "target": "com.amazonaws.kms#SigningAlgorithmSpecList", + "traits": { + "smithy.api#documentation": "

The signing algorithms that the CMK supports. You cannot use the CMK with other\n signing algorithms within AWS KMS.

\n

This field appears only when the KeyUsage of the CMK is\n SIGN_VERIFY.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Contains metadata about a customer master key (CMK).

\n

This data type is used as a response element for the CreateKey and DescribeKey operations.

" + } + }, + "com.amazonaws.kms#KeyState": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "Enabled", + "name": "Enabled" + }, + { + "value": "Disabled", + "name": "Disabled" + }, + { + "value": "PendingDeletion", + "name": "PendingDeletion" + }, + { + "value": "PendingImport", + "name": "PendingImport" + }, + { + "value": "Unavailable", + "name": "Unavailable" + } + ] + } + }, + "com.amazonaws.kms#KeyStorePasswordType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 7, + "max": 32 + }, + "smithy.api#sensitive": {} + } + }, + "com.amazonaws.kms#KeyUnavailableException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the specified CMK was not available. You can retry the\n request.

", + "smithy.api#error": "server", + "smithy.api#httpError": 500 + } + }, + "com.amazonaws.kms#KeyUsageType": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "SIGN_VERIFY", + "name": "SIGN_VERIFY" + }, + { + "value": "ENCRYPT_DECRYPT", + "name": "ENCRYPT_DECRYPT" + } + ] + } + }, + "com.amazonaws.kms#LimitExceededException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because a quota was exceeded. For more information, see Quotas in the\n AWS Key Management Service Developer Guide.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#LimitType": { + "type": "integer", + "traits": { + "smithy.api#box": {}, + "smithy.api#range": { + "min": 1, + "max": 1000 + } + } + }, + "com.amazonaws.kms#ListAliases": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#ListAliasesRequest" + }, + "output": { + "target": "com.amazonaws.kms#ListAliasesResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#InvalidMarkerException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Gets a list of aliases in the caller's AWS account and region. For more information about\n aliases, see CreateAlias.

\n

By default, the ListAliases operation returns all aliases in the account and\n region. To get only the aliases associated with a particular customer master key (CMK), use\n the KeyId parameter.

\n

The ListAliases response can include aliases that you created and associated\n with your customer managed CMKs, and aliases that AWS created and associated with AWS managed\n CMKs in your account. You can recognize AWS aliases because their names have the format\n aws/, such as aws/dynamodb.

\n

The response might also include aliases that have no TargetKeyId field. These\n are predefined aliases that AWS has created but has not yet associated with a CMK. Aliases\n that AWS creates in your account, including predefined aliases, do not count against your\n AWS KMS aliases\n quota.

\n

\n Cross-account use: No. ListAliases does not\n return aliases in other AWS accounts.

\n \n \n

\n Required permissions: kms:ListAliases (IAM policy)

\n

For details, see Controlling access to aliases in the AWS Key Management Service Developer Guide.

\n

\n Related operations:\n

\n ", + "smithy.api#paginated": { + "inputToken": "Marker", + "outputToken": "NextMarker", + "items": "Aliases", + "pageSize": "Limit" + } + } + }, + "com.amazonaws.kms#ListAliasesRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Lists only aliases that are associated with the specified CMK. Enter a CMK in your AWS\n account.

\n

This parameter is optional. If you omit it, ListAliases returns all aliases\n in the account and Region.

\n \n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

" + } + }, + "Limit": { + "target": "com.amazonaws.kms#LimitType", + "traits": { + "smithy.api#documentation": "

Use this parameter to specify the maximum number of items to return. When this\n value is present, AWS KMS does not return more than the specified number of items, but it might\n return fewer.

\n

This value is optional. If you include a value, it must be between 1\n and 100, inclusive. If you do not include a value, it defaults to 50.

" + } + }, + "Marker": { + "target": "com.amazonaws.kms#MarkerType", + "traits": { + "smithy.api#documentation": "

Use this parameter in a subsequent request after you receive a response with\n truncated results. Set it to the value of NextMarker from the truncated response\n you just received.

" + } + } + } + }, + "com.amazonaws.kms#ListAliasesResponse": { + "type": "structure", + "members": { + "Aliases": { + "target": "com.amazonaws.kms#AliasList", + "traits": { + "smithy.api#documentation": "

A list of aliases.

" + } + }, + "NextMarker": { + "target": "com.amazonaws.kms#MarkerType", + "traits": { + "smithy.api#documentation": "

When Truncated is true, this element is present and contains the\n value to use for the Marker parameter in a subsequent request.

" + } + }, + "Truncated": { + "target": "com.amazonaws.kms#BooleanType", + "traits": { + "smithy.api#documentation": "

A flag that indicates whether there are more items in the list. When this\n value is true, the list in this response is truncated. To get more items, pass the value of\n the NextMarker element in thisresponse to the Marker parameter in a\n subsequent request.

" + } + } + } + }, + "com.amazonaws.kms#ListGrants": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#ListGrantsRequest" + }, + "output": { + "target": "com.amazonaws.kms#ListGrantsResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#InvalidMarkerException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Gets a list of all grants for the specified customer master key (CMK).

\n \n

The GranteePrincipal field in the ListGrants response usually contains the\n user or role designated as the grantee principal in the grant. However, when the grantee\n principal in the grant is an AWS service, the GranteePrincipal field contains\n the service\n principal, which might represent several different grantee principals.

\n \n

\n Cross-account use: Yes. To perform this operation on a CMK in a different AWS account, specify the key\n ARN in the value of the KeyId parameter.

\n \n

\n Required permissions: kms:ListGrants (key policy)

\n

\n Related operations:\n

\n ", + "smithy.api#paginated": { + "inputToken": "Marker", + "outputToken": "NextMarker", + "items": "Grants", + "pageSize": "Limit" + } + } + }, + "com.amazonaws.kms#ListGrantsRequest": { + "type": "structure", + "members": { + "Limit": { + "target": "com.amazonaws.kms#LimitType", + "traits": { + "smithy.api#documentation": "

Use this parameter to specify the maximum number of items to return. When this\n value is present, AWS KMS does not return more than the specified number of items, but it might\n return fewer.

\n

This value is optional. If you include a value, it must be between 1\n and 100, inclusive. If you do not include a value, it defaults to 50.

" + } + }, + "Marker": { + "target": "com.amazonaws.kms#MarkerType", + "traits": { + "smithy.api#documentation": "

Use this parameter in a subsequent request after you receive a response with\n truncated results. Set it to the value of NextMarker from the truncated response\n you just received.

" + } + }, + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

A unique identifier for the customer master key (CMK).

\n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a\ndifferent AWS account, you must use the key ARN.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#ListGrantsResponse": { + "type": "structure", + "members": { + "Grants": { + "target": "com.amazonaws.kms#GrantList", + "traits": { + "smithy.api#documentation": "

A list of grants.

" + } + }, + "NextMarker": { + "target": "com.amazonaws.kms#MarkerType", + "traits": { + "smithy.api#documentation": "

When Truncated is true, this element is present and contains the\n value to use for the Marker parameter in a subsequent request.

" + } + }, + "Truncated": { + "target": "com.amazonaws.kms#BooleanType", + "traits": { + "smithy.api#documentation": "

A flag that indicates whether there are more items in the list. When this\n value is true, the list in this response is truncated. To get more items, pass the value of\n the NextMarker element in thisresponse to the Marker parameter in a\n subsequent request.

" + } + } + } + }, + "com.amazonaws.kms#ListKeyPolicies": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#ListKeyPoliciesRequest" + }, + "output": { + "target": "com.amazonaws.kms#ListKeyPoliciesResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Gets the names of the key policies that are attached to a customer master key (CMK). This\n operation is designed to get policy names that you can use in a GetKeyPolicy\n operation. However, the only valid policy name is default.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n \n

\n Required permissions: kms:ListKeyPolicies (key policy)

\n

\n Related operations:\n

\n ", + "smithy.api#paginated": { + "inputToken": "Marker", + "outputToken": "NextMarker", + "items": "PolicyNames", + "pageSize": "Limit" + } + } + }, + "com.amazonaws.kms#ListKeyPoliciesRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

A unique identifier for the customer master key (CMK).

\n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + }, + "Limit": { + "target": "com.amazonaws.kms#LimitType", + "traits": { + "smithy.api#documentation": "

Use this parameter to specify the maximum number of items to return. When this\n value is present, AWS KMS does not return more than the specified number of items, but it might\n return fewer.

\n

This value is optional. If you include a value, it must be between\n 1 and 1000, inclusive. If you do not include a value, it defaults to 100.

\n

Only one policy can be attached to a key.

" + } + }, + "Marker": { + "target": "com.amazonaws.kms#MarkerType", + "traits": { + "smithy.api#documentation": "

Use this parameter in a subsequent request after you receive a response with\n truncated results. Set it to the value of NextMarker from the truncated response\n you just received.

" + } + } + } + }, + "com.amazonaws.kms#ListKeyPoliciesResponse": { + "type": "structure", + "members": { + "PolicyNames": { + "target": "com.amazonaws.kms#PolicyNameList", + "traits": { + "smithy.api#documentation": "

A list of key policy names. The only valid value is default.

" + } + }, + "NextMarker": { + "target": "com.amazonaws.kms#MarkerType", + "traits": { + "smithy.api#documentation": "

When Truncated is true, this element is present and contains the\n value to use for the Marker parameter in a subsequent request.

" + } + }, + "Truncated": { + "target": "com.amazonaws.kms#BooleanType", + "traits": { + "smithy.api#documentation": "

A flag that indicates whether there are more items in the list. When this\n value is true, the list in this response is truncated. To get more items, pass the value of\n the NextMarker element in thisresponse to the Marker parameter in a\n subsequent request.

" + } + } + } + }, + "com.amazonaws.kms#ListKeys": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#ListKeysRequest" + }, + "output": { + "target": "com.amazonaws.kms#ListKeysResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidMarkerException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + } + ], + "traits": { + "smithy.api#documentation": "

Gets a list of all customer master keys (CMKs) in the caller's AWS account and\n Region.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n \n

\n Required permissions: kms:ListKeys (IAM policy)

\n

\n Related operations:\n

\n ", + "smithy.api#paginated": { + "inputToken": "Marker", + "outputToken": "NextMarker", + "items": "Keys", + "pageSize": "Limit" + } + } + }, + "com.amazonaws.kms#ListKeysRequest": { + "type": "structure", + "members": { + "Limit": { + "target": "com.amazonaws.kms#LimitType", + "traits": { + "smithy.api#documentation": "

Use this parameter to specify the maximum number of items to return. When this\n value is present, AWS KMS does not return more than the specified number of items, but it might\n return fewer.

\n

This value is optional. If you include a value, it must be between\n 1 and 1000, inclusive. If you do not include a value, it defaults to 100.

" + } + }, + "Marker": { + "target": "com.amazonaws.kms#MarkerType", + "traits": { + "smithy.api#documentation": "

Use this parameter in a subsequent request after you receive a response with\n truncated results. Set it to the value of NextMarker from the truncated response\n you just received.

" + } + } + } + }, + "com.amazonaws.kms#ListKeysResponse": { + "type": "structure", + "members": { + "Keys": { + "target": "com.amazonaws.kms#KeyList", + "traits": { + "smithy.api#documentation": "

A list of customer master keys (CMKs).

" + } + }, + "NextMarker": { + "target": "com.amazonaws.kms#MarkerType", + "traits": { + "smithy.api#documentation": "

When Truncated is true, this element is present and contains the\n value to use for the Marker parameter in a subsequent request.

" + } + }, + "Truncated": { + "target": "com.amazonaws.kms#BooleanType", + "traits": { + "smithy.api#documentation": "

A flag that indicates whether there are more items in the list. When this\n value is true, the list in this response is truncated. To get more items, pass the value of\n the NextMarker element in thisresponse to the Marker parameter in a\n subsequent request.

" + } + } + } + }, + "com.amazonaws.kms#ListResourceTags": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#ListResourceTagsRequest" + }, + "output": { + "target": "com.amazonaws.kms#ListResourceTagsResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#InvalidMarkerException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Returns all tags on the specified customer master key (CMK).

\n

For general information about tags, including the format and syntax, see Tagging AWS resources in\n the Amazon Web Services General Reference. For information about using\n tags in AWS KMS, see Tagging\n keys.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n \n

\n Required permissions: kms:ListResourceTags (key policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#ListResourceTagsRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

A unique identifier for the customer master key (CMK).

\n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + }, + "Limit": { + "target": "com.amazonaws.kms#LimitType", + "traits": { + "smithy.api#documentation": "

Use this parameter to specify the maximum number of items to return. When this\n value is present, AWS KMS does not return more than the specified number of items, but it might\n return fewer.

\n

This value is optional. If you include a value, it must be between 1 and 50, inclusive. If\n you do not include a value, it defaults to 50.

" + } + }, + "Marker": { + "target": "com.amazonaws.kms#MarkerType", + "traits": { + "smithy.api#documentation": "

Use this parameter in a subsequent request after you receive a response with\n truncated results. Set it to the value of NextMarker from the truncated response\n you just received.

\n

Do not attempt to construct this value. Use only the value of NextMarker from\n the truncated response you just received.

" + } + } + } + }, + "com.amazonaws.kms#ListResourceTagsResponse": { + "type": "structure", + "members": { + "Tags": { + "target": "com.amazonaws.kms#TagList", + "traits": { + "smithy.api#documentation": "

A list of tags. Each tag consists of a tag key and a tag value.

" + } + }, + "NextMarker": { + "target": "com.amazonaws.kms#MarkerType", + "traits": { + "smithy.api#documentation": "

When Truncated is true, this element is present and contains the\n value to use for the Marker parameter in a subsequent request.

\n

Do not assume or infer any information from this value.

" + } + }, + "Truncated": { + "target": "com.amazonaws.kms#BooleanType", + "traits": { + "smithy.api#documentation": "

A flag that indicates whether there are more items in the list. When this\n value is true, the list in this response is truncated. To get more items, pass the value of\n the NextMarker element in thisresponse to the Marker parameter in a\n subsequent request.

" + } + } + } + }, + "com.amazonaws.kms#ListRetirableGrants": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#ListRetirableGrantsRequest" + }, + "output": { + "target": "com.amazonaws.kms#ListGrantsResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#InvalidMarkerException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Returns all grants in which the specified principal is the RetiringPrincipal\n in the grant.

\n

You can specify any principal in your AWS account. The grants that are returned include\n grants for CMKs in your AWS account and other AWS accounts.

\n

You might use this operation to determine which grants you may retire. To retire a grant,\n use the RetireGrant operation.

\n

\n Cross-account use: You must specify a principal in your\n AWS account. However, this operation can return grants in any AWS account. You do not need\n kms:ListRetirableGrants permission (or any other additional permission) in any\n AWS account other than your own.

\n \n

\n Required permissions: kms:ListRetirableGrants (IAM policy) in your AWS\n account.

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#ListRetirableGrantsRequest": { + "type": "structure", + "members": { + "Limit": { + "target": "com.amazonaws.kms#LimitType", + "traits": { + "smithy.api#documentation": "

Use this parameter to specify the maximum number of items to return. When this\n value is present, AWS KMS does not return more than the specified number of items, but it might\n return fewer.

\n

This value is optional. If you include a value, it must be between 1\n and 100, inclusive. If you do not include a value, it defaults to 50.

" + } + }, + "Marker": { + "target": "com.amazonaws.kms#MarkerType", + "traits": { + "smithy.api#documentation": "

Use this parameter in a subsequent request after you receive a response with\n truncated results. Set it to the value of NextMarker from the truncated response\n you just received.

" + } + }, + "RetiringPrincipal": { + "target": "com.amazonaws.kms#PrincipalIdType", + "traits": { + "smithy.api#documentation": "

The retiring principal for which to list grants. Enter a principal in your AWS\n account.

\n

To specify the retiring principal, use the Amazon Resource Name (ARN) of an AWS\n principal. Valid AWS principals include AWS accounts (root), IAM users, federated users, and\n assumed role users. For examples of the ARN syntax for specifying a principal, see AWS\n Identity and Access Management (IAM) in the Example ARNs section of the\n Amazon Web Services General Reference.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#MalformedPolicyDocumentException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the specified policy is not syntactically or semantically\n correct.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#MarkerType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 1024 + }, + "smithy.api#pattern": "[\\u0020-\\u00FF]*" + } + }, + "com.amazonaws.kms#MessageType": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "RAW", + "name": "RAW" + }, + { + "value": "DIGEST", + "name": "DIGEST" + } + ] + } + }, + "com.amazonaws.kms#NotFoundException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the specified entity or resource could not be\n found.

", + "smithy.api#error": "client", + "smithy.api#httpError": 404 + } + }, + "com.amazonaws.kms#NumberOfBytesType": { + "type": "integer", + "traits": { + "smithy.api#box": {}, + "smithy.api#range": { + "min": 1, + "max": 1024 + } + } + }, + "com.amazonaws.kms#OriginType": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "AWS_KMS", + "name": "AWS_KMS" + }, + { + "value": "EXTERNAL", + "name": "EXTERNAL" + }, + { + "value": "AWS_CLOUDHSM", + "name": "AWS_CLOUDHSM" + } + ] + } + }, + "com.amazonaws.kms#PendingWindowInDaysType": { + "type": "integer", + "traits": { + "smithy.api#box": {}, + "smithy.api#range": { + "min": 1, + "max": 365 + } + } + }, + "com.amazonaws.kms#PlaintextType": { + "type": "blob", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 4096 + }, + "smithy.api#sensitive": {} + } + }, + "com.amazonaws.kms#PolicyNameList": { + "type": "list", + "member": { + "target": "com.amazonaws.kms#PolicyNameType" + } + }, + "com.amazonaws.kms#PolicyNameType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 128 + }, + "smithy.api#pattern": "[\\w]+" + } + }, + "com.amazonaws.kms#PolicyType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 131072 + }, + "smithy.api#pattern": "[\\u0009\\u000A\\u000D\\u0020-\\u00FF]+" + } + }, + "com.amazonaws.kms#PrincipalIdType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 256 + }, + "smithy.api#pattern": "^[\\w+=,.@:/-]+$" + } + }, + "com.amazonaws.kms#PublicKeyType": { + "type": "blob", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 8192 + } + } + }, + "com.amazonaws.kms#PutKeyPolicy": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#PutKeyPolicyRequest" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#LimitExceededException" + }, + { + "target": "com.amazonaws.kms#MalformedPolicyDocumentException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + }, + { + "target": "com.amazonaws.kms#UnsupportedOperationException" + } + ], + "traits": { + "smithy.api#documentation": "

Attaches a key policy to the specified customer master key (CMK).

\n

For more information about key policies, see Key Policies in the AWS Key Management Service Developer Guide.\n For help writing and formatting a JSON policy document, see the IAM JSON Policy Reference in the \n IAM User Guide\n . For examples of adding a key policy in multiple programming languages,\n see Setting a key policy in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n \n

\n Required permissions: kms:PutKeyPolicy (key policy)

\n

\n Related operations: GetKeyPolicy\n

" + } + }, + "com.amazonaws.kms#PutKeyPolicyRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

A unique identifier for the customer master key (CMK).

\n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + }, + "PolicyName": { + "target": "com.amazonaws.kms#PolicyNameType", + "traits": { + "smithy.api#documentation": "

The name of the key policy. The only valid value is default.

", + "smithy.api#required": {} + } + }, + "Policy": { + "target": "com.amazonaws.kms#PolicyType", + "traits": { + "smithy.api#documentation": "

The key policy to attach to the CMK.

\n

The key policy must meet the following criteria:

\n \n

The key policy cannot exceed 32 kilobytes (32768 bytes). For more information, see Resource Quotas in the AWS Key Management Service Developer Guide.

", + "smithy.api#required": {} + } + }, + "BypassPolicyLockoutSafetyCheck": { + "target": "com.amazonaws.kms#BooleanType", + "traits": { + "smithy.api#documentation": "

A flag to indicate whether to bypass the key policy lockout safety check.

\n \n

Setting this value to true increases the risk that the CMK becomes unmanageable. Do not\n set this value to true indiscriminately.

\n

For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.

\n \n

Use this parameter only when you intend to prevent the principal that is making the\n request from making a subsequent PutKeyPolicy request on the CMK.

\n

The default value is false.

" + } + } + } + }, + "com.amazonaws.kms#ReEncrypt": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#ReEncryptRequest" + }, + "output": { + "target": "com.amazonaws.kms#ReEncryptResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#DisabledException" + }, + { + "target": "com.amazonaws.kms#IncorrectKeyException" + }, + { + "target": "com.amazonaws.kms#InvalidCiphertextException" + }, + { + "target": "com.amazonaws.kms#InvalidGrantTokenException" + }, + { + "target": "com.amazonaws.kms#InvalidKeyUsageException" + }, + { + "target": "com.amazonaws.kms#KeyUnavailableException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Decrypts ciphertext and then reencrypts it entirely within AWS KMS. You can use this\n operation to change the customer master key (CMK) under which data is encrypted, such as when\n you manually rotate a\n CMK or change the CMK that protects a ciphertext. You can also use it to reencrypt ciphertext\n under the same CMK, such as to change the encryption context of a ciphertext.

\n

The ReEncrypt operation can decrypt ciphertext that was encrypted by using an\n AWS KMS CMK in an AWS KMS operation, such as Encrypt or GenerateDataKey. It can also decrypt ciphertext that was encrypted by using the\n public key of an asymmetric CMK outside of AWS KMS. However, it cannot decrypt ciphertext\n produced by other libraries, such as the AWS Encryption SDK or Amazon S3 client-side encryption.\n These libraries return a ciphertext format that is incompatible with AWS KMS.

\n

When you use the ReEncrypt operation, you need to provide information for the\n decrypt operation and the subsequent encrypt operation.

\n \n \n \n \n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: Yes. The source CMK and destination\n CMK can be in different AWS accounts. Either or both CMKs can be in a different account than\n the caller.

\n\n

\n Required permissions:

\n \n

To permit reencryption from or to a CMK, include the \"kms:ReEncrypt*\"\n permission in your key policy. This permission is\n automatically included in the key policy when you use the console to create a CMK. But you\n must include it manually when you create a CMK programmatically or when you use the PutKeyPolicy operation to set a key policy.

\n \n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#ReEncryptRequest": { + "type": "structure", + "members": { + "CiphertextBlob": { + "target": "com.amazonaws.kms#CiphertextType", + "traits": { + "smithy.api#documentation": "

Ciphertext of the data to reencrypt.

", + "smithy.api#required": {} + } + }, + "SourceEncryptionContext": { + "target": "com.amazonaws.kms#EncryptionContextType", + "traits": { + "smithy.api#documentation": "

Specifies the encryption context to use to decrypt the ciphertext. Enter the same\n encryption context that was used to encrypt the ciphertext.

\n

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

\n

For more information, see\n Encryption\n Context in the AWS Key Management Service Developer Guide.

" + } + }, + "SourceKeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Specifies the customer master key (CMK) that\n AWS KMS will use to decrypt the ciphertext before it is re-encrypted. Enter a key ID of the CMK\n that was used to encrypt the ciphertext.

\n

This parameter is required only when the ciphertext was encrypted under an asymmetric CMK.\n If you used a symmetric CMK, AWS KMS can get the CMK from metadata that it adds to the\n symmetric ciphertext blob. However, it is always recommended as a best practice. This practice\n ensures that you use the CMK that you intend.

\n \n

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

" + } + }, + "DestinationKeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

A unique identifier for the CMK that is used to reencrypt the data. Specify a symmetric or\n asymmetric CMK with a KeyUsage value of ENCRYPT_DECRYPT. To find the\n KeyUsage value of a CMK, use the DescribeKey\n operation.

\n

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

", + "smithy.api#required": {} + } + }, + "DestinationEncryptionContext": { + "target": "com.amazonaws.kms#EncryptionContextType", + "traits": { + "smithy.api#documentation": "

Specifies that encryption context to use when the reencrypting the data.

\n

A destination encryption context is valid only when the destination CMK is a symmetric\n CMK. The standard ciphertext format for asymmetric CMKs does not include fields for\n metadata.

\n

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

\n

For more information, see\n Encryption\n Context in the AWS Key Management Service Developer Guide.

" + } + }, + "SourceEncryptionAlgorithm": { + "target": "com.amazonaws.kms#EncryptionAlgorithmSpec", + "traits": { + "smithy.api#documentation": "

Specifies the encryption algorithm that AWS KMS will use to decrypt the ciphertext before it\n is reencrypted. The default value, SYMMETRIC_DEFAULT, represents the algorithm\n used for symmetric CMKs.

\n

Specify the same algorithm that was used to encrypt the ciphertext. If you specify a\n different algorithm, the decrypt attempt fails.

\n

This parameter is required only when the ciphertext was encrypted under an asymmetric\n CMK.

" + } + }, + "DestinationEncryptionAlgorithm": { + "target": "com.amazonaws.kms#EncryptionAlgorithmSpec", + "traits": { + "smithy.api#documentation": "

Specifies the encryption algorithm that AWS KMS will use to reecrypt the data after it has\n decrypted it. The default value, SYMMETRIC_DEFAULT, represents the encryption\n algorithm used for symmetric CMKs.

\n

This parameter is required only when the destination CMK is an asymmetric CMK.

" + } + }, + "GrantTokens": { + "target": "com.amazonaws.kms#GrantTokenList", + "traits": { + "smithy.api#documentation": "

A list of grant tokens.

\n

For more information, see Grant Tokens in the\n AWS Key Management Service Developer Guide.

" + } + } + } + }, + "com.amazonaws.kms#ReEncryptResponse": { + "type": "structure", + "members": { + "CiphertextBlob": { + "target": "com.amazonaws.kms#CiphertextType", + "traits": { + "smithy.api#documentation": "

The reencrypted data. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

" + } + }, + "SourceKeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Unique identifier of the CMK used to originally encrypt the data.

" + } + }, + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (key ARN) of the CMK that was used to reencrypt the data.

" + } + }, + "SourceEncryptionAlgorithm": { + "target": "com.amazonaws.kms#EncryptionAlgorithmSpec", + "traits": { + "smithy.api#documentation": "

The encryption algorithm that was used to decrypt the ciphertext before it was\n reencrypted.

" + } + }, + "DestinationEncryptionAlgorithm": { + "target": "com.amazonaws.kms#EncryptionAlgorithmSpec", + "traits": { + "smithy.api#documentation": "

The encryption algorithm that was used to reencrypt the data.

" + } + } + } + }, + "com.amazonaws.kms#RetireGrant": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#RetireGrantRequest" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#InvalidGrantIdException" + }, + { + "target": "com.amazonaws.kms#InvalidGrantTokenException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Retires a grant. To clean up, you can retire a grant when you're done using it. You should\n revoke a grant when you intend to actively deny operations that depend on it. The following\n are permitted to call this API:

\n \n

You must identify the grant to retire by its grant token or by a combination of the grant\n ID and the Amazon Resource Name (ARN) of the customer master key (CMK). A grant token is a\n unique variable-length base64-encoded string. A grant ID is a 64 character unique identifier\n of a grant. The CreateGrant operation returns both.

\n \n

\n Cross-account use: Yes. You can retire a grant on a CMK\n in a different AWS account.

\n

\n Required permissions:: Permission to retire a grant is\n specified in the grant. You cannot control access to this operation in a policy. For more\n information, see Using\n grants in the AWS Key Management Service Developer Guide.

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#RetireGrantRequest": { + "type": "structure", + "members": { + "GrantToken": { + "target": "com.amazonaws.kms#GrantTokenType", + "traits": { + "smithy.api#documentation": "

Token that identifies the grant to be retired.

" + } + }, + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (ARN) of the CMK associated with the grant.

\n

For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab\n

" + } + }, + "GrantId": { + "target": "com.amazonaws.kms#GrantIdType", + "traits": { + "smithy.api#documentation": "

Unique identifier of the grant to retire. The grant ID is returned in the response to a\n CreateGrant operation.

\n " + } + } + } + }, + "com.amazonaws.kms#RevokeGrant": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#RevokeGrantRequest" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#InvalidGrantIdException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Revokes the specified grant for the specified customer master key (CMK). You can revoke a\n grant to actively deny operations that depend on it.

\n

\n Cross-account use: Yes. To perform this operation on a CMK in a different AWS account, specify the key\n ARN in the value of the KeyId parameter.

\n \n

\n Required permissions: kms:RevokeGrant (key policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#RevokeGrantRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

A unique identifier for the customer master key associated with the grant.

\n \n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a\ndifferent AWS account, you must use the key ARN.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + }, + "GrantId": { + "target": "com.amazonaws.kms#GrantIdType", + "traits": { + "smithy.api#documentation": "

Identifier of the grant to be revoked.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#ScheduleKeyDeletion": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#ScheduleKeyDeletionRequest" + }, + "output": { + "target": "com.amazonaws.kms#ScheduleKeyDeletionResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Schedules the deletion of a customer master key (CMK). You may provide a waiting period,\n specified in days, before deletion occurs. If you do not provide a waiting period, the default\n period of 30 days is used. When this operation is successful, the key state of the CMK changes\n to PendingDeletion. Before the waiting period ends, you can use CancelKeyDeletion to cancel the deletion of the CMK. After the waiting period\n ends, AWS KMS deletes the CMK and all AWS KMS data associated with it, including all aliases that\n refer to it.

\n \n

Deleting a CMK is a destructive and potentially dangerous operation. When a CMK is\n deleted, all data that was encrypted under the CMK is unrecoverable. To prevent the use of a\n CMK without deleting it, use DisableKey.

\n \n

If you schedule deletion of a CMK from a custom key store, when the waiting period\n expires, ScheduleKeyDeletion deletes the CMK from AWS KMS. Then AWS KMS makes a best\n effort to delete the key material from the associated AWS CloudHSM cluster. However, you might need\n to manually delete the orphaned key\n material from the cluster and its backups.

\n

For more information about scheduling a CMK for deletion, see Deleting Customer Master Keys in the\n AWS Key Management Service Developer Guide.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n \n \n

\n Required permissions: kms:ScheduleKeyDeletion (key policy)

\n

\n Related operations\n

\n " + } + }, + "com.amazonaws.kms#ScheduleKeyDeletionRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The unique identifier of the customer master key (CMK) to delete.

\n \n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + }, + "PendingWindowInDays": { + "target": "com.amazonaws.kms#PendingWindowInDaysType", + "traits": { + "smithy.api#documentation": "

The waiting period, specified in number of days. After the waiting period ends, AWS KMS\n deletes the customer master key (CMK).

\n

This value is optional. If you include a value, it must be between 7 and 30, inclusive. If\n you do not include a value, it defaults to 30.

" + } + } + } + }, + "com.amazonaws.kms#ScheduleKeyDeletionResponse": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (key ARN) of the CMK whose deletion is scheduled.

" + } + }, + "DeletionDate": { + "target": "com.amazonaws.kms#DateType", + "traits": { + "smithy.api#documentation": "

The date and time after which AWS KMS deletes the customer master key (CMK).

" + } + } + } + }, + "com.amazonaws.kms#Sign": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#SignRequest" + }, + "output": { + "target": "com.amazonaws.kms#SignResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#DisabledException" + }, + { + "target": "com.amazonaws.kms#InvalidGrantTokenException" + }, + { + "target": "com.amazonaws.kms#InvalidKeyUsageException" + }, + { + "target": "com.amazonaws.kms#KeyUnavailableException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Creates a digital\n signature for a message or message digest by using the private key in an asymmetric\n CMK. To verify the signature, use the Verify operation, or use the public\n key in the same asymmetric CMK outside of AWS KMS. For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.

\n

Digital signatures are generated and verified by using asymmetric key pair, such as an RSA\n or ECC pair that is represented by an asymmetric customer master key (CMK). The key owner (or\n an authorized user) uses their private key to sign a message. Anyone with the public key can\n verify that the message was signed with that particular private key and that the message\n hasn't changed since it was signed.

\n

To use the Sign operation, provide the following information:

\n \n \n

When signing a message, be sure to record the CMK and the signing algorithm. This\n information is required to verify the signature.

\n \n

To verify the signature that this operation generates, use the Verify\n operation. Or use the GetPublicKey operation to download the public key and\n then use the public key to verify the signature outside of AWS KMS.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify\n the key ARN or alias ARN in the value of the KeyId parameter.

\n \n

\n Required permissions: kms:Sign (key policy)

\n

\n Related operations: Verify\n

" + } + }, + "com.amazonaws.kms#SignRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Identifies an asymmetric CMK. AWS KMS uses the private key in the asymmetric CMK to sign the\n message. The KeyUsage type of the CMK must be SIGN_VERIFY. To find\n the KeyUsage of a CMK, use the DescribeKey operation.

\n \n

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

", + "smithy.api#required": {} + } + }, + "Message": { + "target": "com.amazonaws.kms#PlaintextType", + "traits": { + "smithy.api#documentation": "

Specifies the message or message digest to sign. Messages can be 0-4096 bytes. To sign a\n larger message, provide the message digest.

\n

If you provide a message, AWS KMS generates a hash digest of the message and then signs\n it.

", + "smithy.api#required": {} + } + }, + "MessageType": { + "target": "com.amazonaws.kms#MessageType", + "traits": { + "smithy.api#documentation": "

Tells AWS KMS whether the value of the Message parameter is a message or\n message digest. The default value, RAW, indicates a message. To indicate a message digest,\n enter DIGEST.

" + } + }, + "GrantTokens": { + "target": "com.amazonaws.kms#GrantTokenList", + "traits": { + "smithy.api#documentation": "

A list of grant tokens.

\n

For more information, see Grant Tokens in the\n AWS Key Management Service Developer Guide.

" + } + }, + "SigningAlgorithm": { + "target": "com.amazonaws.kms#SigningAlgorithmSpec", + "traits": { + "smithy.api#documentation": "

Specifies the signing algorithm to use when signing the message.

\n

Choose an algorithm that is compatible with the type and size of the specified asymmetric\n CMK.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#SignResponse": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (key ARN) of the asymmetric CMK that was used to sign the\n message.

" + } + }, + "Signature": { + "target": "com.amazonaws.kms#CiphertextType", + "traits": { + "smithy.api#documentation": "

The cryptographic signature that was generated for the message.

\n \n

When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

" + } + }, + "SigningAlgorithm": { + "target": "com.amazonaws.kms#SigningAlgorithmSpec", + "traits": { + "smithy.api#documentation": "

The signing algorithm that was used to sign the message.

" + } + } + } + }, + "com.amazonaws.kms#SigningAlgorithmSpec": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "RSASSA_PSS_SHA_256", + "name": "RSASSA_PSS_SHA_256" + }, + { + "value": "RSASSA_PSS_SHA_384", + "name": "RSASSA_PSS_SHA_384" + }, + { + "value": "RSASSA_PSS_SHA_512", + "name": "RSASSA_PSS_SHA_512" + }, + { + "value": "RSASSA_PKCS1_V1_5_SHA_256", + "name": "RSASSA_PKCS1_V1_5_SHA_256" + }, + { + "value": "RSASSA_PKCS1_V1_5_SHA_384", + "name": "RSASSA_PKCS1_V1_5_SHA_384" + }, + { + "value": "RSASSA_PKCS1_V1_5_SHA_512", + "name": "RSASSA_PKCS1_V1_5_SHA_512" + }, + { + "value": "ECDSA_SHA_256", + "name": "ECDSA_SHA_256" + }, + { + "value": "ECDSA_SHA_384", + "name": "ECDSA_SHA_384" + }, + { + "value": "ECDSA_SHA_512", + "name": "ECDSA_SHA_512" + } + ] + } + }, + "com.amazonaws.kms#SigningAlgorithmSpecList": { + "type": "list", + "member": { + "target": "com.amazonaws.kms#SigningAlgorithmSpec" + } + }, + "com.amazonaws.kms#Tag": { + "type": "structure", + "members": { + "TagKey": { + "target": "com.amazonaws.kms#TagKeyType", + "traits": { + "smithy.api#documentation": "

The key of the tag.

", + "smithy.api#required": {} + } + }, + "TagValue": { + "target": "com.amazonaws.kms#TagValueType", + "traits": { + "smithy.api#documentation": "

The value of the tag.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

A key-value pair. A tag consists of a tag key and a tag value. Tag keys and tag values are\n both required, but tag values can be empty (null) strings.

\n

For information about the rules that apply to tag keys and tag values, see User-Defined Tag Restrictions in the AWS Billing and Cost Management User\n Guide.

" + } + }, + "com.amazonaws.kms#TagException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because one or more tags are not valid.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#TagKeyList": { + "type": "list", + "member": { + "target": "com.amazonaws.kms#TagKeyType" + } + }, + "com.amazonaws.kms#TagKeyType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 128 + } + } + }, + "com.amazonaws.kms#TagList": { + "type": "list", + "member": { + "target": "com.amazonaws.kms#Tag" + } + }, + "com.amazonaws.kms#TagResource": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#TagResourceRequest" + }, + "errors": [ + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#LimitExceededException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + }, + { + "target": "com.amazonaws.kms#TagException" + } + ], + "traits": { + "smithy.api#documentation": "

Adds or edits tags on a customer managed CMK.

\n

Each tag consists of a tag key and a tag value, both of which are case-sensitive strings.\n The tag value can be an empty (null) string.

\n

To add a tag, specify a new tag key and a tag value. To edit a tag, specify an existing\n tag key and a new tag value.

\n

You can use this operation to tag a customer managed CMK, but you cannot\n tag an AWS\n managed CMK, an AWS owned CMK, or an alias.

\n

For general information about tags, including the format and syntax, see Tagging AWS resources in\n the Amazon Web Services General Reference. For information about using\n tags in AWS KMS, see Tagging\n keys.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n \n

\n Required permissions: kms:TagResource (key policy)

\n

\n Related operations\n

\n " + } + }, + "com.amazonaws.kms#TagResourceRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Identifies a customer managed CMK in the account and Region.

\n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + }, + "Tags": { + "target": "com.amazonaws.kms#TagList", + "traits": { + "smithy.api#documentation": "

One or more tags.

\n

Each tag consists of a tag key and a tag value. The tag value can be an empty (null)\n string.

\n

You cannot have more than one tag on a CMK with the same tag key. If you specify an\n existing tag key with a different tag value, AWS KMS replaces the current tag value with the\n specified one.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#TagValueType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 256 + } + } + }, + "com.amazonaws.kms#TrentService": { + "type": "service", + "version": "2014-11-01", + "operations": [ + { + "target": "com.amazonaws.kms#CancelKeyDeletion" + }, + { + "target": "com.amazonaws.kms#ConnectCustomKeyStore" + }, + { + "target": "com.amazonaws.kms#CreateAlias" + }, + { + "target": "com.amazonaws.kms#CreateCustomKeyStore" + }, + { + "target": "com.amazonaws.kms#CreateGrant" + }, + { + "target": "com.amazonaws.kms#CreateKey" + }, + { + "target": "com.amazonaws.kms#Decrypt" + }, + { + "target": "com.amazonaws.kms#DeleteAlias" + }, + { + "target": "com.amazonaws.kms#DeleteCustomKeyStore" + }, + { + "target": "com.amazonaws.kms#DeleteImportedKeyMaterial" + }, + { + "target": "com.amazonaws.kms#DescribeCustomKeyStores" + }, + { + "target": "com.amazonaws.kms#DescribeKey" + }, + { + "target": "com.amazonaws.kms#DisableKey" + }, + { + "target": "com.amazonaws.kms#DisableKeyRotation" + }, + { + "target": "com.amazonaws.kms#DisconnectCustomKeyStore" + }, + { + "target": "com.amazonaws.kms#EnableKey" + }, + { + "target": "com.amazonaws.kms#EnableKeyRotation" + }, + { + "target": "com.amazonaws.kms#Encrypt" + }, + { + "target": "com.amazonaws.kms#GenerateDataKey" + }, + { + "target": "com.amazonaws.kms#GenerateDataKeyPair" + }, + { + "target": "com.amazonaws.kms#GenerateDataKeyPairWithoutPlaintext" + }, + { + "target": "com.amazonaws.kms#GenerateDataKeyWithoutPlaintext" + }, + { + "target": "com.amazonaws.kms#GenerateRandom" + }, + { + "target": "com.amazonaws.kms#GetKeyPolicy" + }, + { + "target": "com.amazonaws.kms#GetKeyRotationStatus" + }, + { + "target": "com.amazonaws.kms#GetParametersForImport" + }, + { + "target": "com.amazonaws.kms#GetPublicKey" + }, + { + "target": "com.amazonaws.kms#ImportKeyMaterial" + }, + { + "target": "com.amazonaws.kms#ListAliases" + }, + { + "target": "com.amazonaws.kms#ListGrants" + }, + { + "target": "com.amazonaws.kms#ListKeyPolicies" + }, + { + "target": "com.amazonaws.kms#ListKeys" + }, + { + "target": "com.amazonaws.kms#ListResourceTags" + }, + { + "target": "com.amazonaws.kms#ListRetirableGrants" + }, + { + "target": "com.amazonaws.kms#PutKeyPolicy" + }, + { + "target": "com.amazonaws.kms#ReEncrypt" + }, + { + "target": "com.amazonaws.kms#RetireGrant" + }, + { + "target": "com.amazonaws.kms#RevokeGrant" + }, + { + "target": "com.amazonaws.kms#ScheduleKeyDeletion" + }, + { + "target": "com.amazonaws.kms#Sign" + }, + { + "target": "com.amazonaws.kms#TagResource" + }, + { + "target": "com.amazonaws.kms#UntagResource" + }, + { + "target": "com.amazonaws.kms#UpdateAlias" + }, + { + "target": "com.amazonaws.kms#UpdateCustomKeyStore" + }, + { + "target": "com.amazonaws.kms#UpdateKeyDescription" + }, + { + "target": "com.amazonaws.kms#Verify" + } + ], + "traits": { + "aws.api#service": { + "sdkId": "KMS", + "arnNamespace": "kms", + "cloudFormationName": "KMS", + "cloudTrailEventSource": "kms.amazonaws.com" + }, + "aws.auth#sigv4": { + "name": "kms" + }, + "aws.protocols#awsJson1_1": {}, + "smithy.api#documentation": "AWS Key Management Service\n

AWS Key Management Service (AWS KMS) is an encryption and key management web service. This guide describes\n the AWS KMS operations that you can call programmatically. For general information about AWS KMS,\n see the \n AWS Key Management Service Developer Guide\n .

\n \n

AWS provides SDKs that consist of libraries and sample code for various programming\n languages and platforms (Java, Ruby, .Net, macOS, Android, etc.). The SDKs provide a\n convenient way to create programmatic access to AWS KMS and other AWS services. For example,\n the SDKs take care of tasks such as signing requests (see below), managing errors, and\n retrying requests automatically. For more information about the AWS SDKs, including how to\n download and install them, see Tools for Amazon Web\n Services.

\n \n

We recommend that you use the AWS SDKs to make programmatic API calls to AWS KMS.

\n

Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS 1.2. Clients\n must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral\n Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems\n such as Java 7 and later support these modes.

\n

\n Signing Requests\n

\n

Requests must be signed by using an access key ID and a secret access key. We strongly\n recommend that you do not use your AWS account (root) access key ID and\n secret key for everyday work with AWS KMS. Instead, use the access key ID and secret access key\n for an IAM user. You can also use the AWS Security Token Service to generate temporary\n security credentials that you can use to sign requests.

\n

All AWS KMS operations require Signature Version 4.

\n

\n Logging API Requests\n

\n

AWS KMS supports AWS CloudTrail, a service that logs AWS API calls and related events for your AWS\n account and delivers them to an Amazon S3 bucket that you specify. By using the information\n collected by CloudTrail, you can determine what requests were made to AWS KMS, who made the request,\n when it was made, and so on. To learn more about CloudTrail, including how to turn it on and find\n your log files, see the AWS CloudTrail User Guide.

\n

\n Additional Resources\n

\n

For more information about credentials and request signing, see the following:

\n \n

\n Commonly Used API Operations\n

\n

Of the API operations discussed in this guide, the following will prove the most useful\n for most applications. You will likely perform operations other than these, such as creating\n keys and assigning policies, by using the console.

\n ", + "smithy.api#title": "AWS Key Management Service", + "smithy.api#xmlNamespace": { + "uri": "https://trent.amazonaws.com/doc/2014-11-01/" + } + } + }, + "com.amazonaws.kms#TrustAnchorCertificateType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 5000 + } + } + }, + "com.amazonaws.kms#UnsupportedOperationException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.kms#ErrorMessageType" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because a specified parameter is not supported or a specified\n resource is not valid for this operation.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.kms#UntagResource": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#UntagResourceRequest" + }, + "errors": [ + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + }, + { + "target": "com.amazonaws.kms#TagException" + } + ], + "traits": { + "smithy.api#documentation": "

Deletes tags from a customer managed CMK. To delete a tag,\n specify the tag key and the CMK.

\n

When it succeeds, the UntagResource operation doesn't return any output.\n Also, if the specified tag key isn't found on the CMK, it doesn't throw an exception or return\n a response. To confirm that the operation worked, use the ListResourceTags operation.

\n \n

For general information about tags, including the format and syntax, see Tagging AWS resources in\n the Amazon Web Services General Reference. For information about using\n tags in AWS KMS, see Tagging\n keys.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n \n

\n Required permissions: kms:UntagResource (key policy)

\n

\n Related operations\n

\n " + } + }, + "com.amazonaws.kms#UntagResourceRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Identifies the CMK from which you are removing tags.

\n \n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + }, + "TagKeys": { + "target": "com.amazonaws.kms#TagKeyList", + "traits": { + "smithy.api#documentation": "

One or more tag keys. Specify only the tag keys, not the tag values.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#UpdateAlias": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#UpdateAliasRequest" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#LimitExceededException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Associates an existing AWS KMS alias with a different customer master key (CMK). Each alias\n is associated with only one CMK at a time, although a CMK can have multiple aliases. The alias\n and the CMK must be in the same AWS account and region.

\n

The current and new CMK must be the same type (both symmetric or both asymmetric), and\n they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY).\n This restriction prevents errors in code that uses aliases. If you must assign an alias to a\n different type of CMK, use DeleteAlias to delete the old alias and CreateAlias to create a new alias.

\n

You cannot use UpdateAlias to change an alias name. To change an alias name,\n use DeleteAlias to delete the old alias and CreateAlias to\n create a new alias.

\n

Because an alias is not a property of a CMK, you can create, update, and delete the\n aliases of a CMK without affecting the CMK. Also, aliases do not appear in the response from\n the DescribeKey operation. To get the aliases of all CMKs in the account,\n use the ListAliases operation.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n

\n Required permissions\n

\n \n

For details, see Controlling access to aliases in the AWS Key Management Service Developer Guide.

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#UpdateAliasRequest": { + "type": "structure", + "members": { + "AliasName": { + "target": "com.amazonaws.kms#AliasNameType", + "traits": { + "smithy.api#documentation": "

Identifies the alias that is changing its CMK. This value must begin with\n alias/ followed by the alias name, such as alias/ExampleAlias. You\n cannot use UpdateAlias to change the alias name.

", + "smithy.api#required": {} + } + }, + "TargetKeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Identifies the customer managed CMK to associate with the alias. You don't have permission\n to associate an alias with an AWS managed CMK.

\n

The CMK must be in the same AWS account and Region as the alias. Also, the new target CMK\n must be the same type as the current target CMK (both symmetric or both asymmetric) and they\n must have the same key usage.

\n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

\n

To verify that the alias\n is mapped to the correct CMK, use ListAliases.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#UpdateCustomKeyStore": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#UpdateCustomKeyStoreRequest" + }, + "output": { + "target": "com.amazonaws.kms#UpdateCustomKeyStoreResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#CloudHsmClusterInvalidConfigurationException" + }, + { + "target": "com.amazonaws.kms#CloudHsmClusterNotActiveException" + }, + { + "target": "com.amazonaws.kms#CloudHsmClusterNotFoundException" + }, + { + "target": "com.amazonaws.kms#CloudHsmClusterNotRelatedException" + }, + { + "target": "com.amazonaws.kms#CustomKeyStoreInvalidStateException" + }, + { + "target": "com.amazonaws.kms#CustomKeyStoreNameInUseException" + }, + { + "target": "com.amazonaws.kms#CustomKeyStoreNotFoundException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + } + ], + "traits": { + "smithy.api#documentation": "

Changes the properties of a custom key store. Use the CustomKeyStoreId\n parameter to identify the custom key store you want to edit. Use the remaining parameters to\n change the properties of the custom key store.

\n

You can only update a custom key store that is disconnected. To disconnect the custom key\n store, use DisconnectCustomKeyStore. To reconnect the custom key store after\n the update completes, use ConnectCustomKeyStore. To find the connection\n state of a custom key store, use the DescribeCustomKeyStores\n operation.

\n

Use the parameters of UpdateCustomKeyStore to edit your keystore\n settings.

\n \n

If the operation succeeds, it returns a JSON object with no\nproperties.

\n

This operation is part of the Custom Key Store feature feature in AWS KMS, which\ncombines the convenience and extensive integration of AWS KMS with the isolation and control of a\nsingle-tenant key store.

\n\n

\n Cross-account use: No. You cannot perform this operation on a custom key store in a different AWS account.

\n

\n Required permissions: kms:UpdateCustomKeyStore (IAM policy)

\n

\n Related operations:\n

\n " + } + }, + "com.amazonaws.kms#UpdateCustomKeyStoreRequest": { + "type": "structure", + "members": { + "CustomKeyStoreId": { + "target": "com.amazonaws.kms#CustomKeyStoreIdType", + "traits": { + "smithy.api#documentation": "

Identifies the custom key store that you want to update. Enter the ID of the custom key\n store. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.

", + "smithy.api#required": {} + } + }, + "NewCustomKeyStoreName": { + "target": "com.amazonaws.kms#CustomKeyStoreNameType", + "traits": { + "smithy.api#documentation": "

Changes the friendly name of the custom key store to the value that you specify. The\n custom key store name must be unique in the AWS account.

" + } + }, + "KeyStorePassword": { + "target": "com.amazonaws.kms#KeyStorePasswordType", + "traits": { + "smithy.api#documentation": "

Enter the current password of the kmsuser crypto user (CU) in the AWS CloudHSM\n cluster that is associated with the custom key store.

\n

This parameter tells AWS KMS the current password of the kmsuser crypto user\n (CU). It does not set or change the password of any users in the AWS CloudHSM cluster.

" + } + }, + "CloudHsmClusterId": { + "target": "com.amazonaws.kms#CloudHsmClusterIdType", + "traits": { + "smithy.api#documentation": "

Associates the custom key store with a related AWS CloudHSM cluster.

\n

Enter the cluster ID of the cluster that you used to create the custom key store or a\n cluster that shares a backup history and has the same cluster certificate as the original\n cluster. You cannot use this parameter to associate a custom key store with an unrelated\n cluster. In addition, the replacement cluster must fulfill the requirements for\n a cluster associated with a custom key store. To view the cluster certificate of a cluster,\n use the DescribeClusters operation.

" + } + } + } + }, + "com.amazonaws.kms#UpdateCustomKeyStoreResponse": { + "type": "structure", + "members": {} + }, + "com.amazonaws.kms#UpdateKeyDescription": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#UpdateKeyDescriptionRequest" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#InvalidArnException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Updates the description of a customer master key (CMK). To see the description of a CMK,\n use DescribeKey.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

\n \n

\n Required permissions: kms:UpdateKeyDescription (key policy)

\n

\n Related operations\n

\n " + } + }, + "com.amazonaws.kms#UpdateKeyDescriptionRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

A unique identifier for the customer master key (CMK).

\n

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

", + "smithy.api#required": {} + } + }, + "Description": { + "target": "com.amazonaws.kms#DescriptionType", + "traits": { + "smithy.api#documentation": "

New description for the CMK.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.kms#Verify": { + "type": "operation", + "input": { + "target": "com.amazonaws.kms#VerifyRequest" + }, + "output": { + "target": "com.amazonaws.kms#VerifyResponse" + }, + "errors": [ + { + "target": "com.amazonaws.kms#DependencyTimeoutException" + }, + { + "target": "com.amazonaws.kms#DisabledException" + }, + { + "target": "com.amazonaws.kms#InvalidGrantTokenException" + }, + { + "target": "com.amazonaws.kms#InvalidKeyUsageException" + }, + { + "target": "com.amazonaws.kms#KeyUnavailableException" + }, + { + "target": "com.amazonaws.kms#KMSInternalException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidSignatureException" + }, + { + "target": "com.amazonaws.kms#KMSInvalidStateException" + }, + { + "target": "com.amazonaws.kms#NotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Verifies a digital signature that was generated by the Sign operation.

\n

\n

Verification confirms that an authorized user signed the message with the specified CMK\n and signing algorithm, and the message hasn't changed since it was signed. If the signature is\n verified, the value of the SignatureValid field in the response is\n True. If the signature verification fails, the Verify operation\n fails with an KMSInvalidSignatureException exception.

\n

A digital signature is generated by using the private key in an asymmetric CMK. The\n signature is verified by using the public key in the same asymmetric CMK.\n For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.

\n

To verify a digital signature, you can use the Verify operation. Specify the\n same asymmetric CMK, message, and signing algorithm that were used to produce the\n signature.

\n

You can also verify the digital signature by using the public key of the CMK outside of\n AWS KMS. Use the GetPublicKey operation to download the public key in the\n asymmetric CMK and then use the public key to verify the signature outside of AWS KMS. The\n advantage of using the Verify operation is that it is performed within AWS KMS. As\n a result, it's easy to call, the operation is performed within the FIPS boundary, it is logged\n in AWS CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use\n the CMK to verify signatures.

\n

The CMK that you use for this operation must be in a compatible key state. For\ndetails, see How Key State Affects Use\nof a Customer Master Key in the AWS Key Management Service Developer Guide.

\n

\n Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify\n the key ARN or alias ARN in the value of the KeyId parameter.

\n \n

\n Required permissions: kms:Verify (key policy)

\n

\n Related operations: Sign\n

" + } + }, + "com.amazonaws.kms#VerifyRequest": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

Identifies the asymmetric CMK that will be used to verify the signature. This must be the\n same CMK that was used to generate the signature. If you specify a different CMK, the\n signature verification fails.

\n \n

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

\n

For example:

\n \n

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

", + "smithy.api#required": {} + } + }, + "Message": { + "target": "com.amazonaws.kms#PlaintextType", + "traits": { + "smithy.api#documentation": "

Specifies the message that was signed. You can submit a raw message of up to 4096 bytes,\n or a hash digest of the message. If you submit a digest, use the MessageType\n parameter with a value of DIGEST.

\n

If the message specified here is different from the message that was signed, the signature\n verification fails. A message and its hash digest are considered to be the same\n message.

", + "smithy.api#required": {} + } + }, + "MessageType": { + "target": "com.amazonaws.kms#MessageType", + "traits": { + "smithy.api#documentation": "

Tells AWS KMS whether the value of the Message parameter is a message or\n message digest. The default value, RAW, indicates a message. To indicate a message digest,\n enter DIGEST.

\n \n

Use the DIGEST value only when the value of the Message\n parameter is a message digest. If you use the DIGEST value with a raw message,\n the security of the verification operation can be compromised.

\n " + } + }, + "Signature": { + "target": "com.amazonaws.kms#CiphertextType", + "traits": { + "smithy.api#documentation": "

The signature that the Sign operation generated.

", + "smithy.api#required": {} + } + }, + "SigningAlgorithm": { + "target": "com.amazonaws.kms#SigningAlgorithmSpec", + "traits": { + "smithy.api#documentation": "

The signing algorithm that was used to sign the message. If you submit a different\n algorithm, the signature verification fails.

", + "smithy.api#required": {} + } + }, + "GrantTokens": { + "target": "com.amazonaws.kms#GrantTokenList", + "traits": { + "smithy.api#documentation": "

A list of grant tokens.

\n

For more information, see Grant Tokens in the\n AWS Key Management Service Developer Guide.

" + } + } + } + }, + "com.amazonaws.kms#VerifyResponse": { + "type": "structure", + "members": { + "KeyId": { + "target": "com.amazonaws.kms#KeyIdType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (key ARN) of the asymmetric CMK that was used to verify the signature.

" + } + }, + "SignatureValid": { + "target": "com.amazonaws.kms#BooleanType", + "traits": { + "smithy.api#documentation": "

A Boolean value that indicates whether the signature was verified. A value of\n True indicates that the Signature was produced by signing the\n Message with the specified KeyID and\n SigningAlgorithm. If the signature is not verified, the Verify\n operation fails with a KMSInvalidSignatureException exception.

" + } + }, + "SigningAlgorithm": { + "target": "com.amazonaws.kms#SigningAlgorithmSpec", + "traits": { + "smithy.api#documentation": "

The signing algorithm that was used to verify the signature.

" + } + } + } + }, + "com.amazonaws.kms#WrappingKeySpec": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "RSA_2048", + "name": "RSA_2048" + } + ] + } + } + } +} diff --git a/aws/sdk/models/secretsmanager.json b/aws/sdk/models/secretsmanager.json new file mode 100644 index 0000000000000000000000000000000000000000..96aeb6750859081b68c22a0ce7da065049f66938 --- /dev/null +++ b/aws/sdk/models/secretsmanager.json @@ -0,0 +1,2322 @@ +{ + "smithy": "1.0", + "metadata": { + "suppressions": [ + { + "id": "HttpMethodSemantics", + "namespace": "*" + }, + { + "id": "HttpResponseCodeSemantics", + "namespace": "*" + }, + { + "id": "PaginatedTrait", + "namespace": "*" + }, + { + "id": "HttpHeaderTrait", + "namespace": "*" + }, + { + "id": "HttpUriConflict", + "namespace": "*" + }, + { + "id": "Service", + "namespace": "*" + } + ] + }, + "shapes": { + "com.amazonaws.secretsmanager#AutomaticallyRotateAfterDaysType": { + "type": "long", + "traits": { + "smithy.api#range": { + "min": 1, + "max": 1000 + } + } + }, + "com.amazonaws.secretsmanager#BooleanType": { + "type": "boolean" + }, + "com.amazonaws.secretsmanager#CancelRotateSecret": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#CancelRotateSecretRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#CancelRotateSecretResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidParameterException" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidRequestException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Disables automatic scheduled rotation and cancels the rotation of a secret if currently in\n progress.

\n

To re-enable scheduled rotation, call RotateSecret with\n AutomaticallyRotateAfterDays set to a value greater than 0. This immediately\n rotates your secret and then enables the automatic schedule.

\n \n

If you cancel a rotation while in progress, it can leave the VersionStage\n labels in an unexpected state. Depending on the step of the rotation in progress, you might\n need to remove the staging label AWSPENDING from the partially created version, specified\n by the VersionId response value. You should also evaluate the partially rotated\n new version to see if it should be deleted, which you can do by removing all staging labels\n from the new version VersionStage field.

\n \n

To successfully start a rotation, the staging label AWSPENDING must be in one of the\n following states:

\n \n

If the staging label AWSPENDING attached to a different version than the version with\n AWSCURRENT then the attempt to rotate fails.

\n\n

\n Minimum permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n " + } + }, + "com.amazonaws.secretsmanager#CancelRotateSecretRequest": { + "type": "structure", + "members": { + "SecretId": { + "target": "com.amazonaws.secretsmanager#SecretIdType", + "traits": { + "smithy.api#documentation": "

Specifies the secret to cancel a rotation request. You can specify either the Amazon\n Resource Name (ARN) or the friendly name of the secret.

\n \n

If you specify an ARN, we generally recommend that you specify a complete ARN. You can \n specify a partial ARN too—for example, if you don’t include the final hyphen and six random \n characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN \n match can work as long as it uniquely matches only one secret. However, if your secret has a \n name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six \n characters to the ARN) and you try to use that as a partial ARN, then those characters cause \n Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected \n results. To avoid this situation, we recommend that you don’t create secret names ending \n with a hyphen followed by six characters.

\n

If you specify an incomplete ARN without the random suffix, and instead provide the \n 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, \n you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

\n ", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.secretsmanager#CancelRotateSecretResponse": { + "type": "structure", + "members": { + "ARN": { + "target": "com.amazonaws.secretsmanager#SecretARNType", + "traits": { + "smithy.api#documentation": "

The ARN of the secret for which rotation was canceled.

" + } + }, + "VersionId": { + "target": "com.amazonaws.secretsmanager#SecretVersionIdType", + "traits": { + "smithy.api#documentation": "

The unique identifier of the version of the secret created during the rotation. This\n version might not be complete, and should be evaluated for possible deletion. At the very\n least, you should remove the VersionStage value AWSPENDING to enable this\n version to be deleted. Failing to clean up a cancelled rotation can block you from\n successfully starting future rotations.

" + } + }, + "Name": { + "target": "com.amazonaws.secretsmanager#SecretNameType", + "traits": { + "smithy.api#documentation": "

The friendly name of the secret for which rotation was canceled.

" + } + } + } + }, + "com.amazonaws.secretsmanager#ClientRequestTokenType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 32, + "max": 64 + } + } + }, + "com.amazonaws.secretsmanager#CreateSecret": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#CreateSecretRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#CreateSecretResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#EncryptionFailure" + }, + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidParameterException" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidRequestException" + }, + { + "target": "com.amazonaws.secretsmanager#LimitExceededException" + }, + { + "target": "com.amazonaws.secretsmanager#MalformedPolicyDocumentException" + }, + { + "target": "com.amazonaws.secretsmanager#PreconditionNotMetException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceExistsException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Creates a new secret. A secret in Secrets Manager consists of both the protected secret data and the\n important information needed to manage the secret.

\n

Secrets Manager stores the encrypted secret data in one of a collection of \"versions\"\n associated with the secret. Each version contains a copy of the encrypted secret data. Each\n version is associated with one or more \"staging labels\" that identify where the version is in\n the rotation cycle. The SecretVersionsToStages field of the secret contains the\n mapping of staging labels to the active versions of the secret. Versions without a staging\n label are considered deprecated and not included in the list.

\n

You provide the secret data to be encrypted by putting text in either the\n SecretString parameter or binary data in the SecretBinary\n parameter, but not both. If you include SecretString or SecretBinary\n then Secrets Manager also creates an initial secret version and automatically attaches the staging\n label AWSCURRENT to the new version.

\n \n \n \n

\n

\n Minimum permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n " + } + }, + "com.amazonaws.secretsmanager#CreateSecretRequest": { + "type": "structure", + "members": { + "Name": { + "target": "com.amazonaws.secretsmanager#NameType", + "traits": { + "smithy.api#documentation": "

Specifies the friendly name of the new secret.

\n

The secret name must be ASCII letters, digits, or the following characters :\n /_+=.@-

\n \n

Do not end your secret name with a hyphen followed by six characters. If you do so, you\n risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager\n automatically adds a hyphen and six random characters at the end of the ARN.

\n ", + "smithy.api#required": {} + } + }, + "Tags": { + "target": "com.amazonaws.secretsmanager#TagListType", + "traits": { + "smithy.api#documentation": "

(Optional) Specifies a list of user-defined tags that are attached to the secret. Each tag\n is a \"Key\" and \"Value\" pair of strings. This operation only appends tags to the existing list\n of tags. To remove tags, you must use UntagResource.

\n \n \n \n

This parameter requires a JSON text string argument. For information on how to format a\n JSON parameter for the various command line tool environments, see Using JSON for\n Parameters in the AWS CLI User Guide. For example:

\n

\n [{\"Key\":\"CostCenter\",\"Value\":\"12345\"},{\"Key\":\"environment\",\"Value\":\"production\"}]\n

\n

If your command-line tool or SDK requires quotation marks around the parameter, you should\n use single quotes to avoid confusion with the double quotes required in the JSON text.

\n

The following basic restrictions apply to tags:

\n " + } + }, + "KmsKeyId": { + "target": "com.amazonaws.secretsmanager#KmsKeyIdType", + "traits": { + "smithy.api#documentation": "

(Optional) Specifies the ARN, Key ID, or alias of the AWS KMS customer master key (CMK) to\n be used to encrypt the SecretString or SecretBinary values in the\n versions stored in this secret.

\n

You can specify any of the supported ways to identify a AWS KMS key ID. If you need to\n reference a CMK in a different account, you can use only the key ARN or the alias ARN.

\n

If you don't specify this value, then Secrets Manager defaults to using the AWS account's\n default CMK (the one named aws/secretsmanager). If a AWS KMS CMK with that name doesn't yet\n exist, then Secrets Manager creates it for you automatically the first time it needs to encrypt a\n version's SecretString or SecretBinary fields.

\n \n

You can use the account default CMK to encrypt and decrypt only if you call this\n operation using credentials from the same account that owns the secret. If the secret\n resides in a different account, then you must create a custom CMK and specify the ARN in\n this field.

\n " + } + }, + "Description": { + "target": "com.amazonaws.secretsmanager#DescriptionType", + "traits": { + "smithy.api#documentation": "

(Optional) Specifies a user-provided description of the secret.

" + } + }, + "SecretString": { + "target": "com.amazonaws.secretsmanager#SecretStringType", + "traits": { + "smithy.api#documentation": "

(Optional) Specifies text data that you want to encrypt and store in this new version of\n the secret.

\n

Either SecretString or SecretBinary must have a value, but not\n both. They cannot both be empty.

\n

If you create a secret by using the Secrets Manager console then Secrets Manager puts the protected\n secret text in only the SecretString parameter. The Secrets Manager console stores the\n information as a JSON structure of key/value pairs that the Lambda rotation function knows how\n to parse.

\n

For storing multiple values, we recommend that you use a JSON text string argument and\n specify key/value pairs. For information on how to format a JSON parameter for the various\n command line tool environments, see Using JSON for\n Parameters in the AWS CLI User Guide. For example:

\n

\n {\"username\":\"bob\",\"password\":\"abc123xyz456\"}\n

\n

If your command-line tool or SDK requires quotation marks around the parameter, you should\n use single quotes to avoid confusion with the double quotes required in the JSON text.

" + } + }, + "SecretBinary": { + "target": "com.amazonaws.secretsmanager#SecretBinaryType", + "traits": { + "smithy.api#documentation": "

(Optional) Specifies binary data that you want to encrypt and store in the new version of\n the secret. To use this parameter in the command-line tools, we recommend that you store your\n binary data in a file and then use the appropriate technique for your tool to pass the\n contents of the file as a parameter.

\n

Either SecretString or SecretBinary must have a value, but not\n both. They cannot both be empty.

\n

This parameter is not available using the Secrets Manager console. It can be accessed only by\n using the AWS CLI or one of the AWS SDKs.

" + } + }, + "ClientRequestToken": { + "target": "com.amazonaws.secretsmanager#ClientRequestTokenType", + "traits": { + "smithy.api#documentation": "

(Optional) If you include SecretString or SecretBinary, then an\n initial version is created as part of the secret, and this parameter specifies a unique\n identifier for the new version.

\n \n

If you use the AWS CLI or one of the AWS SDK to call this operation, then you can\n leave this parameter empty. The CLI or SDK generates a random UUID for you and includes it\n as the value for this parameter in the request. If you don't use the SDK and instead\n generate a raw HTTP request to the Secrets Manager service endpoint, then you must generate a\n ClientRequestToken yourself for the new version and include the value in the\n request.

\n \n

This value helps ensure idempotency. Secrets Manager uses this value to prevent the accidental\n creation of duplicate versions if there are failures and retries during a rotation. We\n recommend that you generate a UUID-type value to\n ensure uniqueness of your versions within the specified secret.

\n \n

This value becomes the VersionId of the new version.

", + "smithy.api#idempotencyToken": {} + } + } + } + }, + "com.amazonaws.secretsmanager#CreateSecretResponse": { + "type": "structure", + "members": { + "VersionId": { + "target": "com.amazonaws.secretsmanager#SecretVersionIdType", + "traits": { + "smithy.api#documentation": "

The unique identifier associated with the version of the secret you just\n created.

" + } + }, + "Name": { + "target": "com.amazonaws.secretsmanager#SecretNameType", + "traits": { + "smithy.api#documentation": "

The friendly name of the secret that you just created.

" + } + }, + "ARN": { + "target": "com.amazonaws.secretsmanager#SecretARNType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (ARN) of the secret that you just created.

\n \n

Secrets Manager automatically adds several random characters to the name at the end of the ARN when\n you initially create a secret. This affects only the ARN and not the actual friendly name. \n This ensures that if you create a new secret with the same name as an old secret that you \n previously deleted, then users with access to the old secret don't \n automatically get access to the new secret because the ARNs are different.

\n " + } + } + } + }, + "com.amazonaws.secretsmanager#CreatedDateType": { + "type": "timestamp" + }, + "com.amazonaws.secretsmanager#DecryptionFailure": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.secretsmanager#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "

Secrets Manager can't decrypt the protected secret text using the provided KMS key.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.secretsmanager#DeleteResourcePolicy": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#DeleteResourcePolicyRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#DeleteResourcePolicyResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidRequestException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Deletes the resource-based permission policy attached to the secret.

\n

\n Minimum permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n " + } + }, + "com.amazonaws.secretsmanager#DeleteResourcePolicyRequest": { + "type": "structure", + "members": { + "SecretId": { + "target": "com.amazonaws.secretsmanager#SecretIdType", + "traits": { + "smithy.api#documentation": "

Specifies the secret that you want to delete the attached resource-based policy for. You\n can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.

\n \n

If you specify an ARN, we generally recommend that you specify a complete ARN. You can \n specify a partial ARN too—for example, if you don’t include the final hyphen and six random \n characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN \n match can work as long as it uniquely matches only one secret. However, if your secret has a \n name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six \n characters to the ARN) and you try to use that as a partial ARN, then those characters cause \n Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected \n results. To avoid this situation, we recommend that you don’t create secret names ending \n with a hyphen followed by six characters.

\n

If you specify an incomplete ARN without the random suffix, and instead provide the \n 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, \n you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

\n ", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.secretsmanager#DeleteResourcePolicyResponse": { + "type": "structure", + "members": { + "ARN": { + "target": "com.amazonaws.secretsmanager#SecretARNType", + "traits": { + "smithy.api#documentation": "

The ARN of the secret that the resource-based policy was deleted for.

" + } + }, + "Name": { + "target": "com.amazonaws.secretsmanager#NameType", + "traits": { + "smithy.api#documentation": "

The friendly name of the secret that the resource-based policy was deleted for.

" + } + } + } + }, + "com.amazonaws.secretsmanager#DeleteSecret": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#DeleteSecretRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#DeleteSecretResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidParameterException" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidRequestException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Deletes an entire secret and all of its versions. You can optionally include a recovery\n window during which you can restore the secret. If you don't specify a recovery window value,\n the operation defaults to 30 days. Secrets Manager attaches a DeletionDate stamp to\n the secret that specifies the end of the recovery window. At the end of the recovery window,\n Secrets Manager deletes the secret permanently.

\n

At any time before recovery window ends, you can use RestoreSecret to\n remove the DeletionDate and cancel the deletion of the secret.

\n

You cannot access the encrypted secret information in any secret that is scheduled for\n deletion. If you need to access that information, you must cancel the deletion with RestoreSecret and then retrieve the information.

\n \n \n \n

\n Minimum permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n " + } + }, + "com.amazonaws.secretsmanager#DeleteSecretRequest": { + "type": "structure", + "members": { + "ForceDeleteWithoutRecovery": { + "target": "com.amazonaws.secretsmanager#BooleanType", + "traits": { + "smithy.api#box": {}, + "smithy.api#documentation": "

(Optional) Specifies that the secret is to be deleted without any recovery window. You\n can't use both this parameter and the RecoveryWindowInDays parameter in the same\n API call.

\n

An asynchronous background process performs the actual deletion, so there can be a short\n delay before the operation completes. If you write code to delete and then immediately\n recreate a secret with the same name, ensure that your code includes appropriate back off and\n retry logic.

\n \n

Use this parameter with caution. This parameter causes the operation to skip the normal\n waiting period before the permanent deletion that AWS would normally impose with the\n RecoveryWindowInDays parameter. If you delete a secret with the\n ForceDeleteWithouRecovery parameter, then you have no opportunity to recover\n the secret. It is permanently lost.

\n " + } + }, + "RecoveryWindowInDays": { + "target": "com.amazonaws.secretsmanager#RecoveryWindowInDaysType", + "traits": { + "smithy.api#box": {}, + "smithy.api#documentation": "

(Optional) Specifies the number of days that Secrets Manager waits before it can delete the secret.\n You can't use both this parameter and the ForceDeleteWithoutRecovery parameter in\n the same API call.

\n

This value can range from 7 to 30 days. The default value is 30.

" + } + }, + "SecretId": { + "target": "com.amazonaws.secretsmanager#SecretIdType", + "traits": { + "smithy.api#documentation": "

Specifies the secret that you want to delete. You can specify either the Amazon Resource\n Name (ARN) or the friendly name of the secret.

\n \n

If you specify an ARN, we generally recommend that you specify a complete ARN. You can \n specify a partial ARN too—for example, if you don’t include the final hyphen and six random \n characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN \n match can work as long as it uniquely matches only one secret. However, if your secret has a \n name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six \n characters to the ARN) and you try to use that as a partial ARN, then those characters cause \n Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected \n results. To avoid this situation, we recommend that you don’t create secret names ending \n with a hyphen followed by six characters.

\n

If you specify an incomplete ARN without the random suffix, and instead provide the \n 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, \n you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

\n ", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.secretsmanager#DeleteSecretResponse": { + "type": "structure", + "members": { + "ARN": { + "target": "com.amazonaws.secretsmanager#SecretARNType", + "traits": { + "smithy.api#documentation": "

The ARN of the secret that is now scheduled for deletion.

" + } + }, + "Name": { + "target": "com.amazonaws.secretsmanager#SecretNameType", + "traits": { + "smithy.api#documentation": "

The friendly name of the secret that is now scheduled for deletion.

" + } + }, + "DeletionDate": { + "target": "com.amazonaws.secretsmanager#DeletionDateType", + "traits": { + "smithy.api#documentation": "

The date and time after which this secret can be deleted by Secrets Manager and can no longer be\n restored. This value is the date and time of the delete request plus the number of days\n specified in RecoveryWindowInDays.

" + } + } + } + }, + "com.amazonaws.secretsmanager#DeletedDateType": { + "type": "timestamp" + }, + "com.amazonaws.secretsmanager#DeletionDateType": { + "type": "timestamp" + }, + "com.amazonaws.secretsmanager#DescribeSecret": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#DescribeSecretRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#DescribeSecretResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Retrieves the details of a secret. It does not include the encrypted fields. Secrets\n Manager only returns fields populated with a value in the response.

\n

\n Minimum permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n " + } + }, + "com.amazonaws.secretsmanager#DescribeSecretRequest": { + "type": "structure", + "members": { + "SecretId": { + "target": "com.amazonaws.secretsmanager#SecretIdType", + "traits": { + "smithy.api#documentation": "

The identifier of the secret whose details you want to retrieve. You can specify either\n the Amazon Resource Name (ARN) or the friendly name of the secret.

\n \n

If you specify an ARN, we generally recommend that you specify a complete ARN. You can \n specify a partial ARN too—for example, if you don’t include the final hyphen and six random \n characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN \n match can work as long as it uniquely matches only one secret. However, if your secret has a \n name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six \n characters to the ARN) and you try to use that as a partial ARN, then those characters cause \n Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected \n results. To avoid this situation, we recommend that you don’t create secret names ending \n with a hyphen followed by six characters.

\n

If you specify an incomplete ARN without the random suffix, and instead provide the \n 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, \n you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

\n ", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.secretsmanager#DescribeSecretResponse": { + "type": "structure", + "members": { + "LastRotatedDate": { + "target": "com.amazonaws.secretsmanager#LastRotatedDateType", + "traits": { + "smithy.api#documentation": "

The most recent date and time that the Secrets Manager rotation process was successfully\n completed. This value is null if the secret has never rotated.

" + } + }, + "Description": { + "target": "com.amazonaws.secretsmanager#DescriptionType", + "traits": { + "smithy.api#documentation": "

The user-provided description of the secret.

" + } + }, + "KmsKeyId": { + "target": "com.amazonaws.secretsmanager#KmsKeyIdType", + "traits": { + "smithy.api#documentation": "

The ARN or alias of the AWS KMS customer master key (CMK) that's used to encrypt the\n SecretString or SecretBinary fields in each version of the secret.\n If you don't provide a key, then Secrets Manager defaults to encrypting the secret fields with the\n default AWS KMS CMK (the one named awssecretsmanager) for this account.

" + } + }, + "VersionIdsToStages": { + "target": "com.amazonaws.secretsmanager#SecretVersionsToStagesMapType", + "traits": { + "smithy.api#documentation": "

A list of all of the currently assigned VersionStage staging labels and the\n VersionId that each is attached to. Staging labels are used to keep track of\n the different versions during the rotation process.

\n \n

A version that does not have any staging labels attached is considered deprecated and\n subject to deletion. Such versions are not included in this list.

\n " + } + }, + "LastChangedDate": { + "target": "com.amazonaws.secretsmanager#LastChangedDateType", + "traits": { + "smithy.api#documentation": "

The last date and time that this secret was modified in any way.

" + } + }, + "RotationRules": { + "target": "com.amazonaws.secretsmanager#RotationRulesType", + "traits": { + "smithy.api#documentation": "

A structure that contains the rotation configuration for this secret.

" + } + }, + "Name": { + "target": "com.amazonaws.secretsmanager#SecretNameType", + "traits": { + "smithy.api#documentation": "

The user-provided friendly name of the secret.

" + } + }, + "RotationEnabled": { + "target": "com.amazonaws.secretsmanager#RotationEnabledType", + "traits": { + "smithy.api#box": {}, + "smithy.api#documentation": "

Specifies whether automatic rotation is enabled for this secret.

\n

To enable rotation, use RotateSecret with\n AutomaticallyRotateAfterDays set to a value greater than 0. To disable\n rotation, use CancelRotateSecret.

" + } + }, + "LastAccessedDate": { + "target": "com.amazonaws.secretsmanager#LastAccessedDateType", + "traits": { + "smithy.api#documentation": "

The last date that this secret was accessed. This value is truncated to midnight of the\n date and therefore shows only the date, not the time.

" + } + }, + "CreatedDate": { + "target": "com.amazonaws.secretsmanager#TimestampType", + "traits": { + "smithy.api#documentation": "

The date that the secret was created.

" + } + }, + "DeletedDate": { + "target": "com.amazonaws.secretsmanager#DeletedDateType", + "traits": { + "smithy.api#documentation": "

This value exists if the secret is scheduled for deletion. Some time after the specified\n date and time, Secrets Manager deletes the secret and all of its versions.

\n

If a secret is scheduled for deletion, then its details, including the encrypted secret\n information, is not accessible. To cancel a scheduled deletion and restore access, use RestoreSecret.

" + } + }, + "ARN": { + "target": "com.amazonaws.secretsmanager#SecretARNType", + "traits": { + "smithy.api#documentation": "

The ARN of the secret.

" + } + }, + "OwningService": { + "target": "com.amazonaws.secretsmanager#OwningServiceType", + "traits": { + "smithy.api#documentation": "

Returns the name of the service that created this secret.

" + } + }, + "RotationLambdaARN": { + "target": "com.amazonaws.secretsmanager#RotationLambdaARNType", + "traits": { + "smithy.api#documentation": "

The ARN of a Lambda function that's invoked by Secrets Manager to rotate the\n secret either automatically per the schedule or manually by a call to\n RotateSecret.

" + } + }, + "Tags": { + "target": "com.amazonaws.secretsmanager#TagListType", + "traits": { + "smithy.api#documentation": "

The list of user-defined tags that are associated with the secret. To add tags to a\n secret, use TagResource. To remove tags, use UntagResource.

" + } + } + } + }, + "com.amazonaws.secretsmanager#DescriptionType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 2048 + } + } + }, + "com.amazonaws.secretsmanager#EncryptionFailure": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.secretsmanager#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "

Secrets Manager can't encrypt the protected secret text using the provided KMS key. Check that the\n customer master key (CMK) is available, enabled, and not in an invalid state. For more\n information, see How Key State Affects Use of a\n Customer Master Key.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.secretsmanager#ErrorMessage": { + "type": "string" + }, + "com.amazonaws.secretsmanager#ExcludeCharactersType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 4096 + } + } + }, + "com.amazonaws.secretsmanager#ExcludeLowercaseType": { + "type": "boolean" + }, + "com.amazonaws.secretsmanager#ExcludeNumbersType": { + "type": "boolean" + }, + "com.amazonaws.secretsmanager#ExcludePunctuationType": { + "type": "boolean" + }, + "com.amazonaws.secretsmanager#ExcludeUppercaseType": { + "type": "boolean" + }, + "com.amazonaws.secretsmanager#Filter": { + "type": "structure", + "members": { + "Key": { + "target": "com.amazonaws.secretsmanager#FilterNameStringType", + "traits": { + "smithy.api#documentation": "

Filters your list of secrets by a specific key.

" + } + }, + "Values": { + "target": "com.amazonaws.secretsmanager#FilterValuesStringList", + "traits": { + "smithy.api#documentation": "

Filters your list of secrets by a specific value.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Allows you to filter your list of secrets.

" + } + }, + "com.amazonaws.secretsmanager#FilterNameStringType": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "description" + }, + { + "value": "name" + }, + { + "value": "tag-key" + }, + { + "value": "tag-value" + }, + { + "value": "all" + } + ] + } + }, + "com.amazonaws.secretsmanager#FilterValueStringType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 512 + }, + "smithy.api#pattern": "[a-zA-Z0-9 :_@\\/\\+\\=\\.\\-]+" + } + }, + "com.amazonaws.secretsmanager#FilterValuesStringList": { + "type": "list", + "member": { + "target": "com.amazonaws.secretsmanager#FilterValueStringType" + }, + "traits": { + "smithy.api#length": { + "min": 1, + "max": 10 + } + } + }, + "com.amazonaws.secretsmanager#FiltersListType": { + "type": "list", + "member": { + "target": "com.amazonaws.secretsmanager#Filter" + }, + "traits": { + "smithy.api#length": { + "min": 0, + "max": 10 + } + } + }, + "com.amazonaws.secretsmanager#GetRandomPassword": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#GetRandomPasswordRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#GetRandomPasswordResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidParameterException" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidRequestException" + } + ], + "traits": { + "smithy.api#documentation": "

Generates a random password of the specified complexity. This operation is intended for\n use in the Lambda rotation function. Per best practice, we recommend that you specify the\n maximum length and include every character type that the system you are generating a password\n for can support.

\n

\n Minimum permissions\n

\n

To run this command, you must have the following permissions:

\n " + } + }, + "com.amazonaws.secretsmanager#GetRandomPasswordRequest": { + "type": "structure", + "members": { + "ExcludeNumbers": { + "target": "com.amazonaws.secretsmanager#ExcludeNumbersType", + "traits": { + "smithy.api#box": {}, + "smithy.api#documentation": "

Specifies that the generated password should not include digits. The default if you do not\n include this switch parameter is that digits can be included.

" + } + }, + "ExcludeCharacters": { + "target": "com.amazonaws.secretsmanager#ExcludeCharactersType", + "traits": { + "smithy.api#documentation": "

A string that includes characters that should not be included in the generated password.\n The default is that all characters from the included sets can be used.

" + } + }, + "PasswordLength": { + "target": "com.amazonaws.secretsmanager#PasswordLengthType", + "traits": { + "smithy.api#box": {}, + "smithy.api#documentation": "

The desired length of the generated password. The default value if you do not include this\n parameter is 32 characters.

" + } + }, + "RequireEachIncludedType": { + "target": "com.amazonaws.secretsmanager#RequireEachIncludedTypeType", + "traits": { + "smithy.api#box": {}, + "smithy.api#documentation": "

A boolean value that specifies whether the generated password must include at least one of\n every allowed character type. The default value is True and the operation\n requires at least one of every character type.

" + } + }, + "IncludeSpace": { + "target": "com.amazonaws.secretsmanager#IncludeSpaceType", + "traits": { + "smithy.api#box": {}, + "smithy.api#documentation": "

Specifies that the generated password can include the space character. The default if you\n do not include this switch parameter is that the space character is not included.

" + } + }, + "ExcludePunctuation": { + "target": "com.amazonaws.secretsmanager#ExcludePunctuationType", + "traits": { + "smithy.api#box": {}, + "smithy.api#documentation": "

Specifies that the generated password should not include punctuation characters. The\n default if you do not include this switch parameter is that punctuation characters can be\n included.

\n

The following are the punctuation characters that can be included in\n the generated password if you don't explicitly exclude them with\n ExcludeCharacters or ExcludePunctuation:

\n

\n ! \" # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \\ ] ^ _ ` { | }\n ~\n

" + } + }, + "ExcludeLowercase": { + "target": "com.amazonaws.secretsmanager#ExcludeLowercaseType", + "traits": { + "smithy.api#box": {}, + "smithy.api#documentation": "

Specifies that the generated password should not include lowercase letters. The default if\n you do not include this switch parameter is that lowercase letters can be included.

" + } + }, + "ExcludeUppercase": { + "target": "com.amazonaws.secretsmanager#ExcludeUppercaseType", + "traits": { + "smithy.api#box": {}, + "smithy.api#documentation": "

Specifies that the generated password should not include uppercase letters. The default if\n you do not include this switch parameter is that uppercase letters can be included.

" + } + } + } + }, + "com.amazonaws.secretsmanager#GetRandomPasswordResponse": { + "type": "structure", + "members": { + "RandomPassword": { + "target": "com.amazonaws.secretsmanager#RandomPasswordType", + "traits": { + "smithy.api#documentation": "

A string with the generated password.

" + } + } + } + }, + "com.amazonaws.secretsmanager#GetResourcePolicy": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#GetResourcePolicyRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#GetResourcePolicyResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidRequestException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Retrieves the JSON text of the resource-based policy document attached to the\n specified secret. The JSON request string input and response output displays formatted code\n with white space and line breaks for better readability. Submit your input as a single line \n JSON string.

\n

\n Minimum permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n " + } + }, + "com.amazonaws.secretsmanager#GetResourcePolicyRequest": { + "type": "structure", + "members": { + "SecretId": { + "target": "com.amazonaws.secretsmanager#SecretIdType", + "traits": { + "smithy.api#documentation": "

Specifies the secret that you want to retrieve the attached resource-based policy for. You\n can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.

\n \n

If you specify an ARN, we generally recommend that you specify a complete ARN. You can \n specify a partial ARN too—for example, if you don’t include the final hyphen and six random \n characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN \n match can work as long as it uniquely matches only one secret. However, if your secret has a \n name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six \n characters to the ARN) and you try to use that as a partial ARN, then those characters cause \n Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected \n results. To avoid this situation, we recommend that you don’t create secret names ending \n with a hyphen followed by six characters.

\n

If you specify an incomplete ARN without the random suffix, and instead provide the \n 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, \n you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

\n ", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.secretsmanager#GetResourcePolicyResponse": { + "type": "structure", + "members": { + "ResourcePolicy": { + "target": "com.amazonaws.secretsmanager#NonEmptyResourcePolicyType", + "traits": { + "smithy.api#documentation": "

A JSON-formatted string that describes the permissions that are associated with the\n attached secret. These permissions are combined with any permissions that are associated with\n the user or role that attempts to access this secret. The combined permissions specify who can\n access the secret and what actions they can perform. For more information, see Authentication and Access Control for\n AWS Secrets Manager in the AWS Secrets Manager User Guide.

" + } + }, + "Name": { + "target": "com.amazonaws.secretsmanager#NameType", + "traits": { + "smithy.api#documentation": "

The friendly name of the secret that the resource-based policy was retrieved for.

" + } + }, + "ARN": { + "target": "com.amazonaws.secretsmanager#SecretARNType", + "traits": { + "smithy.api#documentation": "

The ARN of the secret that the resource-based policy was retrieved for.

" + } + } + } + }, + "com.amazonaws.secretsmanager#GetSecretValue": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#GetSecretValueRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#GetSecretValueResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#DecryptionFailure" + }, + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidParameterException" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidRequestException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Retrieves the contents of the encrypted fields SecretString or\n SecretBinary from the specified version of a secret, whichever contains\n content.

\n

\n Minimum permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n " + } + }, + "com.amazonaws.secretsmanager#GetSecretValueRequest": { + "type": "structure", + "members": { + "SecretId": { + "target": "com.amazonaws.secretsmanager#SecretIdType", + "traits": { + "smithy.api#documentation": "

Specifies the secret containing the version that you want to retrieve. You can specify\n either the Amazon Resource Name (ARN) or the friendly name of the secret.

\n \n

If you specify an ARN, we generally recommend that you specify a complete ARN. You can \n specify a partial ARN too—for example, if you don’t include the final hyphen and six random \n characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN \n match can work as long as it uniquely matches only one secret. However, if your secret has a \n name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six \n characters to the ARN) and you try to use that as a partial ARN, then those characters cause \n Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected \n results. To avoid this situation, we recommend that you don’t create secret names ending \n with a hyphen followed by six characters.

\n

If you specify an incomplete ARN without the random suffix, and instead provide the \n 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, \n you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

\n ", + "smithy.api#required": {} + } + }, + "VersionStage": { + "target": "com.amazonaws.secretsmanager#SecretVersionStageType", + "traits": { + "smithy.api#documentation": "

Specifies the secret version that you want to retrieve by the staging label attached to\n the version.

\n

Staging labels are used to keep track of different versions during the rotation process.\n If you use this parameter then don't specify VersionId. If you don't\n specify either a VersionStage or VersionId, then the default is to\n perform the operation on the version with the VersionStage value of\n AWSCURRENT.

" + } + }, + "VersionId": { + "target": "com.amazonaws.secretsmanager#SecretVersionIdType", + "traits": { + "smithy.api#documentation": "

Specifies the unique identifier of the version of the secret that you want to retrieve. If\n you specify this parameter then don't specify VersionStage. If you\n don't specify either a VersionStage or VersionId then the\n default is to perform the operation on the version with the VersionStage value of\n AWSCURRENT.

\n

This value is typically a UUID-type value with\n 32 hexadecimal digits.

" + } + } + } + }, + "com.amazonaws.secretsmanager#GetSecretValueResponse": { + "type": "structure", + "members": { + "VersionId": { + "target": "com.amazonaws.secretsmanager#SecretVersionIdType", + "traits": { + "smithy.api#documentation": "

The unique identifier of this version of the secret.

" + } + }, + "CreatedDate": { + "target": "com.amazonaws.secretsmanager#CreatedDateType", + "traits": { + "smithy.api#documentation": "

The date and time that this version of the secret was created.

" + } + }, + "SecretString": { + "target": "com.amazonaws.secretsmanager#SecretStringType", + "traits": { + "smithy.api#documentation": "

The decrypted part of the protected secret information that was originally provided as a\n string.

\n

If you create this secret by using the Secrets Manager console then only the\n SecretString parameter contains data. Secrets Manager stores the information as a\n JSON structure of key/value pairs that the Lambda rotation function knows how to parse.

\n

If you store custom information in the secret by using the CreateSecret,\n UpdateSecret, or PutSecretValue API operations instead\n of the Secrets Manager console, or by using the Other secret type in\n the console, then you must code your Lambda rotation function to parse and interpret those\n values.

" + } + }, + "SecretBinary": { + "target": "com.amazonaws.secretsmanager#SecretBinaryType", + "traits": { + "smithy.api#documentation": "

The decrypted part of the protected secret information that was originally provided as\n binary data in the form of a byte array. The response parameter represents the binary data as\n a base64-encoded\n string.

\n

This parameter is not used if the secret is created by the Secrets Manager console.

\n

If you store custom information in this field of the secret, then you must code your\n Lambda rotation function to parse and interpret whatever you store in the\n SecretString or SecretBinary fields.

" + } + }, + "VersionStages": { + "target": "com.amazonaws.secretsmanager#SecretVersionStagesType", + "traits": { + "smithy.api#documentation": "

A list of all of the staging labels currently attached to this version of the\n secret.

" + } + }, + "Name": { + "target": "com.amazonaws.secretsmanager#SecretNameType", + "traits": { + "smithy.api#documentation": "

The friendly name of the secret.

" + } + }, + "ARN": { + "target": "com.amazonaws.secretsmanager#SecretARNType", + "traits": { + "smithy.api#documentation": "

The ARN of the secret.

" + } + } + } + }, + "com.amazonaws.secretsmanager#IncludeSpaceType": { + "type": "boolean" + }, + "com.amazonaws.secretsmanager#InternalServiceError": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.secretsmanager#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "

An error occurred on the server side.

", + "smithy.api#error": "server" + } + }, + "com.amazonaws.secretsmanager#InvalidNextTokenException": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.secretsmanager#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "

You provided an invalid NextToken value.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.secretsmanager#InvalidParameterException": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.secretsmanager#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "

You provided an invalid value for a parameter.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.secretsmanager#InvalidRequestException": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.secretsmanager#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "

You provided a parameter value that is not valid for the current state of the\n resource.

\n

Possible causes:

\n ", + "smithy.api#error": "client" + } + }, + "com.amazonaws.secretsmanager#KmsKeyIdType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 2048 + } + } + }, + "com.amazonaws.secretsmanager#LastAccessedDateType": { + "type": "timestamp" + }, + "com.amazonaws.secretsmanager#LastChangedDateType": { + "type": "timestamp" + }, + "com.amazonaws.secretsmanager#LastRotatedDateType": { + "type": "timestamp" + }, + "com.amazonaws.secretsmanager#LimitExceededException": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.secretsmanager#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "

The request failed because it would exceed one of the Secrets Manager internal limits.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.secretsmanager#ListSecretVersionIds": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#ListSecretVersionIdsRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#ListSecretVersionIdsResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidNextTokenException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Lists all of the versions attached to the specified secret. The output does not include\n the SecretString or SecretBinary fields. By default, the list\n includes only versions that have at least one staging label in VersionStage\n attached.

\n \n

Always check the NextToken response parameter \n when calling any of the List* operations. These operations can occasionally return \n an empty or shorter than expected list of results even when there more results become available. \n When this happens, the NextToken response parameter contains a value to pass to the \n next call to the same API to request the next part of the list.

\n \n

\n Minimum\n permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n ", + "smithy.api#paginated": { + "inputToken": "NextToken", + "outputToken": "NextToken", + "pageSize": "MaxResults" + } + } + }, + "com.amazonaws.secretsmanager#ListSecretVersionIdsRequest": { + "type": "structure", + "members": { + "MaxResults": { + "target": "com.amazonaws.secretsmanager#MaxResultsType", + "traits": { + "smithy.api#box": {}, + "smithy.api#documentation": "

(Optional) Limits the number of results you want to include in \n the response. If you don't include this parameter, it defaults to a value that's \n specific to the operation. If additional items exist beyond the maximum you specify, the \n NextToken response element is present and has a value (isn't null). Include\n that value as the NextToken request parameter in the next call to the operation to \n get the next part of the results. Note that Secrets Manager might return fewer results than the maximum \n even when there are more results available. You should check NextToken after every \n operation to ensure that you receive all of the results.

" + } + }, + "SecretId": { + "target": "com.amazonaws.secretsmanager#SecretIdType", + "traits": { + "smithy.api#documentation": "

The identifier for the secret containing the versions you want to list. You can specify\n either the Amazon Resource Name (ARN) or the friendly name of the secret.

\n \n

If you specify an ARN, we generally recommend that you specify a complete ARN. You can \n specify a partial ARN too—for example, if you don’t include the final hyphen and six random \n characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN \n match can work as long as it uniquely matches only one secret. However, if your secret has a \n name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six \n characters to the ARN) and you try to use that as a partial ARN, then those characters cause \n Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected \n results. To avoid this situation, we recommend that you don’t create secret names ending \n with a hyphen followed by six characters.

\n

If you specify an incomplete ARN without the random suffix, and instead provide the \n 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, \n you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

\n ", + "smithy.api#required": {} + } + }, + "NextToken": { + "target": "com.amazonaws.secretsmanager#NextTokenType", + "traits": { + "smithy.api#documentation": "

(Optional) Use this parameter in a request if you receive a \n NextToken response in a previous request indicating there's more\n output available. In a subsequent call, set it to the value of the previous call \n NextToken response to indicate where the output should continue from.

" + } + }, + "IncludeDeprecated": { + "target": "com.amazonaws.secretsmanager#BooleanType", + "traits": { + "smithy.api#box": {}, + "smithy.api#documentation": "

(Optional) Specifies that you want the results to include versions that do not have any\n staging labels attached to them. Such versions are considered deprecated and are subject to\n deletion by Secrets Manager as needed.

" + } + } + } + }, + "com.amazonaws.secretsmanager#ListSecretVersionIdsResponse": { + "type": "structure", + "members": { + "NextToken": { + "target": "com.amazonaws.secretsmanager#NextTokenType", + "traits": { + "smithy.api#documentation": "

If present in the response, this value indicates that \n there's more output available than included in the current response. This can \n occur even when the response includes no values at all, such as when you ask for a filtered view \n of a very long list. Use this value in the NextToken request parameter in a \n subsequent call to the operation to continue processing and get the next part of the output. You \n should repeat this until the NextToken response element comes back empty (as \n null).

" + } + }, + "Versions": { + "target": "com.amazonaws.secretsmanager#SecretVersionsListType", + "traits": { + "smithy.api#documentation": "

The list of the currently available versions of the specified secret.

" + } + }, + "ARN": { + "target": "com.amazonaws.secretsmanager#SecretARNType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (ARN) for the secret.

\n \n

Secrets Manager automatically adds several random characters to the name at the end of the ARN when\n you initially create a secret. This affects only the ARN and not the actual friendly name. \n This ensures that if you create a new secret with the same name as an old secret that you \n previously deleted, then users with access to the old secret don't \n automatically get access to the new secret because the ARNs are different.

\n " + } + }, + "Name": { + "target": "com.amazonaws.secretsmanager#SecretNameType", + "traits": { + "smithy.api#documentation": "

The friendly name of the secret.

" + } + } + } + }, + "com.amazonaws.secretsmanager#ListSecrets": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#ListSecretsRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#ListSecretsResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidNextTokenException" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidParameterException" + } + ], + "traits": { + "smithy.api#documentation": "

Lists all of the secrets that are stored by Secrets Manager in the AWS account. To list the\n versions currently stored for a specific secret, use ListSecretVersionIds.\n The encrypted fields SecretString and SecretBinary are not included\n in the output. To get that information, call the GetSecretValue\n operation.

\n \n

Always check the NextToken response parameter \n when calling any of the List* operations. These operations can occasionally return \n an empty or shorter than expected list of results even when there more results become available. \n When this happens, the NextToken response parameter contains a value to pass to the \n next call to the same API to request the next part of the list.

\n \n

\n Minimum\n permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n ", + "smithy.api#paginated": { + "inputToken": "NextToken", + "outputToken": "NextToken", + "pageSize": "MaxResults" + } + } + }, + "com.amazonaws.secretsmanager#ListSecretsRequest": { + "type": "structure", + "members": { + "MaxResults": { + "target": "com.amazonaws.secretsmanager#MaxResultsType", + "traits": { + "smithy.api#box": {}, + "smithy.api#documentation": "

(Optional) Limits the number of results you want to include in \n the response. If you don't include this parameter, it defaults to a value that's \n specific to the operation. If additional items exist beyond the maximum you specify, the \n NextToken response element is present and has a value (isn't null). Include\n that value as the NextToken request parameter in the next call to the operation to \n get the next part of the results. Note that Secrets Manager might return fewer results than the maximum \n even when there are more results available. You should check NextToken after every \n operation to ensure that you receive all of the results.

" + } + }, + "SortOrder": { + "target": "com.amazonaws.secretsmanager#SortOrderType", + "traits": { + "smithy.api#documentation": "

Lists secrets in the requested order.

" + } + }, + "NextToken": { + "target": "com.amazonaws.secretsmanager#NextTokenType", + "traits": { + "smithy.api#documentation": "

(Optional) Use this parameter in a request if you receive a \n NextToken response in a previous request indicating there's more\n output available. In a subsequent call, set it to the value of the previous call \n NextToken response to indicate where the output should continue from.

" + } + }, + "Filters": { + "target": "com.amazonaws.secretsmanager#FiltersListType", + "traits": { + "smithy.api#documentation": "

Lists the secret request filters.

" + } + } + } + }, + "com.amazonaws.secretsmanager#ListSecretsResponse": { + "type": "structure", + "members": { + "SecretList": { + "target": "com.amazonaws.secretsmanager#SecretListType", + "traits": { + "smithy.api#documentation": "

A list of the secrets in the account.

" + } + }, + "NextToken": { + "target": "com.amazonaws.secretsmanager#NextTokenType", + "traits": { + "smithy.api#documentation": "

If present in the response, this value indicates that \n there's more output available than included in the current response. This can \n occur even when the response includes no values at all, such as when you ask for a filtered view \n of a very long list. Use this value in the NextToken request parameter in a \n subsequent call to the operation to continue processing and get the next part of the output. You \n should repeat this until the NextToken response element comes back empty (as \n null).

" + } + } + } + }, + "com.amazonaws.secretsmanager#MalformedPolicyDocumentException": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.secretsmanager#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "

The policy document that you provided isn't valid.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.secretsmanager#MaxResultsType": { + "type": "integer", + "traits": { + "smithy.api#range": { + "min": 1, + "max": 100 + } + } + }, + "com.amazonaws.secretsmanager#NameType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 512 + } + } + }, + "com.amazonaws.secretsmanager#NextTokenType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 4096 + } + } + }, + "com.amazonaws.secretsmanager#NonEmptyResourcePolicyType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 20480 + } + } + }, + "com.amazonaws.secretsmanager#OwningServiceType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 128 + } + } + }, + "com.amazonaws.secretsmanager#PasswordLengthType": { + "type": "long", + "traits": { + "smithy.api#range": { + "min": 1, + "max": 4096 + } + } + }, + "com.amazonaws.secretsmanager#PreconditionNotMetException": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.secretsmanager#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "

The request failed because you did not complete all the prerequisite steps.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.secretsmanager#PublicPolicyException": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.secretsmanager#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "

The resource policy did not prevent broad access to the secret.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.secretsmanager#PutResourcePolicy": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#PutResourcePolicyRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#PutResourcePolicyResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidParameterException" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidRequestException" + }, + { + "target": "com.amazonaws.secretsmanager#MalformedPolicyDocumentException" + }, + { + "target": "com.amazonaws.secretsmanager#PublicPolicyException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Attaches the contents of the specified resource-based permission policy to a secret. A\n resource-based policy is optional. Alternatively, you can use IAM identity-based policies\n that specify the secret's Amazon Resource Name (ARN) in the policy statement's\n Resources element. You can also use a combination of both identity-based and\n resource-based policies. The affected users and roles receive the permissions that are\n permitted by all of the relevant policies. For more information, see Using Resource-Based\n Policies for AWS Secrets Manager. For the complete description of the AWS policy syntax and\n grammar, see IAM JSON\n Policy Reference in the IAM User Guide.

\n

\n Minimum permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n " + } + }, + "com.amazonaws.secretsmanager#PutResourcePolicyRequest": { + "type": "structure", + "members": { + "ResourcePolicy": { + "target": "com.amazonaws.secretsmanager#NonEmptyResourcePolicyType", + "traits": { + "smithy.api#documentation": "

A JSON-formatted string that's constructed according to the grammar and syntax for an\n AWS resource-based policy. The policy in the string identifies who can access or manage this\n secret and its versions. For information on how to format a JSON parameter for the various\n command line tool environments, see Using\n JSON for Parameters in the AWS CLI User Guide.

", + "smithy.api#required": {} + } + }, + "BlockPublicPolicy": { + "target": "com.amazonaws.secretsmanager#BooleanType", + "traits": { + "smithy.api#box": {}, + "smithy.api#documentation": "

Makes an optional API call to Zelkova to validate the Resource Policy to prevent broad access to your secret.

" + } + }, + "SecretId": { + "target": "com.amazonaws.secretsmanager#SecretIdType", + "traits": { + "smithy.api#documentation": "

Specifies the secret that you want to attach the resource-based policy to. You can specify\n either the ARN or the friendly name of the secret.

\n \n

If you specify an ARN, we generally recommend that you specify a complete ARN. You can \n specify a partial ARN too—for example, if you don’t include the final hyphen and six random \n characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN \n match can work as long as it uniquely matches only one secret. However, if your secret has a \n name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six \n characters to the ARN) and you try to use that as a partial ARN, then those characters cause \n Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected \n results. To avoid this situation, we recommend that you don’t create secret names ending \n with a hyphen followed by six characters.

\n

If you specify an incomplete ARN without the random suffix, and instead provide the \n 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, \n you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

\n ", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.secretsmanager#PutResourcePolicyResponse": { + "type": "structure", + "members": { + "ARN": { + "target": "com.amazonaws.secretsmanager#SecretARNType", + "traits": { + "smithy.api#documentation": "

The ARN of the secret retrieved by the resource-based policy.

" + } + }, + "Name": { + "target": "com.amazonaws.secretsmanager#NameType", + "traits": { + "smithy.api#documentation": "

The friendly name of the secret that the retrieved by the resource-based policy.

" + } + } + } + }, + "com.amazonaws.secretsmanager#PutSecretValue": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#PutSecretValueRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#PutSecretValueResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#EncryptionFailure" + }, + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidParameterException" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidRequestException" + }, + { + "target": "com.amazonaws.secretsmanager#LimitExceededException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceExistsException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Stores a new encrypted secret value in the specified secret. To do this, the operation\n creates a new version and attaches it to the secret. The version can contain a new\n SecretString value or a new SecretBinary value. You can also\n specify the staging labels that are initially attached to the new version.

\n \n

The Secrets Manager console uses only the SecretString field. To add binary data to a\n secret with the SecretBinary field you must use the AWS CLI or one of the\n AWS SDKs.

\n \n \n \n \n \n

\n Minimum permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n " + } + }, + "com.amazonaws.secretsmanager#PutSecretValueRequest": { + "type": "structure", + "members": { + "ClientRequestToken": { + "target": "com.amazonaws.secretsmanager#ClientRequestTokenType", + "traits": { + "smithy.api#documentation": "

(Optional) Specifies a unique identifier for the new version of the secret.

\n \n

If you use the AWS CLI or one of the AWS SDK to call this operation, then you can\n leave this parameter empty. The CLI or SDK generates a random UUID for you and includes that\n in the request. If you don't use the SDK and instead generate a raw HTTP request to the\n Secrets Manager service endpoint, then you must generate a ClientRequestToken yourself\n for new versions and include that value in the request.

\n \n

This value helps ensure idempotency. Secrets Manager uses this value to prevent the accidental\n creation of duplicate versions if there are failures and retries during the Lambda rotation\n function's processing. We recommend that you generate a UUID-type value to\n ensure uniqueness within the specified secret.

\n \n

This value becomes the VersionId of the new version.

", + "smithy.api#idempotencyToken": {} + } + }, + "SecretId": { + "target": "com.amazonaws.secretsmanager#SecretIdType", + "traits": { + "smithy.api#documentation": "

Specifies the secret to which you want to add a new version. You can specify either the\n Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already\n exist.

\n \n

If you specify an ARN, we generally recommend that you specify a complete ARN. You can \n specify a partial ARN too—for example, if you don’t include the final hyphen and six random \n characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN \n match can work as long as it uniquely matches only one secret. However, if your secret has a \n name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six \n characters to the ARN) and you try to use that as a partial ARN, then those characters cause \n Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected \n results. To avoid this situation, we recommend that you don’t create secret names ending \n with a hyphen followed by six characters.

\n

If you specify an incomplete ARN without the random suffix, and instead provide the \n 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, \n you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

\n ", + "smithy.api#required": {} + } + }, + "SecretString": { + "target": "com.amazonaws.secretsmanager#SecretStringType", + "traits": { + "smithy.api#documentation": "

(Optional) Specifies text data that you want to encrypt and store in this new version of\n the secret. Either SecretString or SecretBinary must have a value,\n but not both. They cannot both be empty.

\n \n

If you create this secret by using the Secrets Manager console then Secrets Manager puts the\n protected secret text in only the SecretString parameter. The Secrets Manager console\n stores the information as a JSON structure of key/value pairs that the default Lambda rotation\n function knows how to parse.

\n

For storing multiple values, we recommend that you use a JSON text string argument and\n specify key/value pairs. For information on how to format a JSON parameter for the various\n command line tool environments, see Using JSON for\n Parameters in the AWS CLI User Guide.

\n

For example:

\n

\n [{\"username\":\"bob\"},{\"password\":\"abc123xyz456\"}]\n

\n

If your command-line tool or SDK requires quotation marks around the parameter, you should\n use single quotes to avoid confusion with the double quotes required in the JSON text.

" + } + }, + "SecretBinary": { + "target": "com.amazonaws.secretsmanager#SecretBinaryType", + "traits": { + "smithy.api#documentation": "

(Optional) Specifies binary data that you want to encrypt and store in the new version of\n the secret. To use this parameter in the command-line tools, we recommend that you store your\n binary data in a file and then use the appropriate technique for your tool to pass the\n contents of the file as a parameter. Either SecretBinary or\n SecretString must have a value, but not both. They cannot both be empty.

\n \n

This parameter is not accessible if the secret using the Secrets Manager console.

\n

" + } + }, + "VersionStages": { + "target": "com.amazonaws.secretsmanager#SecretVersionStagesType", + "traits": { + "smithy.api#documentation": "

(Optional) Specifies a list of staging labels that are attached to this version of the\n secret. These staging labels are used to track the versions through the rotation process by\n the Lambda rotation function.

\n

A staging label must be unique to a single version of the secret. If you specify a staging\n label that's already associated with a different version of the same secret then that staging\n label is automatically removed from the other version and attached to this version.

\n

If you do not specify a value for VersionStages then Secrets Manager automatically\n moves the staging label AWSCURRENT to this new version.

" + } + } + } + }, + "com.amazonaws.secretsmanager#PutSecretValueResponse": { + "type": "structure", + "members": { + "ARN": { + "target": "com.amazonaws.secretsmanager#SecretARNType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (ARN) for the secret for which you just created a version.

" + } + }, + "VersionStages": { + "target": "com.amazonaws.secretsmanager#SecretVersionStagesType", + "traits": { + "smithy.api#documentation": "

The list of staging labels that are currently attached to this version of the secret.\n Staging labels are used to track a version as it progresses through the secret rotation\n process.

" + } + }, + "Name": { + "target": "com.amazonaws.secretsmanager#SecretNameType", + "traits": { + "smithy.api#documentation": "

The friendly name of the secret for which you just created or updated a version.

" + } + }, + "VersionId": { + "target": "com.amazonaws.secretsmanager#SecretVersionIdType", + "traits": { + "smithy.api#documentation": "

The unique identifier of the version of the secret you just created or updated.

" + } + } + } + }, + "com.amazonaws.secretsmanager#RandomPasswordType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 4096 + }, + "smithy.api#sensitive": {} + } + }, + "com.amazonaws.secretsmanager#RecoveryWindowInDaysType": { + "type": "long" + }, + "com.amazonaws.secretsmanager#RequireEachIncludedTypeType": { + "type": "boolean" + }, + "com.amazonaws.secretsmanager#ResourceExistsException": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.secretsmanager#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "

A resource with the ID you requested already exists.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.secretsmanager#ResourceNotFoundException": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.secretsmanager#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "

We can't find the resource that you asked for.

", + "smithy.api#error": "client" + } + }, + "com.amazonaws.secretsmanager#RestoreSecret": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#RestoreSecretRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#RestoreSecretResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidParameterException" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidRequestException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Cancels the scheduled deletion of a secret by removing the DeletedDate time\n stamp. This makes the secret accessible to query once again.

\n

\n Minimum permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n " + } + }, + "com.amazonaws.secretsmanager#RestoreSecretRequest": { + "type": "structure", + "members": { + "SecretId": { + "target": "com.amazonaws.secretsmanager#SecretIdType", + "traits": { + "smithy.api#documentation": "

Specifies the secret that you want to restore from a previously scheduled deletion. You\n can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.

\n \n

If you specify an ARN, we generally recommend that you specify a complete ARN. You can \n specify a partial ARN too—for example, if you don’t include the final hyphen and six random \n characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN \n match can work as long as it uniquely matches only one secret. However, if your secret has a \n name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six \n characters to the ARN) and you try to use that as a partial ARN, then those characters cause \n Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected \n results. To avoid this situation, we recommend that you don’t create secret names ending \n with a hyphen followed by six characters.

\n

If you specify an incomplete ARN without the random suffix, and instead provide the \n 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, \n you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

\n ", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.secretsmanager#RestoreSecretResponse": { + "type": "structure", + "members": { + "ARN": { + "target": "com.amazonaws.secretsmanager#SecretARNType", + "traits": { + "smithy.api#documentation": "

The ARN of the secret that was restored.

" + } + }, + "Name": { + "target": "com.amazonaws.secretsmanager#SecretNameType", + "traits": { + "smithy.api#documentation": "

The friendly name of the secret that was restored.

" + } + } + } + }, + "com.amazonaws.secretsmanager#RotateSecret": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#RotateSecretRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#RotateSecretResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidParameterException" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidRequestException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Configures and starts the asynchronous process of rotating this secret. If you include the\n configuration parameters, the operation sets those values for the secret and then immediately\n starts a rotation. If you do not include the configuration parameters, the operation starts a\n rotation with the values already stored in the secret. After the rotation completes, the\n protected service and its clients all use the new version of the secret.

\n

This required configuration information includes the ARN of an AWS Lambda function and\n the time between scheduled rotations. The Lambda rotation function creates a new version of\n the secret and creates or updates the credentials on the protected service to match. After\n testing the new credentials, the function marks the new secret with the staging label\n AWSCURRENT so that your clients all immediately begin to use the new version. For more\n information about rotating secrets and how to configure a Lambda function to rotate the\n secrets for your protected service, see Rotating Secrets in AWS Secrets Manager in the\n AWS Secrets Manager User Guide.

\n

Secrets Manager schedules the next rotation when the previous \n one completes. Secrets Manager schedules the date by adding the rotation interval (number of days) to the \n actual date of the last rotation. The service chooses the hour within that 24-hour date window \n randomly. The minute is also chosen somewhat randomly, but weighted towards the top of the hour \n and influenced by a variety of factors that help distribute load.

\n

The\n rotation function must end with the versions of the secret in one of two states:

\n \n

If the AWSPENDING staging label is present but not attached to the same version as\n AWSCURRENT then any later invocation of RotateSecret assumes that a previous\n rotation request is still in progress and returns an error.

\n

\n Minimum permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n " + } + }, + "com.amazonaws.secretsmanager#RotateSecretRequest": { + "type": "structure", + "members": { + "SecretId": { + "target": "com.amazonaws.secretsmanager#SecretIdType", + "traits": { + "smithy.api#documentation": "

Specifies the secret that you want to rotate. You can specify either the Amazon Resource\n Name (ARN) or the friendly name of the secret.

\n \n

If you specify an ARN, we generally recommend that you specify a complete ARN. You can \n specify a partial ARN too—for example, if you don’t include the final hyphen and six random \n characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN \n match can work as long as it uniquely matches only one secret. However, if your secret has a \n name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six \n characters to the ARN) and you try to use that as a partial ARN, then those characters cause \n Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected \n results. To avoid this situation, we recommend that you don’t create secret names ending \n with a hyphen followed by six characters.

\n

If you specify an incomplete ARN without the random suffix, and instead provide the \n 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, \n you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

\n ", + "smithy.api#required": {} + } + }, + "ClientRequestToken": { + "target": "com.amazonaws.secretsmanager#ClientRequestTokenType", + "traits": { + "smithy.api#documentation": "

(Optional) Specifies a unique identifier for the new version of the secret that helps\n ensure idempotency.

\n

If you use the AWS CLI or one of the AWS SDK to call this operation, then you can\n leave this parameter empty. The CLI or SDK generates a random UUID for you and includes that\n in the request for this parameter. If you don't use the SDK and instead generate a raw HTTP\n request to the Secrets Manager service endpoint, then you must generate a\n ClientRequestToken yourself for new versions and include that value in the\n request.

\n

You only need to specify your own value if you implement your own retry logic and want to\n ensure that a given secret is not created twice. We recommend that you generate a UUID-type value to\n ensure uniqueness within the specified secret.

\n

Secrets Manager uses this value to prevent the accidental creation of duplicate versions if\n there are failures and retries during the function's processing. This value becomes the\n VersionId of the new version.

", + "smithy.api#idempotencyToken": {} + } + }, + "RotationRules": { + "target": "com.amazonaws.secretsmanager#RotationRulesType", + "traits": { + "smithy.api#documentation": "

A structure that defines the rotation configuration for this secret.

" + } + }, + "RotationLambdaARN": { + "target": "com.amazonaws.secretsmanager#RotationLambdaARNType", + "traits": { + "smithy.api#documentation": "

(Optional) Specifies the ARN of the Lambda function that can rotate the secret.

" + } + } + } + }, + "com.amazonaws.secretsmanager#RotateSecretResponse": { + "type": "structure", + "members": { + "ARN": { + "target": "com.amazonaws.secretsmanager#SecretARNType", + "traits": { + "smithy.api#documentation": "

The ARN of the secret.

" + } + }, + "Name": { + "target": "com.amazonaws.secretsmanager#SecretNameType", + "traits": { + "smithy.api#documentation": "

The friendly name of the secret.

" + } + }, + "VersionId": { + "target": "com.amazonaws.secretsmanager#SecretVersionIdType", + "traits": { + "smithy.api#documentation": "

The ID of the new version of the secret created by the rotation started by this\n request.

" + } + } + } + }, + "com.amazonaws.secretsmanager#RotationEnabledType": { + "type": "boolean" + }, + "com.amazonaws.secretsmanager#RotationLambdaARNType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 2048 + } + } + }, + "com.amazonaws.secretsmanager#RotationRulesType": { + "type": "structure", + "members": { + "AutomaticallyAfterDays": { + "target": "com.amazonaws.secretsmanager#AutomaticallyRotateAfterDaysType", + "traits": { + "smithy.api#box": {}, + "smithy.api#documentation": "

Specifies the number of days between automatic scheduled rotations of the secret.

\n

Secrets Manager schedules the next rotation when the previous \n one is complete. Secrets Manager schedules the date by adding the rotation interval (number of days) to the \n actual date of the last rotation. The service chooses the hour within that 24-hour date window \n randomly. The minute is also chosen somewhat randomly, but weighted towards the top of the hour \n and influenced by a variety of factors that help distribute load.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

A structure that defines the rotation configuration for the secret.

" + } + }, + "com.amazonaws.secretsmanager#SecretARNType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 20, + "max": 2048 + } + } + }, + "com.amazonaws.secretsmanager#SecretBinaryType": { + "type": "blob", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 65536 + }, + "smithy.api#sensitive": {} + } + }, + "com.amazonaws.secretsmanager#SecretIdType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 2048 + } + } + }, + "com.amazonaws.secretsmanager#SecretListEntry": { + "type": "structure", + "members": { + "LastRotatedDate": { + "target": "com.amazonaws.secretsmanager#LastRotatedDateType", + "traits": { + "smithy.api#documentation": "

The last date and time that the rotation process for this secret was invoked.

" + } + }, + "Description": { + "target": "com.amazonaws.secretsmanager#DescriptionType", + "traits": { + "smithy.api#documentation": "

The user-provided description of the secret.

" + } + }, + "KmsKeyId": { + "target": "com.amazonaws.secretsmanager#KmsKeyIdType", + "traits": { + "smithy.api#documentation": "

The ARN or alias of the AWS KMS customer master key (CMK) used to encrypt the\n SecretString and SecretBinary fields in each version of the\n secret. If you don't provide a key, then Secrets Manager defaults to encrypting the secret fields with\n the default KMS CMK, the key named awssecretsmanager, for this account.

" + } + }, + "SecretVersionsToStages": { + "target": "com.amazonaws.secretsmanager#SecretVersionsToStagesMapType", + "traits": { + "smithy.api#documentation": "

A list of all of the currently assigned SecretVersionStage staging labels and\n the SecretVersionId attached to each one. Staging labels are used to keep\n track of the different versions during the rotation process.

\n \n

A version that does not have any SecretVersionStage is considered\n deprecated and subject to deletion. Such versions are not included in this list.

\n " + } + }, + "CreatedDate": { + "target": "com.amazonaws.secretsmanager#TimestampType", + "traits": { + "smithy.api#documentation": "

The date and time when a secret was created.

" + } + }, + "DeletedDate": { + "target": "com.amazonaws.secretsmanager#DeletedDateType", + "traits": { + "smithy.api#documentation": "

The date and time the deletion of the secret occurred. Not present on active secrets. The\n secret can be recovered until the number of days in the recovery window has passed, as\n specified in the RecoveryWindowInDays parameter of the DeleteSecret operation.

" + } + }, + "ARN": { + "target": "com.amazonaws.secretsmanager#SecretARNType", + "traits": { + "smithy.api#documentation": "

The Amazon Resource Name (ARN) of the secret.

\n

For more information about ARNs in Secrets Manager, see Policy Resources in the\n AWS Secrets Manager User Guide.

" + } + }, + "OwningService": { + "target": "com.amazonaws.secretsmanager#OwningServiceType", + "traits": { + "smithy.api#documentation": "

Returns the name of the service that created the secret.

" + } + }, + "RotationLambdaARN": { + "target": "com.amazonaws.secretsmanager#RotationLambdaARNType", + "traits": { + "smithy.api#documentation": "

The ARN of an AWS Lambda function invoked by Secrets Manager to rotate and expire the\n secret either automatically per the schedule or manually by a call to RotateSecret.

" + } + }, + "Tags": { + "target": "com.amazonaws.secretsmanager#TagListType", + "traits": { + "smithy.api#documentation": "

The list of user-defined tags associated with the secret. To add tags to a\n secret, use TagResource. To remove tags, use UntagResource.

" + } + }, + "RotationEnabled": { + "target": "com.amazonaws.secretsmanager#RotationEnabledType", + "traits": { + "smithy.api#box": {}, + "smithy.api#documentation": "

Indicates whether automatic, scheduled rotation is enabled for this secret.

" + } + }, + "LastAccessedDate": { + "target": "com.amazonaws.secretsmanager#LastAccessedDateType", + "traits": { + "smithy.api#documentation": "

The last date that this secret was accessed. This value is truncated to midnight of the\n date and therefore shows only the date, not the time.

" + } + }, + "LastChangedDate": { + "target": "com.amazonaws.secretsmanager#LastChangedDateType", + "traits": { + "smithy.api#documentation": "

The last date and time that this secret was modified in any way.

" + } + }, + "RotationRules": { + "target": "com.amazonaws.secretsmanager#RotationRulesType", + "traits": { + "smithy.api#documentation": "

A structure that defines the rotation configuration for the secret.

" + } + }, + "Name": { + "target": "com.amazonaws.secretsmanager#SecretNameType", + "traits": { + "smithy.api#documentation": "

The friendly name of the secret. You can use forward slashes in the name to represent a\n path hierarchy. For example, /prod/databases/dbserver1 could represent the secret\n for a server named dbserver1 in the folder databases in the folder\n prod.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

A structure that contains the details about a secret. It does not include the encrypted\n SecretString and SecretBinary values. To get those values, use the\n GetSecretValue operation.

" + } + }, + "com.amazonaws.secretsmanager#SecretListType": { + "type": "list", + "member": { + "target": "com.amazonaws.secretsmanager#SecretListEntry" + } + }, + "com.amazonaws.secretsmanager#SecretNameType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 256 + } + } + }, + "com.amazonaws.secretsmanager#SecretStringType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 65536 + }, + "smithy.api#sensitive": {} + } + }, + "com.amazonaws.secretsmanager#SecretVersionIdType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 32, + "max": 64 + } + } + }, + "com.amazonaws.secretsmanager#SecretVersionStageType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 256 + } + } + }, + "com.amazonaws.secretsmanager#SecretVersionStagesType": { + "type": "list", + "member": { + "target": "com.amazonaws.secretsmanager#SecretVersionStageType" + }, + "traits": { + "smithy.api#length": { + "min": 1, + "max": 20 + } + } + }, + "com.amazonaws.secretsmanager#SecretVersionsListEntry": { + "type": "structure", + "members": { + "VersionStages": { + "target": "com.amazonaws.secretsmanager#SecretVersionStagesType", + "traits": { + "smithy.api#documentation": "

An array of staging labels that are currently associated with this version of the\n secret.

" + } + }, + "CreatedDate": { + "target": "com.amazonaws.secretsmanager#CreatedDateType", + "traits": { + "smithy.api#documentation": "

The date and time this version of the secret was created.

" + } + }, + "VersionId": { + "target": "com.amazonaws.secretsmanager#SecretVersionIdType", + "traits": { + "smithy.api#documentation": "

The unique version identifier of this version of the secret.

" + } + }, + "LastAccessedDate": { + "target": "com.amazonaws.secretsmanager#LastAccessedDateType", + "traits": { + "smithy.api#documentation": "

The date that this version of the secret was last accessed. Note that the resolution of\n this field is at the date level and does not include the time.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

A structure that contains information about one version of a secret.

" + } + }, + "com.amazonaws.secretsmanager#SecretVersionsListType": { + "type": "list", + "member": { + "target": "com.amazonaws.secretsmanager#SecretVersionsListEntry" + } + }, + "com.amazonaws.secretsmanager#SecretVersionsToStagesMapType": { + "type": "map", + "key": { + "target": "com.amazonaws.secretsmanager#SecretVersionIdType" + }, + "value": { + "target": "com.amazonaws.secretsmanager#SecretVersionStagesType" + } + }, + "com.amazonaws.secretsmanager#SortOrderType": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "asc", + "name": "asc" + }, + { + "value": "desc", + "name": "desc" + } + ] + } + }, + "com.amazonaws.secretsmanager#Tag": { + "type": "structure", + "members": { + "Value": { + "target": "com.amazonaws.secretsmanager#TagValueType", + "traits": { + "smithy.api#documentation": "

The string value associated with the key of the tag.

" + } + }, + "Key": { + "target": "com.amazonaws.secretsmanager#TagKeyType", + "traits": { + "smithy.api#documentation": "

The key identifier, or name, of the tag.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

A structure that contains information about a tag.

" + } + }, + "com.amazonaws.secretsmanager#TagKeyListType": { + "type": "list", + "member": { + "target": "com.amazonaws.secretsmanager#TagKeyType" + } + }, + "com.amazonaws.secretsmanager#TagKeyType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 128 + } + } + }, + "com.amazonaws.secretsmanager#TagListType": { + "type": "list", + "member": { + "target": "com.amazonaws.secretsmanager#Tag" + } + }, + "com.amazonaws.secretsmanager#TagResource": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#TagResourceRequest" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidParameterException" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidRequestException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Attaches one or more tags, each consisting of a key name and a value, to the specified\n secret. Tags are part of the secret's overall metadata, and are not associated with any\n specific version of the secret. This operation only appends tags to the existing list of tags.\n To remove tags, you must use UntagResource.

\n

The following basic restrictions apply to tags:

\n \n \n

If you use tags as part of your security strategy, then adding or removing a tag can\n change permissions. If successfully completing this operation would result in you losing\n your permissions for this secret, then the operation is blocked and returns an Access Denied\n error.

\n \n

\n Minimum permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n " + } + }, + "com.amazonaws.secretsmanager#TagResourceRequest": { + "type": "structure", + "members": { + "SecretId": { + "target": "com.amazonaws.secretsmanager#SecretIdType", + "traits": { + "smithy.api#documentation": "

The identifier for the secret that you want to attach tags to. You can specify either the\n Amazon Resource Name (ARN) or the friendly name of the secret.

\n \n

If you specify an ARN, we generally recommend that you specify a complete ARN. You can \n specify a partial ARN too—for example, if you don’t include the final hyphen and six random \n characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN \n match can work as long as it uniquely matches only one secret. However, if your secret has a \n name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six \n characters to the ARN) and you try to use that as a partial ARN, then those characters cause \n Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected \n results. To avoid this situation, we recommend that you don’t create secret names ending \n with a hyphen followed by six characters.

\n

If you specify an incomplete ARN without the random suffix, and instead provide the \n 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, \n you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

\n ", + "smithy.api#required": {} + } + }, + "Tags": { + "target": "com.amazonaws.secretsmanager#TagListType", + "traits": { + "smithy.api#documentation": "

The tags to attach to the secret. Each element in the list consists of a Key\n and a Value.

\n

This parameter to the API requires a JSON text string argument. For information on how to\n format a JSON parameter for the various command line tool environments, see Using JSON for Parameters in the AWS CLI User Guide. For the\n AWS CLI, you can also use the syntax: --Tags\n Key=\"Key1\",Value=\"Value1\",Key=\"Key2\",Value=\"Value2\"[,…]\n

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.secretsmanager#TagValueType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 256 + } + } + }, + "com.amazonaws.secretsmanager#TimestampType": { + "type": "timestamp" + }, + "com.amazonaws.secretsmanager#UntagResource": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#UntagResourceRequest" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidParameterException" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidRequestException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Removes one or more tags from the specified secret.

\n

This operation is idempotent. If a requested tag is not attached to the secret, no error\n is returned and the secret metadata is unchanged.

\n \n

If you use tags as part of your security strategy, then removing a tag can change\n permissions. If successfully completing this operation would result in you losing your\n permissions for this secret, then the operation is blocked and returns an Access Denied\n error.

\n \n

\n Minimum permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n " + } + }, + "com.amazonaws.secretsmanager#UntagResourceRequest": { + "type": "structure", + "members": { + "TagKeys": { + "target": "com.amazonaws.secretsmanager#TagKeyListType", + "traits": { + "smithy.api#documentation": "

A list of tag key names to remove from the secret. You don't specify the value. Both the\n key and its associated value are removed.

\n

This parameter to the API requires a JSON text string argument. For information on how to\n format a JSON parameter for the various command line tool environments, see Using JSON for Parameters in the AWS CLI User Guide.

", + "smithy.api#required": {} + } + }, + "SecretId": { + "target": "com.amazonaws.secretsmanager#SecretIdType", + "traits": { + "smithy.api#documentation": "

The identifier for the secret that you want to remove tags from. You can specify either\n the Amazon Resource Name (ARN) or the friendly name of the secret.

\n \n

If you specify an ARN, we generally recommend that you specify a complete ARN. You can \n specify a partial ARN too—for example, if you don’t include the final hyphen and six random \n characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN \n match can work as long as it uniquely matches only one secret. However, if your secret has a \n name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six \n characters to the ARN) and you try to use that as a partial ARN, then those characters cause \n Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected \n results. To avoid this situation, we recommend that you don’t create secret names ending \n with a hyphen followed by six characters.

\n

If you specify an incomplete ARN without the random suffix, and instead provide the \n 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, \n you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

\n ", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.secretsmanager#UpdateSecret": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#UpdateSecretRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#UpdateSecretResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#EncryptionFailure" + }, + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidParameterException" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidRequestException" + }, + { + "target": "com.amazonaws.secretsmanager#LimitExceededException" + }, + { + "target": "com.amazonaws.secretsmanager#MalformedPolicyDocumentException" + }, + { + "target": "com.amazonaws.secretsmanager#PreconditionNotMetException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceExistsException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Modifies many of the details of the specified secret. If you include a\n ClientRequestToken and either\n SecretString or SecretBinary then it also creates a new version\n attached to the secret.

\n

To modify the rotation configuration of a secret, use RotateSecret\n instead.

\n \n

The Secrets Manager console uses only the SecretString parameter and therefore limits\n you to encrypting and storing only a text string. To encrypt and store binary data as part\n of the version of a secret, you must use either the AWS CLI or one of the AWS\n SDKs.

\n \n \n \n \n \n

\n Minimum permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n " + } + }, + "com.amazonaws.secretsmanager#UpdateSecretRequest": { + "type": "structure", + "members": { + "SecretString": { + "target": "com.amazonaws.secretsmanager#SecretStringType", + "traits": { + "smithy.api#documentation": "

(Optional) Specifies updated text data that you want to encrypt and store in this new\n version of the secret. Either SecretBinary or SecretString must have\n a value, but not both. They cannot both be empty.

\n

If you create this secret by using the Secrets Manager console then Secrets Manager puts the\n protected secret text in only the SecretString parameter. The Secrets Manager console\n stores the information as a JSON structure of key/value pairs that the default Lambda rotation\n function knows how to parse.

\n

For storing multiple values, we recommend that you use a JSON text string argument and\n specify key/value pairs. For information on how to format a JSON parameter for the various\n command line tool environments, see Using JSON for\n Parameters in the AWS CLI User Guide. For example:

\n

\n [{\"username\":\"bob\"},{\"password\":\"abc123xyz456\"}]\n

\n

If your command-line tool or SDK requires quotation marks around the parameter, you should\n use single quotes to avoid confusion with the double quotes required in the JSON text. You can\n also 'escape' the double quote character in the embedded JSON text by prefacing each with a\n backslash. For example, the following string is surrounded by double-quotes. All of the\n embedded double quotes are escaped:

\n

\n \"[{\\\"username\\\":\\\"bob\\\"},{\\\"password\\\":\\\"abc123xyz456\\\"}]\"\n

" + } + }, + "KmsKeyId": { + "target": "com.amazonaws.secretsmanager#KmsKeyIdType", + "traits": { + "smithy.api#documentation": "

(Optional) Specifies an updated ARN or alias of the AWS KMS customer master key (CMK) to be\n used to encrypt the protected text in new versions of this secret.

\n \n

You can only use the account's default CMK to encrypt and decrypt if you call this\n operation using credentials from the same account that owns the secret. If the secret is in\n a different account, then you must create a custom CMK and provide the ARN of that CMK in\n this field. The user making the call must have permissions to both the secret and the CMK in\n their respective accounts.

\n " + } + }, + "SecretId": { + "target": "com.amazonaws.secretsmanager#SecretIdType", + "traits": { + "smithy.api#documentation": "

Specifies the secret that you want to modify or to which you want to add a new version.\n You can specify either the Amazon Resource Name (ARN) or the friendly name of the\n secret.

\n \n

If you specify an ARN, we generally recommend that you specify a complete ARN. You can \n specify a partial ARN too—for example, if you don’t include the final hyphen and six random \n characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN \n match can work as long as it uniquely matches only one secret. However, if your secret has a \n name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six \n characters to the ARN) and you try to use that as a partial ARN, then those characters cause \n Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected \n results. To avoid this situation, we recommend that you don’t create secret names ending \n with a hyphen followed by six characters.

\n

If you specify an incomplete ARN without the random suffix, and instead provide the \n 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, \n you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

\n ", + "smithy.api#required": {} + } + }, + "Description": { + "target": "com.amazonaws.secretsmanager#DescriptionType", + "traits": { + "smithy.api#documentation": "

(Optional) Specifies an updated user-provided description of the secret.

" + } + }, + "ClientRequestToken": { + "target": "com.amazonaws.secretsmanager#ClientRequestTokenType", + "traits": { + "smithy.api#documentation": "

(Optional) If you want to add a new version to the secret, this parameter specifies a\n unique identifier for the new version that helps ensure idempotency.

\n

If you use the AWS CLI or one of the AWS SDK to call this operation, then you can\n leave this parameter empty. The CLI or SDK generates a random UUID for you and includes that\n in the request. If you don't use the SDK and instead generate a raw HTTP request to the Secrets Manager\n service endpoint, then you must generate a ClientRequestToken yourself for new\n versions and include that value in the request.

\n

You typically only need to interact with this value if you implement your own retry logic\n and want to ensure that a given secret is not created twice. We recommend that you generate a\n UUID-type\n value to ensure uniqueness within the specified secret.

\n

Secrets Manager uses this value to prevent the accidental creation of duplicate versions if\n there are failures and retries during the Lambda rotation function's processing.

\n \n

This value becomes the VersionId of the new version.

", + "smithy.api#idempotencyToken": {} + } + }, + "SecretBinary": { + "target": "com.amazonaws.secretsmanager#SecretBinaryType", + "traits": { + "smithy.api#documentation": "

(Optional) Specifies updated binary data that you want to encrypt and store in the new\n version of the secret. To use this parameter in the command-line tools, we recommend that you\n store your binary data in a file and then use the appropriate technique for your tool to pass\n the contents of the file as a parameter. Either SecretBinary or\n SecretString must have a value, but not both. They cannot both be empty.

\n

This parameter is not accessible using the Secrets Manager console.

" + } + } + } + }, + "com.amazonaws.secretsmanager#UpdateSecretResponse": { + "type": "structure", + "members": { + "Name": { + "target": "com.amazonaws.secretsmanager#SecretNameType", + "traits": { + "smithy.api#documentation": "

The friendly name of the secret that was updated.

" + } + }, + "VersionId": { + "target": "com.amazonaws.secretsmanager#SecretVersionIdType", + "traits": { + "smithy.api#documentation": "

If a new version of the secret was created by this operation, then VersionId\n contains the unique identifier of the new version.

" + } + }, + "ARN": { + "target": "com.amazonaws.secretsmanager#SecretARNType", + "traits": { + "smithy.api#documentation": "

The ARN of the secret that was updated.

\n \n

Secrets Manager automatically adds several random characters to the name at the end of the ARN when\n you initially create a secret. This affects only the ARN and not the actual friendly name. \n This ensures that if you create a new secret with the same name as an old secret that you \n previously deleted, then users with access to the old secret don't \n automatically get access to the new secret because the ARNs are different.

\n " + } + } + } + }, + "com.amazonaws.secretsmanager#UpdateSecretVersionStage": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#UpdateSecretVersionStageRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#UpdateSecretVersionStageResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidParameterException" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidRequestException" + }, + { + "target": "com.amazonaws.secretsmanager#LimitExceededException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Modifies the staging labels attached to a version of a secret. Staging labels are used to\n track a version as it progresses through the secret rotation process. You can attach a staging\n label to only one version of a secret at a time. If a staging label to be added is already\n attached to another version, then it is moved--removed from the other version first and\n then attached to this one. For more information about staging labels, see Staging\n Labels in the AWS Secrets Manager User Guide.

\n

The staging labels that you specify in the VersionStage parameter are added\n to the existing list of staging labels--they don't replace it.

\n

You can move the AWSCURRENT staging label to this version by including it in this\n call.

\n \n

Whenever you move AWSCURRENT, Secrets Manager automatically moves the label AWSPREVIOUS\n to the version that AWSCURRENT was removed from.

\n \n

If this action results in the last label being removed from a version, then the version is\n considered to be 'deprecated' and can be deleted by Secrets Manager.

\n

\n Minimum permissions\n

\n

To run this command, you must have the following permissions:

\n \n

\n Related operations\n

\n " + } + }, + "com.amazonaws.secretsmanager#UpdateSecretVersionStageRequest": { + "type": "structure", + "members": { + "MoveToVersionId": { + "target": "com.amazonaws.secretsmanager#SecretVersionIdType", + "traits": { + "smithy.api#documentation": "

(Optional) The secret version ID that you want to add the staging label. If you want to\n remove a label from a version, then do not specify this parameter.

\n

If the staging label is already attached to a different version of the secret, then you\n must also specify the RemoveFromVersionId parameter.

" + } + }, + "SecretId": { + "target": "com.amazonaws.secretsmanager#SecretIdType", + "traits": { + "smithy.api#documentation": "

Specifies the secret with the version with the list of staging labels you want to modify.\n You can specify either the Amazon Resource Name (ARN) or the friendly name of the\n secret.

\n \n

If you specify an ARN, we generally recommend that you specify a complete ARN. You can \n specify a partial ARN too—for example, if you don’t include the final hyphen and six random \n characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN \n match can work as long as it uniquely matches only one secret. However, if your secret has a \n name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six \n characters to the ARN) and you try to use that as a partial ARN, then those characters cause \n Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected \n results. To avoid this situation, we recommend that you don’t create secret names ending \n with a hyphen followed by six characters.

\n

If you specify an incomplete ARN without the random suffix, and instead provide the \n 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, \n you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

\n ", + "smithy.api#required": {} + } + }, + "RemoveFromVersionId": { + "target": "com.amazonaws.secretsmanager#SecretVersionIdType", + "traits": { + "smithy.api#documentation": "

Specifies the secret version ID of the version that the staging label is to be removed\n from. If the staging label you are trying to attach to one version is already attached to a\n different version, then you must include this parameter and specify the version that the label\n is to be removed from. If the label is attached and you either do not specify this parameter,\n or the version ID does not match, then the operation fails.

" + } + }, + "VersionStage": { + "target": "com.amazonaws.secretsmanager#SecretVersionStageType", + "traits": { + "smithy.api#documentation": "

The staging label to add to this version.

", + "smithy.api#required": {} + } + } + } + }, + "com.amazonaws.secretsmanager#UpdateSecretVersionStageResponse": { + "type": "structure", + "members": { + "ARN": { + "target": "com.amazonaws.secretsmanager#SecretARNType", + "traits": { + "smithy.api#documentation": "

The ARN of the secret with the modified staging label.

" + } + }, + "Name": { + "target": "com.amazonaws.secretsmanager#SecretNameType", + "traits": { + "smithy.api#documentation": "

The friendly name of the secret with the modified staging label.

" + } + } + } + }, + "com.amazonaws.secretsmanager#ValidateResourcePolicy": { + "type": "operation", + "input": { + "target": "com.amazonaws.secretsmanager#ValidateResourcePolicyRequest" + }, + "output": { + "target": "com.amazonaws.secretsmanager#ValidateResourcePolicyResponse" + }, + "errors": [ + { + "target": "com.amazonaws.secretsmanager#InternalServiceError" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidParameterException" + }, + { + "target": "com.amazonaws.secretsmanager#InvalidRequestException" + }, + { + "target": "com.amazonaws.secretsmanager#MalformedPolicyDocumentException" + }, + { + "target": "com.amazonaws.secretsmanager#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "

Validates the JSON text of the resource-based policy document attached to the\n specified secret. The JSON request string input and response output displays formatted code\n with white space and line breaks for better readability. Submit your input as a single line \n JSON string. A resource-based\n policy is optional.

" + } + }, + "com.amazonaws.secretsmanager#ValidateResourcePolicyRequest": { + "type": "structure", + "members": { + "ResourcePolicy": { + "target": "com.amazonaws.secretsmanager#NonEmptyResourcePolicyType", + "traits": { + "smithy.api#documentation": "

Identifies the Resource Policy attached to the secret.

", + "smithy.api#required": {} + } + }, + "SecretId": { + "target": "com.amazonaws.secretsmanager#SecretIdType", + "traits": { + "smithy.api#documentation": "

The identifier for the secret that you want to validate a resource policy. You can specify either\n the Amazon Resource Name (ARN) or the friendly name of the secret.

\n \n

If you specify an ARN, we generally recommend that you specify a complete ARN. You can \n specify a partial ARN too—for example, if you don’t include the final hyphen and six random \n characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN \n match can work as long as it uniquely matches only one secret. However, if your secret has a \n name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six \n characters to the ARN) and you try to use that as a partial ARN, then those characters cause \n Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected \n results. To avoid this situation, we recommend that you don’t create secret names ending \n with a hyphen followed by six characters.

\n

If you specify an incomplete ARN without the random suffix, and instead provide the \n 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, \n you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

\n " + } + } + } + }, + "com.amazonaws.secretsmanager#ValidateResourcePolicyResponse": { + "type": "structure", + "members": { + "ValidationErrors": { + "target": "com.amazonaws.secretsmanager#ValidationErrorsType", + "traits": { + "smithy.api#documentation": "

Returns an error message if your policy doesn't pass validatation.

" + } + }, + "PolicyValidationPassed": { + "target": "com.amazonaws.secretsmanager#BooleanType", + "traits": { + "smithy.api#documentation": "

Returns a message stating that your Reource Policy passed validation.

" + } + } + } + }, + "com.amazonaws.secretsmanager#ValidationErrorsEntry": { + "type": "structure", + "members": { + "ErrorMessage": { + "target": "com.amazonaws.secretsmanager#ErrorMessage", + "traits": { + "smithy.api#documentation": "

Displays error messages if validation encounters problems during validation of the resource policy.

" + } + }, + "CheckName": { + "target": "com.amazonaws.secretsmanager#NameType", + "traits": { + "smithy.api#documentation": "

Checks the name of the policy.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Displays errors that occurred during validation of the resource policy.

" + } + }, + "com.amazonaws.secretsmanager#ValidationErrorsType": { + "type": "list", + "member": { + "target": "com.amazonaws.secretsmanager#ValidationErrorsEntry" + } + }, + "com.amazonaws.secretsmanager#secretsmanager": { + "type": "service", + "version": "2017-10-17", + "operations": [ + { + "target": "com.amazonaws.secretsmanager#CancelRotateSecret" + }, + { + "target": "com.amazonaws.secretsmanager#CreateSecret" + }, + { + "target": "com.amazonaws.secretsmanager#DeleteResourcePolicy" + }, + { + "target": "com.amazonaws.secretsmanager#DeleteSecret" + }, + { + "target": "com.amazonaws.secretsmanager#DescribeSecret" + }, + { + "target": "com.amazonaws.secretsmanager#GetRandomPassword" + }, + { + "target": "com.amazonaws.secretsmanager#GetResourcePolicy" + }, + { + "target": "com.amazonaws.secretsmanager#GetSecretValue" + }, + { + "target": "com.amazonaws.secretsmanager#ListSecrets" + }, + { + "target": "com.amazonaws.secretsmanager#ListSecretVersionIds" + }, + { + "target": "com.amazonaws.secretsmanager#PutResourcePolicy" + }, + { + "target": "com.amazonaws.secretsmanager#PutSecretValue" + }, + { + "target": "com.amazonaws.secretsmanager#RestoreSecret" + }, + { + "target": "com.amazonaws.secretsmanager#RotateSecret" + }, + { + "target": "com.amazonaws.secretsmanager#TagResource" + }, + { + "target": "com.amazonaws.secretsmanager#UntagResource" + }, + { + "target": "com.amazonaws.secretsmanager#UpdateSecret" + }, + { + "target": "com.amazonaws.secretsmanager#UpdateSecretVersionStage" + }, + { + "target": "com.amazonaws.secretsmanager#ValidateResourcePolicy" + } + ], + "traits": { + "aws.api#service": { + "sdkId": "Secrets Manager", + "arnNamespace": "secretsmanager", + "cloudFormationName": "SecretsManager", + "cloudTrailEventSource": "secretsmanager.amazonaws.com" + }, + "aws.auth#sigv4": { + "name": "secretsmanager" + }, + "aws.protocols#awsJson1_1": {}, + "smithy.api#documentation": "AWS Secrets Manager API Reference\n

AWS Secrets Manager provides a service to enable you to store, manage, and retrieve, secrets.

\n\n

This guide provides descriptions of the Secrets Manager API. For more information about using this\n service, see the AWS Secrets Manager User Guide.

\n\n

\n API Version\n

\n\n

This version of the Secrets Manager API Reference documents the Secrets Manager API version 2017-10-17.

\n \n

As an alternative to using the API, you can use one of the AWS SDKs, which consist of\n libraries and sample code for various programming languages and platforms such as Java,\n Ruby, .NET, iOS, and Android. The SDKs provide a convenient way to create programmatic\n access to AWS Secrets Manager. For example, the SDKs provide cryptographically signing requests,\n managing errors, and retrying requests automatically. For more information about the AWS\n SDKs, including downloading and installing them, see Tools for Amazon Web Services.

\n \n

We recommend you use the AWS SDKs to make programmatic API calls to Secrets Manager. However, you\n also can use the Secrets Manager HTTP Query API to make direct calls to the Secrets Manager web service. To learn\n more about the Secrets Manager HTTP Query API, see Making Query Requests in the\n AWS Secrets Manager User Guide.

\n

Secrets Manager API supports GET and POST requests for all actions, and doesn't require you to use\n GET for some actions and POST for others. However, GET requests are subject to the limitation\n size of a URL. Therefore, for operations that require larger sizes, use a POST request.

\n\n \n\n \n \n \n\n

\n Support and Feedback for AWS Secrets Manager\n

\n\n

We welcome your feedback. Send your comments to awssecretsmanager-feedback@amazon.com, or post your feedback and questions in the AWS Secrets Manager Discussion Forum. For more\n information about the AWS Discussion Forums, see Forums\n Help.

\n\n

\n How examples are presented\n

\n\n

The JSON that AWS Secrets Manager expects as your request parameters and the service returns as a\n response to HTTP query requests contain single, long strings without line breaks or white\n space formatting. The JSON shown in the examples displays the code formatted with both line\n breaks and white space to improve readability. When example input parameters can also cause\n long strings extending beyond the screen, you can insert line breaks to enhance readability.\n You should always submit the input as a single JSON text string.

\n\n\n

\n Logging API Requests\n

\n

AWS Secrets Manager supports AWS CloudTrail, a service that records AWS API calls for your AWS\n account and delivers log files to an Amazon S3 bucket. By using information that's collected\n by AWS CloudTrail, you can determine the requests successfully made to Secrets Manager, who made the\n request, when it was made, and so on. For more about AWS Secrets Manager and support for AWS\n CloudTrail, see Logging\n AWS Secrets Manager Events with AWS CloudTrail in the AWS Secrets Manager User Guide.\n To learn more about CloudTrail, including enabling it and find your log files, see the AWS CloudTrail User Guide.

", + "smithy.api#title": "AWS Secrets Manager" + } + } + } +} diff --git a/codegen/src/main/kotlin/software/amazon/smithy/rust/codegen/smithy/generators/LibRsGenerator.kt b/codegen/src/main/kotlin/software/amazon/smithy/rust/codegen/smithy/generators/LibRsGenerator.kt index 07a78be9c1fbdf913e0ad98344e0dc79f51997b4..3e3afd86d97a1f56bae6dbd9192151d15f716426 100644 --- a/codegen/src/main/kotlin/software/amazon/smithy/rust/codegen/smithy/generators/LibRsGenerator.kt +++ b/codegen/src/main/kotlin/software/amazon/smithy/rust/codegen/smithy/generators/LibRsGenerator.kt @@ -7,10 +7,11 @@ package software.amazon.smithy.rust.codegen.smithy.generators import software.amazon.smithy.rust.codegen.rustlang.RustModule import software.amazon.smithy.rust.codegen.rustlang.RustWriter +import software.amazon.smithy.rust.codegen.rustlang.escape class LibRsGenerator(private val libraryDocs: String, private val modules: List) { fun render(writer: RustWriter) { - writer.setHeaderDocs(libraryDocs) + writer.setHeaderDocs(writer.escape(libraryDocs)) modules.forEach { it.render(writer) } } }