/**
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 * SPDX-License-Identifier: Apache-2.0.
 */

#pragma once
#include
#include
#include
#include
#include
#include
#include
#include
#include

namespace Aws
{
namespace KMS
{
namespace Model
{

  /**
   */
  class CreateKeyRequest : public KMSRequest
  {
  public:
    AWS_KMS_API CreateKeyRequest();

    // Service request name is the Operation name which will send this request out,
    // each operation should have a unique request name, so that we can get the operation's name from this request.
    // Note: this is not true for response, multiple operations may have the same response name,
    // so we can not get the operation's name from the response.
    inline virtual const char* GetServiceRequestName() const override { return "CreateKey"; }

    AWS_KMS_API Aws::String SerializePayload() const override;

    AWS_KMS_API Aws::Http::HeaderValueCollection GetRequestSpecificHeaders() const override;

    /**

     * The key policy to attach to the KMS key.
     *
     * If you provide a key policy, it must meet the following criteria:
     *
     *   • The key policy must allow the calling principal to make a subsequent
     *     PutKeyPolicy request on the KMS key. This reduces the risk that the
     *     KMS key becomes unmanageable. For more information, see Default key
     *     policy in the Key Management Service Developer Guide. (To omit this
     *     condition, set BypassPolicyLockoutSafetyCheck to true.)
     *
     *   • Each statement in the key policy must contain one or more principals.
     *     The principals in the key policy must exist and be visible to KMS.
     *     When you create a new Amazon Web Services principal, you might need to
     *     enforce a delay before including the new principal in a key policy
     *     because the new principal might not be immediately visible to KMS. For
     *     more information, see Changes that I make are not always immediately
     *     visible in the Amazon Web Services Identity and Access Management User
     *     Guide.
     *
     * If you do not provide a key policy, KMS attaches a default key policy to
     * the KMS key. For more information, see Default key policy in the Key
     * Management Service Developer Guide.
     *
     * The key policy size quota is 32 kilobytes (32768 bytes).
     *
     * For help writing and formatting a JSON policy document, see the IAM JSON
     * Policy Reference in the Identity and Access Management User Guide.
     */
    inline const Aws::String& GetPolicy() const { return m_policy; }
    inline bool PolicyHasBeenSet() const { return m_policyHasBeenSet; }
    inline void SetPolicy(const Aws::String& value) { m_policyHasBeenSet = true; m_policy = value; }
    inline void SetPolicy(Aws::String&& value) { m_policyHasBeenSet = true; m_policy = std::move(value); }
    inline void SetPolicy(const char* value) { m_policyHasBeenSet = true; m_policy.assign(value); }
    inline CreateKeyRequest& WithPolicy(const Aws::String& value) { SetPolicy(value); return *this; }
    inline CreateKeyRequest& WithPolicy(Aws::String&& value) { SetPolicy(std::move(value)); return *this; }
    inline CreateKeyRequest& WithPolicy(const char* value) { SetPolicy(value); return *this; }

    /**

     * A description of the KMS key. Use a description that helps you decide
     * whether the KMS key is appropriate for a task. The default value is an
     * empty string (no description).
     *
     * Do not include confidential or sensitive information in this field. This
     * field may be displayed in plaintext in CloudTrail logs and other output.
     *
     * To set or change the description after the key is created, use
     * UpdateKeyDescription.
     */
    inline const Aws::String& GetDescription() const { return m_description; }
    inline bool DescriptionHasBeenSet() const { return m_descriptionHasBeenSet; }
    inline void SetDescription(const Aws::String& value) { m_descriptionHasBeenSet = true; m_description = value; }
    inline void SetDescription(Aws::String&& value) { m_descriptionHasBeenSet = true; m_description = std::move(value); }
    inline void SetDescription(const char* value) { m_descriptionHasBeenSet = true; m_description.assign(value); }
    inline CreateKeyRequest& WithDescription(const Aws::String& value) { SetDescription(value); return *this; }
    inline CreateKeyRequest& WithDescription(Aws::String&& value) { SetDescription(std::move(value)); return *this; }
    inline CreateKeyRequest& WithDescription(const char* value) { SetDescription(value); return *this; }

    /**

     * Determines the cryptographic operations for which you can use the KMS key.
     * The default value is ENCRYPT_DECRYPT. This parameter is optional when you
     * are creating a symmetric encryption KMS key; otherwise, it is required.
     * You can't change the KeyUsage value after the KMS key is created.
     *
     * Select only one valid value.
     *
     *   • For symmetric encryption KMS keys, omit the parameter or specify
     *     ENCRYPT_DECRYPT.
     *   • For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC.
     *   • For asymmetric KMS keys with RSA key material, specify
     *     ENCRYPT_DECRYPT or SIGN_VERIFY.
     *   • For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY.
     *   • For asymmetric KMS keys with SM2 key material (China Regions only),
     *     specify ENCRYPT_DECRYPT or SIGN_VERIFY.
     */
    inline const KeyUsageType& GetKeyUsage() const { return m_keyUsage; }
    inline bool KeyUsageHasBeenSet() const { return m_keyUsageHasBeenSet; }
    inline void SetKeyUsage(const KeyUsageType& value) { m_keyUsageHasBeenSet = true; m_keyUsage = value; }
    inline void SetKeyUsage(KeyUsageType&& value) { m_keyUsageHasBeenSet = true; m_keyUsage = std::move(value); }
    inline CreateKeyRequest& WithKeyUsage(const KeyUsageType& value) { SetKeyUsage(value); return *this; }
    inline CreateKeyRequest& WithKeyUsage(KeyUsageType&& value) { SetKeyUsage(std::move(value)); return *this; }

    /**

Specifies the type of KMS key to create. The default value, * SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit AES-GCM key * that is used for encryption and decryption, except in China Regions, where it * creates a 128-bit symmetric key that uses SM4 encryption. For help choosing a * key spec for your KMS key, see Choosing * a KMS key type in the Key Management Service Developer Guide * .

The KeySpec determines whether the KMS key contains a * symmetric key or an asymmetric key pair. It also determines the algorithms that * the KMS key supports. You can't change the KeySpec after the KMS * key is created. To further restrict the algorithms that can be used with the KMS * key, use a condition key in its key policy or IAM policy. For more information, * see kms:EncryptionAlgorithm, * kms:MacAlgorithm * or kms:Signing * Algorithm in the Key Management Service Developer Guide .

*

Amazon Web * Services services that are integrated with KMS use symmetric encryption KMS * keys to protect your data. These services do not support asymmetric KMS keys or * HMAC KMS keys.

KMS supports the following key specs for KMS * keys:

  • Symmetric encryption key (default)

    • * SYMMETRIC_DEFAULT

  • HMAC keys * (symmetric)

    • HMAC_224

    • * HMAC_256

    • HMAC_384

    • *

      HMAC_512

  • Asymmetric RSA key * pairs

    • RSA_2048

    • * RSA_3072

    • RSA_4096

    *
  • Asymmetric NIST-recommended elliptic curve key pairs

    • *

      ECC_NIST_P256 (secp256r1)

    • * ECC_NIST_P384 (secp384r1)

    • * ECC_NIST_P521 (secp521r1)

  • Other * asymmetric elliptic curve key pairs

    • * ECC_SECG_P256K1 (secp256k1), commonly used for * cryptocurrencies.

  • SM2 key pairs (China Regions * only)

    • SM2

*/ inline const KeySpec& GetKeySpec() const{ return m_keySpec; } /** *

Specifies the type of KMS key to create. The default value, * SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit AES-GCM key * that is used for encryption and decryption, except in China Regions, where it * creates a 128-bit symmetric key that uses SM4 encryption. For help choosing a * key spec for your KMS key, see Choosing * a KMS key type in the Key Management Service Developer Guide * .

The KeySpec determines whether the KMS key contains a * symmetric key or an asymmetric key pair. It also determines the algorithms that * the KMS key supports. You can't change the KeySpec after the KMS * key is created. To further restrict the algorithms that can be used with the KMS * key, use a condition key in its key policy or IAM policy. For more information, * see kms:EncryptionAlgorithm, * kms:MacAlgorithm * or kms:Signing * Algorithm in the Key Management Service Developer Guide .

*

Amazon Web * Services services that are integrated with KMS use symmetric encryption KMS * keys to protect your data. These services do not support asymmetric KMS keys or * HMAC KMS keys.

KMS supports the following key specs for KMS * keys:

  • Symmetric encryption key (default)

    • * SYMMETRIC_DEFAULT

  • HMAC keys * (symmetric)

    • HMAC_224

    • * HMAC_256

    • HMAC_384

    • *

      HMAC_512

  • Asymmetric RSA key * pairs

    • RSA_2048

    • * RSA_3072

    • RSA_4096

    *
  • Asymmetric NIST-recommended elliptic curve key pairs

    • *

      ECC_NIST_P256 (secp256r1)

    • * ECC_NIST_P384 (secp384r1)

    • * ECC_NIST_P521 (secp521r1)

  • Other * asymmetric elliptic curve key pairs

    • * ECC_SECG_P256K1 (secp256k1), commonly used for * cryptocurrencies.

  • SM2 key pairs (China Regions * only)

    • SM2

*/ inline bool KeySpecHasBeenSet() const { return m_keySpecHasBeenSet; } /** *

Specifies the type of KMS key to create. The default value, * SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit AES-GCM key * that is used for encryption and decryption, except in China Regions, where it * creates a 128-bit symmetric key that uses SM4 encryption. For help choosing a * key spec for your KMS key, see Choosing * a KMS key type in the Key Management Service Developer Guide * .

The KeySpec determines whether the KMS key contains a * symmetric key or an asymmetric key pair. It also determines the algorithms that * the KMS key supports. You can't change the KeySpec after the KMS * key is created. To further restrict the algorithms that can be used with the KMS * key, use a condition key in its key policy or IAM policy. For more information, * see kms:EncryptionAlgorithm, * kms:MacAlgorithm * or kms:Signing * Algorithm in the Key Management Service Developer Guide .

*

Amazon Web * Services services that are integrated with KMS use symmetric encryption KMS * keys to protect your data. These services do not support asymmetric KMS keys or * HMAC KMS keys.

KMS supports the following key specs for KMS * keys:

  • Symmetric encryption key (default)

    • * SYMMETRIC_DEFAULT

  • HMAC keys * (symmetric)

    • HMAC_224

    • * HMAC_256

    • HMAC_384

    • *

      HMAC_512

  • Asymmetric RSA key * pairs

    • RSA_2048

    • * RSA_3072

    • RSA_4096

    *
  • Asymmetric NIST-recommended elliptic curve key pairs

    • *

      ECC_NIST_P256 (secp256r1)

    • * ECC_NIST_P384 (secp384r1)

    • * ECC_NIST_P521 (secp521r1)

  • Other * asymmetric elliptic curve key pairs

    • * ECC_SECG_P256K1 (secp256k1), commonly used for * cryptocurrencies.

  • SM2 key pairs (China Regions * only)

    • SM2

*/ inline void SetKeySpec(const KeySpec& value) { m_keySpecHasBeenSet = true; m_keySpec = value; } /** *

Specifies the type of KMS key to create. The default value, * SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit AES-GCM key * that is used for encryption and decryption, except in China Regions, where it * creates a 128-bit symmetric key that uses SM4 encryption. For help choosing a * key spec for your KMS key, see Choosing * a KMS key type in the Key Management Service Developer Guide * .

The KeySpec determines whether the KMS key contains a * symmetric key or an asymmetric key pair. It also determines the algorithms that * the KMS key supports. You can't change the KeySpec after the KMS * key is created. To further restrict the algorithms that can be used with the KMS * key, use a condition key in its key policy or IAM policy. For more information, * see kms:EncryptionAlgorithm, * kms:MacAlgorithm * or kms:Signing * Algorithm in the Key Management Service Developer Guide .

*

Amazon Web * Services services that are integrated with KMS use symmetric encryption KMS * keys to protect your data. These services do not support asymmetric KMS keys or * HMAC KMS keys.

KMS supports the following key specs for KMS * keys:

  • Symmetric encryption key (default)

    • * SYMMETRIC_DEFAULT

  • HMAC keys * (symmetric)

    • HMAC_224

    • * HMAC_256

    • HMAC_384

    • *

      HMAC_512

  • Asymmetric RSA key * pairs

    • RSA_2048

    • * RSA_3072

    • RSA_4096

    *
  • Asymmetric NIST-recommended elliptic curve key pairs

    • *

      ECC_NIST_P256 (secp256r1)

    • * ECC_NIST_P384 (secp384r1)

    • * ECC_NIST_P521 (secp521r1)

  • Other * asymmetric elliptic curve key pairs

    • * ECC_SECG_P256K1 (secp256k1), commonly used for * cryptocurrencies.

  • SM2 key pairs (China Regions * only)

    • SM2

*/ inline void SetKeySpec(KeySpec&& value) { m_keySpecHasBeenSet = true; m_keySpec = std::move(value); } /** *

Specifies the type of KMS key to create. The default value, * SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit AES-GCM key * that is used for encryption and decryption, except in China Regions, where it * creates a 128-bit symmetric key that uses SM4 encryption. For help choosing a * key spec for your KMS key, see Choosing * a KMS key type in the Key Management Service Developer Guide * .

The KeySpec determines whether the KMS key contains a * symmetric key or an asymmetric key pair. It also determines the algorithms that * the KMS key supports. You can't change the KeySpec after the KMS * key is created. To further restrict the algorithms that can be used with the KMS * key, use a condition key in its key policy or IAM policy. For more information, * see kms:EncryptionAlgorithm, * kms:MacAlgorithm * or kms:Signing * Algorithm in the Key Management Service Developer Guide .

*

Amazon Web * Services services that are integrated with KMS use symmetric encryption KMS * keys to protect your data. These services do not support asymmetric KMS keys or * HMAC KMS keys.

KMS supports the following key specs for KMS * keys:

  • Symmetric encryption key (default)

    • * SYMMETRIC_DEFAULT

  • HMAC keys * (symmetric)

    • HMAC_224

    • * HMAC_256

    • HMAC_384

    • *

      HMAC_512

  • Asymmetric RSA key * pairs

    • RSA_2048

    • * RSA_3072

    • RSA_4096

    *
  • Asymmetric NIST-recommended elliptic curve key pairs

    • *

      ECC_NIST_P256 (secp256r1)

    • * ECC_NIST_P384 (secp384r1)

    • * ECC_NIST_P521 (secp521r1)

  • Other * asymmetric elliptic curve key pairs

    • * ECC_SECG_P256K1 (secp256k1), commonly used for * cryptocurrencies.

  • SM2 key pairs (China Regions * only)

    • SM2

*/ inline CreateKeyRequest& WithKeySpec(const KeySpec& value) { SetKeySpec(value); return *this;} /** *

Specifies the type of KMS key to create. The default value, * SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit AES-GCM key * that is used for encryption and decryption, except in China Regions, where it * creates a 128-bit symmetric key that uses SM4 encryption. For help choosing a * key spec for your KMS key, see Choosing * a KMS key type in the Key Management Service Developer Guide * .

The KeySpec determines whether the KMS key contains a * symmetric key or an asymmetric key pair. It also determines the algorithms that * the KMS key supports. You can't change the KeySpec after the KMS * key is created. To further restrict the algorithms that can be used with the KMS * key, use a condition key in its key policy or IAM policy. For more information, * see kms:EncryptionAlgorithm, * kms:MacAlgorithm * or kms:Signing * Algorithm in the Key Management Service Developer Guide .

*

Amazon Web * Services services that are integrated with KMS use symmetric encryption KMS * keys to protect your data. These services do not support asymmetric KMS keys or * HMAC KMS keys.

KMS supports the following key specs for KMS * keys:

  • Symmetric encryption key (default)
    • SYMMETRIC_DEFAULT
  • HMAC keys (symmetric)
    • HMAC_224
    • HMAC_256
    • HMAC_384
    • HMAC_512
  • Asymmetric RSA key pairs
    • RSA_2048
    • RSA_3072
    • RSA_4096
  • Asymmetric NIST-recommended elliptic curve key pairs
    • ECC_NIST_P256 (secp256r1)
    • ECC_NIST_P384 (secp384r1)
    • ECC_NIST_P521 (secp521r1)
  • Other asymmetric elliptic curve key pairs
    • ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
  • SM2 key pairs (China Regions only)
    • SM2

*/ inline CreateKeyRequest& WithKeySpec(KeySpec&& value) { SetKeySpec(std::move(value)); return *this;} /** *

The source of the key material for the KMS key. You cannot change the origin * after you create the KMS key. The default is AWS_KMS, which means * that KMS creates the key material.

To create * a KMS key with no key material (for imported key material), set this value * to EXTERNAL. For more information about importing key material into * KMS, see Importing * Key Material in the Key Management Service Developer Guide. The * EXTERNAL origin value is valid only for symmetric KMS keys.

*

To create * a KMS key in a CloudHSM key store and create its key material in the * associated CloudHSM cluster, set this value to AWS_CLOUDHSM. You * must also use the CustomKeyStoreId parameter to identify the * CloudHSM key store. The KeySpec value must be * SYMMETRIC_DEFAULT.

To create * a KMS key in an external key store, set this value to * EXTERNAL_KEY_STORE. You must also use the * CustomKeyStoreId parameter to identify the external key store and * the XksKeyId parameter to identify the associated external key. The * KeySpec value must be SYMMETRIC_DEFAULT.

*/ inline const OriginType& GetOrigin() const{ return m_origin; } /** *

The source of the key material for the KMS key. You cannot change the origin * after you create the KMS key. The default is AWS_KMS, which means * that KMS creates the key material.

To create * a KMS key with no key material (for imported key material), set this value * to EXTERNAL. For more information about importing key material into * KMS, see Importing * Key Material in the Key Management Service Developer Guide. The * EXTERNAL origin value is valid only for symmetric KMS keys.

*

To create * a KMS key in a CloudHSM key store and create its key material in the * associated CloudHSM cluster, set this value to AWS_CLOUDHSM. You * must also use the CustomKeyStoreId parameter to identify the * CloudHSM key store. The KeySpec value must be * SYMMETRIC_DEFAULT.

To create * a KMS key in an external key store, set this value to * EXTERNAL_KEY_STORE. You must also use the * CustomKeyStoreId parameter to identify the external key store and * the XksKeyId parameter to identify the associated external key. The * KeySpec value must be SYMMETRIC_DEFAULT.

*/ inline bool OriginHasBeenSet() const { return m_originHasBeenSet; } /** *

The source of the key material for the KMS key. You cannot change the origin * after you create the KMS key. The default is AWS_KMS, which means * that KMS creates the key material.

To create * a KMS key with no key material (for imported key material), set this value * to EXTERNAL. For more information about importing key material into * KMS, see Importing * Key Material in the Key Management Service Developer Guide. The * EXTERNAL origin value is valid only for symmetric KMS keys.

*

To create * a KMS key in a CloudHSM key store and create its key material in the * associated CloudHSM cluster, set this value to AWS_CLOUDHSM. You * must also use the CustomKeyStoreId parameter to identify the * CloudHSM key store. The KeySpec value must be * SYMMETRIC_DEFAULT.

To create * a KMS key in an external key store, set this value to * EXTERNAL_KEY_STORE. You must also use the * CustomKeyStoreId parameter to identify the external key store and * the XksKeyId parameter to identify the associated external key. The * KeySpec value must be SYMMETRIC_DEFAULT.

*/ inline void SetOrigin(const OriginType& value) { m_originHasBeenSet = true; m_origin = value; } /** *

The source of the key material for the KMS key. You cannot change the origin * after you create the KMS key. The default is AWS_KMS, which means * that KMS creates the key material.

To create * a KMS key with no key material (for imported key material), set this value * to EXTERNAL. For more information about importing key material into * KMS, see Importing * Key Material in the Key Management Service Developer Guide. The * EXTERNAL origin value is valid only for symmetric KMS keys.

*

To create * a KMS key in a CloudHSM key store and create its key material in the * associated CloudHSM cluster, set this value to AWS_CLOUDHSM. You * must also use the CustomKeyStoreId parameter to identify the * CloudHSM key store. The KeySpec value must be * SYMMETRIC_DEFAULT.

To create * a KMS key in an external key store, set this value to * EXTERNAL_KEY_STORE. You must also use the * CustomKeyStoreId parameter to identify the external key store and * the XksKeyId parameter to identify the associated external key. The * KeySpec value must be SYMMETRIC_DEFAULT.

*/ inline void SetOrigin(OriginType&& value) { m_originHasBeenSet = true; m_origin = std::move(value); } /** *

The source of the key material for the KMS key. You cannot change the origin * after you create the KMS key. The default is AWS_KMS, which means * that KMS creates the key material.

To create * a KMS key with no key material (for imported key material), set this value * to EXTERNAL. For more information about importing key material into * KMS, see Importing * Key Material in the Key Management Service Developer Guide. The * EXTERNAL origin value is valid only for symmetric KMS keys.

*

To create * a KMS key in a CloudHSM key store and create its key material in the * associated CloudHSM cluster, set this value to AWS_CLOUDHSM. You * must also use the CustomKeyStoreId parameter to identify the * CloudHSM key store. The KeySpec value must be * SYMMETRIC_DEFAULT.

To create * a KMS key in an external key store, set this value to * EXTERNAL_KEY_STORE. You must also use the * CustomKeyStoreId parameter to identify the external key store and * the XksKeyId parameter to identify the associated external key. The * KeySpec value must be SYMMETRIC_DEFAULT.

*/ inline CreateKeyRequest& WithOrigin(const OriginType& value) { SetOrigin(value); return *this;} /** *

The source of the key material for the KMS key. You cannot change the origin * after you create the KMS key. The default is AWS_KMS, which means * that KMS creates the key material.

To create * a KMS key with no key material (for imported key material), set this value * to EXTERNAL. For more information about importing key material into * KMS, see Importing * Key Material in the Key Management Service Developer Guide. The * EXTERNAL origin value is valid only for symmetric KMS keys.

*

To create * a KMS key in a CloudHSM key store and create its key material in the * associated CloudHSM cluster, set this value to AWS_CLOUDHSM. You * must also use the CustomKeyStoreId parameter to identify the * CloudHSM key store. The KeySpec value must be * SYMMETRIC_DEFAULT.

To create * a KMS key in an external key store, set this value to * EXTERNAL_KEY_STORE. You must also use the * CustomKeyStoreId parameter to identify the external key store and * the XksKeyId parameter to identify the associated external key. The * KeySpec value must be SYMMETRIC_DEFAULT.

*/ inline CreateKeyRequest& WithOrigin(OriginType&& value) { SetOrigin(std::move(value)); return *this;} /** *

Creates the KMS key in the specified custom * key store. The ConnectionState of the custom key store must be * CONNECTED. To find the CustomKeyStoreID and ConnectionState use the * DescribeCustomKeyStores operation.

This parameter is valid only * for symmetric encryption KMS keys in a single Region. You cannot create any * other type of KMS key in a custom key store.

When you create a KMS key in * a CloudHSM key store, KMS generates a non-exportable 256-bit symmetric key in * its associated CloudHSM cluster and associates it with the KMS key. When you * create a KMS key in an external key store, you must use the * XksKeyId parameter to specify an external key that serves as key * material for the KMS key.

*/ inline const Aws::String& GetCustomKeyStoreId() const{ return m_customKeyStoreId; } /** *

Creates the KMS key in the specified custom * key store. The ConnectionState of the custom key store must be * CONNECTED. To find the CustomKeyStoreID and ConnectionState use the * DescribeCustomKeyStores operation.

This parameter is valid only * for symmetric encryption KMS keys in a single Region. You cannot create any * other type of KMS key in a custom key store.

When you create a KMS key in * a CloudHSM key store, KMS generates a non-exportable 256-bit symmetric key in * its associated CloudHSM cluster and associates it with the KMS key. When you * create a KMS key in an external key store, you must use the * XksKeyId parameter to specify an external key that serves as key * material for the KMS key.

*/ inline bool CustomKeyStoreIdHasBeenSet() const { return m_customKeyStoreIdHasBeenSet; } /** *

Creates the KMS key in the specified custom * key store. The ConnectionState of the custom key store must be * CONNECTED. To find the CustomKeyStoreID and ConnectionState use the * DescribeCustomKeyStores operation.

This parameter is valid only * for symmetric encryption KMS keys in a single Region. You cannot create any * other type of KMS key in a custom key store.

When you create a KMS key in * a CloudHSM key store, KMS generates a non-exportable 256-bit symmetric key in * its associated CloudHSM cluster and associates it with the KMS key. When you * create a KMS key in an external key store, you must use the * XksKeyId parameter to specify an external key that serves as key * material for the KMS key.

*/ inline void SetCustomKeyStoreId(const Aws::String& value) { m_customKeyStoreIdHasBeenSet = true; m_customKeyStoreId = value; } /** *

Creates the KMS key in the specified custom * key store. The ConnectionState of the custom key store must be * CONNECTED. To find the CustomKeyStoreID and ConnectionState use the * DescribeCustomKeyStores operation.

This parameter is valid only * for symmetric encryption KMS keys in a single Region. You cannot create any * other type of KMS key in a custom key store.

When you create a KMS key in * a CloudHSM key store, KMS generates a non-exportable 256-bit symmetric key in * its associated CloudHSM cluster and associates it with the KMS key. When you * create a KMS key in an external key store, you must use the * XksKeyId parameter to specify an external key that serves as key * material for the KMS key.

*/ inline void SetCustomKeyStoreId(Aws::String&& value) { m_customKeyStoreIdHasBeenSet = true; m_customKeyStoreId = std::move(value); } /** *

Creates the KMS key in the specified custom * key store. The ConnectionState of the custom key store must be * CONNECTED. To find the CustomKeyStoreID and ConnectionState use the * DescribeCustomKeyStores operation.

This parameter is valid only * for symmetric encryption KMS keys in a single Region. You cannot create any * other type of KMS key in a custom key store.

When you create a KMS key in * a CloudHSM key store, KMS generates a non-exportable 256-bit symmetric key in * its associated CloudHSM cluster and associates it with the KMS key. When you * create a KMS key in an external key store, you must use the * XksKeyId parameter to specify an external key that serves as key * material for the KMS key.

*/ inline void SetCustomKeyStoreId(const char* value) { m_customKeyStoreIdHasBeenSet = true; m_customKeyStoreId.assign(value); } /** *

Creates the KMS key in the specified custom * key store. The ConnectionState of the custom key store must be * CONNECTED. To find the CustomKeyStoreID and ConnectionState use the * DescribeCustomKeyStores operation.

This parameter is valid only * for symmetric encryption KMS keys in a single Region. You cannot create any * other type of KMS key in a custom key store.

When you create a KMS key in * a CloudHSM key store, KMS generates a non-exportable 256-bit symmetric key in * its associated CloudHSM cluster and associates it with the KMS key. When you * create a KMS key in an external key store, you must use the * XksKeyId parameter to specify an external key that serves as key * material for the KMS key.

*/ inline CreateKeyRequest& WithCustomKeyStoreId(const Aws::String& value) { SetCustomKeyStoreId(value); return *this;} /** *

Creates the KMS key in the specified custom * key store. The ConnectionState of the custom key store must be * CONNECTED. To find the CustomKeyStoreID and ConnectionState use the * DescribeCustomKeyStores operation.

This parameter is valid only * for symmetric encryption KMS keys in a single Region. You cannot create any * other type of KMS key in a custom key store.

When you create a KMS key in * a CloudHSM key store, KMS generates a non-exportable 256-bit symmetric key in * its associated CloudHSM cluster and associates it with the KMS key. When you * create a KMS key in an external key store, you must use the * XksKeyId parameter to specify an external key that serves as key * material for the KMS key.

*/ inline CreateKeyRequest& WithCustomKeyStoreId(Aws::String&& value) { SetCustomKeyStoreId(std::move(value)); return *this;} /** *

Creates the KMS key in the specified custom * key store. The ConnectionState of the custom key store must be * CONNECTED. To find the CustomKeyStoreID and ConnectionState use the * DescribeCustomKeyStores operation.

This parameter is valid only * for symmetric encryption KMS keys in a single Region. You cannot create any * other type of KMS key in a custom key store.

When you create a KMS key in * a CloudHSM key store, KMS generates a non-exportable 256-bit symmetric key in * its associated CloudHSM cluster and associates it with the KMS key. When you * create a KMS key in an external key store, you must use the * XksKeyId parameter to specify an external key that serves as key * material for the KMS key.

*/ inline CreateKeyRequest& WithCustomKeyStoreId(const char* value) { SetCustomKeyStoreId(value); return *this;} /** *

Skips ("bypasses") the key policy lockout safety check. The default value is * false.

Setting this value to true increases the risk that the * KMS key becomes unmanageable. Do not set this value to true * indiscriminately.

For more information, see Default * key policy in the Key Management Service Developer Guide.

*

Use this parameter only when you intend to prevent the principal * that is making the request from making a subsequent PutKeyPolicy request * on the KMS key.

*/ inline bool GetBypassPolicyLockoutSafetyCheck() const{ return m_bypassPolicyLockoutSafetyCheck; } /** *

Skips ("bypasses") the key policy lockout safety check. The default value is * false.

Setting this value to true increases the risk that the * KMS key becomes unmanageable. Do not set this value to true * indiscriminately.

For more information, see Default * key policy in the Key Management Service Developer Guide.

*

Use this parameter only when you intend to prevent the principal * that is making the request from making a subsequent PutKeyPolicy request * on the KMS key.

*/ inline bool BypassPolicyLockoutSafetyCheckHasBeenSet() const { return m_bypassPolicyLockoutSafetyCheckHasBeenSet; } /** *

Skips ("bypasses") the key policy lockout safety check. The default value is * false.

Setting this value to true increases the risk that the * KMS key becomes unmanageable. Do not set this value to true * indiscriminately.

For more information, see Default * key policy in the Key Management Service Developer Guide.

*

Use this parameter only when you intend to prevent the principal * that is making the request from making a subsequent PutKeyPolicy request * on the KMS key.

*/ inline void SetBypassPolicyLockoutSafetyCheck(bool value) { m_bypassPolicyLockoutSafetyCheckHasBeenSet = true; m_bypassPolicyLockoutSafetyCheck = value; } /** *

Skips ("bypasses") the key policy lockout safety check. The default value is * false.

Setting this value to true increases the risk that the * KMS key becomes unmanageable. Do not set this value to true * indiscriminately.

For more information, see Default * key policy in the Key Management Service Developer Guide.

*

Use this parameter only when you intend to prevent the principal * that is making the request from making a subsequent PutKeyPolicy request * on the KMS key.

*/ inline CreateKeyRequest& WithBypassPolicyLockoutSafetyCheck(bool value) { SetBypassPolicyLockoutSafetyCheck(value); return *this;} /** *

Assigns one or more tags to the KMS key. Use this parameter to tag the KMS * key when it is created. To tag an existing KMS key, use the TagResource * operation.

Do not include confidential or sensitive * information in this field. This field may be displayed in plaintext in * CloudTrail logs and other output.

Tagging or * untagging a KMS key can allow or deny permission to the KMS key. For details, * see ABAC for * KMS in the Key Management Service Developer Guide.

To * use this parameter, you must have kms:TagResource * permission in an IAM policy.

Each tag consists of a tag key and a tag * value. Both the tag key and the tag value are required, but the tag value can be * an empty (null) string. You cannot have more than one tag on a KMS key with the * same tag key. If you specify an existing tag key with a different tag value, KMS * replaces the current tag value with the specified one.

When you add tags * to an Amazon Web Services resource, Amazon Web Services generates a cost * allocation report with usage and costs aggregated by tags. Tags can also be used * to control access to a KMS key. For details, see Tagging * Keys.

*/ inline const Aws::Vector& GetTags() const{ return m_tags; } /** *

Assigns one or more tags to the KMS key. Use this parameter to tag the KMS * key when it is created. To tag an existing KMS key, use the TagResource * operation.

Do not include confidential or sensitive * information in this field. This field may be displayed in plaintext in * CloudTrail logs and other output.

Tagging or * untagging a KMS key can allow or deny permission to the KMS key. For details, * see ABAC for * KMS in the Key Management Service Developer Guide.

To * use this parameter, you must have kms:TagResource * permission in an IAM policy.

Each tag consists of a tag key and a tag * value. Both the tag key and the tag value are required, but the tag value can be * an empty (null) string. You cannot have more than one tag on a KMS key with the * same tag key. If you specify an existing tag key with a different tag value, KMS * replaces the current tag value with the specified one.

When you add tags * to an Amazon Web Services resource, Amazon Web Services generates a cost * allocation report with usage and costs aggregated by tags. Tags can also be used * to control access to a KMS key. For details, see Tagging * Keys.

*/ inline bool TagsHasBeenSet() const { return m_tagsHasBeenSet; } /** *

Assigns one or more tags to the KMS key. Use this parameter to tag the KMS * key when it is created. To tag an existing KMS key, use the TagResource * operation.

Do not include confidential or sensitive * information in this field. This field may be displayed in plaintext in * CloudTrail logs and other output.

Tagging or * untagging a KMS key can allow or deny permission to the KMS key. For details, * see ABAC for * KMS in the Key Management Service Developer Guide.

To * use this parameter, you must have kms:TagResource * permission in an IAM policy.

Each tag consists of a tag key and a tag * value. Both the tag key and the tag value are required, but the tag value can be * an empty (null) string. You cannot have more than one tag on a KMS key with the * same tag key. If you specify an existing tag key with a different tag value, KMS * replaces the current tag value with the specified one.

When you add tags * to an Amazon Web Services resource, Amazon Web Services generates a cost * allocation report with usage and costs aggregated by tags. Tags can also be used * to control access to a KMS key. For details, see Tagging * Keys.

*/ inline void SetTags(const Aws::Vector& value) { m_tagsHasBeenSet = true; m_tags = value; } /** *

Assigns one or more tags to the KMS key. Use this parameter to tag the KMS * key when it is created. To tag an existing KMS key, use the TagResource * operation.

Do not include confidential or sensitive * information in this field. This field may be displayed in plaintext in * CloudTrail logs and other output.

Tagging or * untagging a KMS key can allow or deny permission to the KMS key. For details, * see ABAC for * KMS in the Key Management Service Developer Guide.

To * use this parameter, you must have kms:TagResource * permission in an IAM policy.

Each tag consists of a tag key and a tag * value. Both the tag key and the tag value are required, but the tag value can be * an empty (null) string. You cannot have more than one tag on a KMS key with the * same tag key. If you specify an existing tag key with a different tag value, KMS * replaces the current tag value with the specified one.

When you add tags * to an Amazon Web Services resource, Amazon Web Services generates a cost * allocation report with usage and costs aggregated by tags. Tags can also be used * to control access to a KMS key. For details, see Tagging * Keys.

*/ inline void SetTags(Aws::Vector&& value) { m_tagsHasBeenSet = true; m_tags = std::move(value); } /** *

Assigns one or more tags to the KMS key. Use this parameter to tag the KMS * key when it is created. To tag an existing KMS key, use the TagResource * operation.

Do not include confidential or sensitive * information in this field. This field may be displayed in plaintext in * CloudTrail logs and other output.

Tagging or * untagging a KMS key can allow or deny permission to the KMS key. For details, * see ABAC for * KMS in the Key Management Service Developer Guide.

To * use this parameter, you must have kms:TagResource * permission in an IAM policy.

Each tag consists of a tag key and a tag * value. Both the tag key and the tag value are required, but the tag value can be * an empty (null) string. You cannot have more than one tag on a KMS key with the * same tag key. If you specify an existing tag key with a different tag value, KMS * replaces the current tag value with the specified one.

When you add tags * to an Amazon Web Services resource, Amazon Web Services generates a cost * allocation report with usage and costs aggregated by tags. Tags can also be used * to control access to a KMS key. For details, see Tagging * Keys.

*/ inline CreateKeyRequest& WithTags(const Aws::Vector& value) { SetTags(value); return *this;} /** *

Assigns one or more tags to the KMS key. Use this parameter to tag the KMS * key when it is created. To tag an existing KMS key, use the TagResource * operation.

Do not include confidential or sensitive * information in this field. This field may be displayed in plaintext in * CloudTrail logs and other output.

Tagging or * untagging a KMS key can allow or deny permission to the KMS key. For details, * see ABAC for * KMS in the Key Management Service Developer Guide.

To * use this parameter, you must have kms:TagResource * permission in an IAM policy.

Each tag consists of a tag key and a tag * value. Both the tag key and the tag value are required, but the tag value can be * an empty (null) string. You cannot have more than one tag on a KMS key with the * same tag key. If you specify an existing tag key with a different tag value, KMS * replaces the current tag value with the specified one.

When you add tags * to an Amazon Web Services resource, Amazon Web Services generates a cost * allocation report with usage and costs aggregated by tags. Tags can also be used * to control access to a KMS key. For details, see Tagging * Keys.

*/ inline CreateKeyRequest& WithTags(Aws::Vector&& value) { SetTags(std::move(value)); return *this;} /** *

Assigns one or more tags to the KMS key. Use this parameter to tag the KMS * key when it is created. To tag an existing KMS key, use the TagResource * operation.

Do not include confidential or sensitive * information in this field. This field may be displayed in plaintext in * CloudTrail logs and other output.

Tagging or * untagging a KMS key can allow or deny permission to the KMS key. For details, * see ABAC for * KMS in the Key Management Service Developer Guide.

To * use this parameter, you must have kms:TagResource * permission in an IAM policy.

Each tag consists of a tag key and a tag * value. Both the tag key and the tag value are required, but the tag value can be * an empty (null) string. You cannot have more than one tag on a KMS key with the * same tag key. If you specify an existing tag key with a different tag value, KMS * replaces the current tag value with the specified one.

When you add tags * to an Amazon Web Services resource, Amazon Web Services generates a cost * allocation report with usage and costs aggregated by tags. Tags can also be used * to control access to a KMS key. For details, see Tagging * Keys.

*/ inline CreateKeyRequest& AddTags(const Tag& value) { m_tagsHasBeenSet = true; m_tags.push_back(value); return *this; } /** *

Assigns one or more tags to the KMS key. Use this parameter to tag the KMS * key when it is created. To tag an existing KMS key, use the TagResource * operation.

Do not include confidential or sensitive * information in this field. This field may be displayed in plaintext in * CloudTrail logs and other output.

Tagging or * untagging a KMS key can allow or deny permission to the KMS key. For details, * see ABAC for * KMS in the Key Management Service Developer Guide.

To * use this parameter, you must have kms:TagResource * permission in an IAM policy.

Each tag consists of a tag key and a tag * value. Both the tag key and the tag value are required, but the tag value can be * an empty (null) string. You cannot have more than one tag on a KMS key with the * same tag key. If you specify an existing tag key with a different tag value, KMS * replaces the current tag value with the specified one.

When you add tags * to an Amazon Web Services resource, Amazon Web Services generates a cost * allocation report with usage and costs aggregated by tags. Tags can also be used * to control access to a KMS key. For details, see Tagging * Keys.

*/ inline CreateKeyRequest& AddTags(Tag&& value) { m_tagsHasBeenSet = true; m_tags.push_back(std::move(value)); return *this; } /** *

Creates a multi-Region primary key that you can replicate into other Amazon * Web Services Regions. You cannot change this value after you create the KMS key. *

For a multi-Region key, set this parameter to True. For a * single-Region KMS key, omit this parameter or set it to False. The * default value is False.

This operation supports * multi-Region keys, a KMS feature that lets you create multiple * interoperable KMS keys in different Amazon Web Services Regions. Because these * KMS keys have the same key ID, key material, and other metadata, you can use * them interchangeably to encrypt data in one Amazon Web Services Region and * decrypt it in a different Amazon Web Services Region without re-encrypting the * data or making a cross-Region call. For more information about multi-Region * keys, see Multi-Region * keys in KMS in the Key Management Service Developer Guide.

*

This value creates a primary key, not a replica. To create a * replica key, use the ReplicateKey operation.

You can * create a symmetric or asymmetric multi-Region key, and you can create a * multi-Region key with imported key material. However, you cannot create a * multi-Region key in a custom key store.

*/ inline bool GetMultiRegion() const{ return m_multiRegion; } /** *

Creates a multi-Region primary key that you can replicate into other Amazon * Web Services Regions. You cannot change this value after you create the KMS key. *

For a multi-Region key, set this parameter to True. For a * single-Region KMS key, omit this parameter or set it to False. The * default value is False.

This operation supports * multi-Region keys, a KMS feature that lets you create multiple * interoperable KMS keys in different Amazon Web Services Regions. Because these * KMS keys have the same key ID, key material, and other metadata, you can use * them interchangeably to encrypt data in one Amazon Web Services Region and * decrypt it in a different Amazon Web Services Region without re-encrypting the * data or making a cross-Region call. For more information about multi-Region * keys, see Multi-Region * keys in KMS in the Key Management Service Developer Guide.

*

This value creates a primary key, not a replica. To create a * replica key, use the ReplicateKey operation.

You can * create a symmetric or asymmetric multi-Region key, and you can create a * multi-Region key with imported key material. However, you cannot create a * multi-Region key in a custom key store.

*/ inline bool MultiRegionHasBeenSet() const { return m_multiRegionHasBeenSet; } /** *

Creates a multi-Region primary key that you can replicate into other Amazon * Web Services Regions. You cannot change this value after you create the KMS key. *

For a multi-Region key, set this parameter to True. For a * single-Region KMS key, omit this parameter or set it to False. The * default value is False.

This operation supports * multi-Region keys, a KMS feature that lets you create multiple * interoperable KMS keys in different Amazon Web Services Regions. Because these * KMS keys have the same key ID, key material, and other metadata, you can use * them interchangeably to encrypt data in one Amazon Web Services Region and * decrypt it in a different Amazon Web Services Region without re-encrypting the * data or making a cross-Region call. For more information about multi-Region * keys, see Multi-Region * keys in KMS in the Key Management Service Developer Guide.

*

This value creates a primary key, not a replica. To create a * replica key, use the ReplicateKey operation.

You can * create a symmetric or asymmetric multi-Region key, and you can create a * multi-Region key with imported key material. However, you cannot create a * multi-Region key in a custom key store.

*/ inline void SetMultiRegion(bool value) { m_multiRegionHasBeenSet = true; m_multiRegion = value; } /** *

Creates a multi-Region primary key that you can replicate into other Amazon * Web Services Regions. You cannot change this value after you create the KMS key. *

For a multi-Region key, set this parameter to True. For a * single-Region KMS key, omit this parameter or set it to False. The * default value is False.

This operation supports * multi-Region keys, a KMS feature that lets you create multiple * interoperable KMS keys in different Amazon Web Services Regions. Because these * KMS keys have the same key ID, key material, and other metadata, you can use * them interchangeably to encrypt data in one Amazon Web Services Region and * decrypt it in a different Amazon Web Services Region without re-encrypting the * data or making a cross-Region call. For more information about multi-Region * keys, see Multi-Region * keys in KMS in the Key Management Service Developer Guide.

*

This value creates a primary key, not a replica. To create a * replica key, use the ReplicateKey operation.

You can * create a symmetric or asymmetric multi-Region key, and you can create a * multi-Region key with imported key material. However, you cannot create a * multi-Region key in a custom key store.

     */
    inline CreateKeyRequest& WithMultiRegion(bool value) { SetMultiRegion(value); return *this;}

    /**
     * Identifies the external key that serves as key material for the KMS key in an external key store. Specify the ID that the external key store proxy uses to refer to the external key. For help, see the documentation for your external key store proxy.
     *
     * This parameter is required for a KMS key with an Origin value of EXTERNAL_KEY_STORE. It is not valid for KMS keys with any other Origin value.
     *
     * The external key must be an existing 256-bit AES symmetric encryption key hosted outside of Amazon Web Services in an external key manager associated with the external key store specified by the CustomKeyStoreId parameter. This key must be enabled and configured to perform encryption and decryption. Each KMS key in an external key store must use a different external key. For details, see Requirements for a KMS key in an external key store in the Key Management Service Developer Guide.
     *
     * Each KMS key in an external key store is associated with two backing keys. One is key material that KMS generates. The other is the external key specified by this parameter. When you use the KMS key in an external key store to encrypt data, the encryption operation is performed first by KMS using the KMS key material, and then by the external key manager using the specified external key, a process known as double encryption. For details, see Double encryption in the Key Management Service Developer Guide.

     */
    inline const Aws::String& GetXksKeyId() const{ return m_xksKeyId; }

    /**
     * Identifies the external key that serves as key material for the KMS key in an external key store. Specify the ID that the external key store proxy uses to refer to the external key. For help, see the documentation for your external key store proxy.
     *
     * This parameter is required for a KMS key with an Origin value of EXTERNAL_KEY_STORE. It is not valid for KMS keys with any other Origin value.
     *
     * The external key must be an existing 256-bit AES symmetric encryption key hosted outside of Amazon Web Services in an external key manager associated with the external key store specified by the CustomKeyStoreId parameter. This key must be enabled and configured to perform encryption and decryption. Each KMS key in an external key store must use a different external key. For details, see Requirements for a KMS key in an external key store in the Key Management Service Developer Guide.
     *
     * Each KMS key in an external key store is associated with two backing keys. One is key material that KMS generates. The other is the external key specified by this parameter. When you use the KMS key in an external key store to encrypt data, the encryption operation is performed first by KMS using the KMS key material, and then by the external key manager using the specified external key, a process known as double encryption. For details, see Double encryption in the Key Management Service Developer Guide.

     */
    inline bool XksKeyIdHasBeenSet() const { return m_xksKeyIdHasBeenSet; }

    /**
     * Identifies the external key that serves as key material for the KMS key in an external key store. Specify the ID that the external key store proxy uses to refer to the external key. For help, see the documentation for your external key store proxy.
     *
     * This parameter is required for a KMS key with an Origin value of EXTERNAL_KEY_STORE. It is not valid for KMS keys with any other Origin value.
     *
     * The external key must be an existing 256-bit AES symmetric encryption key hosted outside of Amazon Web Services in an external key manager associated with the external key store specified by the CustomKeyStoreId parameter. This key must be enabled and configured to perform encryption and decryption. Each KMS key in an external key store must use a different external key. For details, see Requirements for a KMS key in an external key store in the Key Management Service Developer Guide.
     *
     * Each KMS key in an external key store is associated with two backing keys. One is key material that KMS generates. The other is the external key specified by this parameter. When you use the KMS key in an external key store to encrypt data, the encryption operation is performed first by KMS using the KMS key material, and then by the external key manager using the specified external key, a process known as double encryption. For details, see Double encryption in the Key Management Service Developer Guide.

     */
    inline void SetXksKeyId(const Aws::String& value) { m_xksKeyIdHasBeenSet = true; m_xksKeyId = value; }

    /**
     * Identifies the external key that serves as key material for the KMS key in an external key store. Specify the ID that the external key store proxy uses to refer to the external key. For help, see the documentation for your external key store proxy.
     *
     * This parameter is required for a KMS key with an Origin value of EXTERNAL_KEY_STORE. It is not valid for KMS keys with any other Origin value.
     *
     * The external key must be an existing 256-bit AES symmetric encryption key hosted outside of Amazon Web Services in an external key manager associated with the external key store specified by the CustomKeyStoreId parameter. This key must be enabled and configured to perform encryption and decryption. Each KMS key in an external key store must use a different external key. For details, see Requirements for a KMS key in an external key store in the Key Management Service Developer Guide.
     *
     * Each KMS key in an external key store is associated with two backing keys. One is key material that KMS generates. The other is the external key specified by this parameter. When you use the KMS key in an external key store to encrypt data, the encryption operation is performed first by KMS using the KMS key material, and then by the external key manager using the specified external key, a process known as double encryption. For details, see Double encryption in the Key Management Service Developer Guide.

     */
    inline void SetXksKeyId(Aws::String&& value) { m_xksKeyIdHasBeenSet = true; m_xksKeyId = std::move(value); }

    /**
     * Identifies the external key that serves as key material for the KMS key in an external key store. Specify the ID that the external key store proxy uses to refer to the external key. For help, see the documentation for your external key store proxy.
     *
     * This parameter is required for a KMS key with an Origin value of EXTERNAL_KEY_STORE. It is not valid for KMS keys with any other Origin value.
     *
     * The external key must be an existing 256-bit AES symmetric encryption key hosted outside of Amazon Web Services in an external key manager associated with the external key store specified by the CustomKeyStoreId parameter. This key must be enabled and configured to perform encryption and decryption. Each KMS key in an external key store must use a different external key. For details, see Requirements for a KMS key in an external key store in the Key Management Service Developer Guide.
     *
     * Each KMS key in an external key store is associated with two backing keys. One is key material that KMS generates. The other is the external key specified by this parameter. When you use the KMS key in an external key store to encrypt data, the encryption operation is performed first by KMS using the KMS key material, and then by the external key manager using the specified external key, a process known as double encryption. For details, see Double encryption in the Key Management Service Developer Guide.

     */
    inline void SetXksKeyId(const char* value) { m_xksKeyIdHasBeenSet = true; m_xksKeyId.assign(value); }

    /**
     * Identifies the external key that serves as key material for the KMS key in an external key store. Specify the ID that the external key store proxy uses to refer to the external key. For help, see the documentation for your external key store proxy.
     *
     * This parameter is required for a KMS key with an Origin value of EXTERNAL_KEY_STORE. It is not valid for KMS keys with any other Origin value.
     *
     * The external key must be an existing 256-bit AES symmetric encryption key hosted outside of Amazon Web Services in an external key manager associated with the external key store specified by the CustomKeyStoreId parameter. This key must be enabled and configured to perform encryption and decryption. Each KMS key in an external key store must use a different external key. For details, see Requirements for a KMS key in an external key store in the Key Management Service Developer Guide.
     *
     * Each KMS key in an external key store is associated with two backing keys. One is key material that KMS generates. The other is the external key specified by this parameter. When you use the KMS key in an external key store to encrypt data, the encryption operation is performed first by KMS using the KMS key material, and then by the external key manager using the specified external key, a process known as double encryption. For details, see Double encryption in the Key Management Service Developer Guide.

     */
    inline CreateKeyRequest& WithXksKeyId(const Aws::String& value) { SetXksKeyId(value); return *this;}

    /**
     * Identifies the external key that serves as key material for the KMS key in an external key store. Specify the ID that the external key store proxy uses to refer to the external key. For help, see the documentation for your external key store proxy.
     *
     * This parameter is required for a KMS key with an Origin value of EXTERNAL_KEY_STORE. It is not valid for KMS keys with any other Origin value.
     *
     * The external key must be an existing 256-bit AES symmetric encryption key hosted outside of Amazon Web Services in an external key manager associated with the external key store specified by the CustomKeyStoreId parameter. This key must be enabled and configured to perform encryption and decryption. Each KMS key in an external key store must use a different external key. For details, see Requirements for a KMS key in an external key store in the Key Management Service Developer Guide.
     *
     * Each KMS key in an external key store is associated with two backing keys. One is key material that KMS generates. The other is the external key specified by this parameter. When you use the KMS key in an external key store to encrypt data, the encryption operation is performed first by KMS using the KMS key material, and then by the external key manager using the specified external key, a process known as double encryption. For details, see Double encryption in the Key Management Service Developer Guide.

     */
    inline CreateKeyRequest& WithXksKeyId(Aws::String&& value) { SetXksKeyId(std::move(value)); return *this;}

    /**
     * Identifies the external key that serves as key material for the KMS key in an external key store. Specify the ID that the external key store proxy uses to refer to the external key. For help, see the documentation for your external key store proxy.
     *
     * This parameter is required for a KMS key with an Origin value of EXTERNAL_KEY_STORE. It is not valid for KMS keys with any other Origin value.
     *
     * The external key must be an existing 256-bit AES symmetric encryption key hosted outside of Amazon Web Services in an external key manager associated with the external key store specified by the CustomKeyStoreId parameter. This key must be enabled and configured to perform encryption and decryption. Each KMS key in an external key store must use a different external key. For details, see Requirements for a KMS key in an external key store in the Key Management Service Developer Guide.
     *
     * Each KMS key in an external key store is associated with two backing keys. One is key material that KMS generates. The other is the external key specified by this parameter. When you use the KMS key in an external key store to encrypt data, the encryption operation is performed first by KMS using the KMS key material, and then by the external key manager using the specified external key, a process known as double encryption. For details, see Double encryption in the Key Management Service Developer Guide.

     */
    inline CreateKeyRequest& WithXksKeyId(const char* value) { SetXksKeyId(value); return *this;}

  private:

    Aws::String m_policy;
    bool m_policyHasBeenSet = false;

    Aws::String m_description;
    bool m_descriptionHasBeenSet = false;

    KeyUsageType m_keyUsage;
    bool m_keyUsageHasBeenSet = false;

    KeySpec m_keySpec;
    bool m_keySpecHasBeenSet = false;

    OriginType m_origin;
    bool m_originHasBeenSet = false;

    Aws::String m_customKeyStoreId;
    bool m_customKeyStoreIdHasBeenSet = false;

    bool m_bypassPolicyLockoutSafetyCheck;
    bool m_bypassPolicyLockoutSafetyCheckHasBeenSet = false;

    // Element type restored; the template argument was lost in extraction.
    Aws::Vector<Tag> m_tags;
    bool m_tagsHasBeenSet = false;

    bool m_multiRegion;
    bool m_multiRegionHasBeenSet = false;

    Aws::String m_xksKeyId;
    bool m_xksKeyIdHasBeenSet = false;
  };

} // namespace Model
} // namespace KMS
} // namespace Aws
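The constraints documented above for MultiRegion and XksKeyId can be checked across a batch of planned keys before any request is sent. The following is an added example, not part of the SDK header: `PlannedKey`, `AuditPlan`, `SamplePlan` and the sample IDs are hypothetical stand-ins, and the code does not use the SDK's own types.

```cpp
#include <set>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins for the CreateKeyRequest fields discussed above;
// these are not the SDK's own types.
enum class Origin { AWS_KMS, EXTERNAL, AWS_CLOUDHSM, EXTERNAL_KEY_STORE };

struct PlannedKey {
    std::string name;              // label used only in findings (constructed)
    Origin origin;
    std::string customKeyStoreId;  // empty means "not set"
    std::string xksKeyId;          // empty means "not set"
    bool multiRegion;
};

// Returns one finding per violated constraint; an empty result means the plan passes.
std::vector<std::string> AuditPlan(const std::vector<PlannedKey>& plan) {
    std::vector<std::string> findings;
    std::set<std::pair<std::string, std::string>> seen;  // (key store, external key)
    for (const auto& k : plan) {
        const bool xks = (k.origin == Origin::EXTERNAL_KEY_STORE);
        if (xks && k.xksKeyId.empty())
            findings.push_back(k.name + ": XksKeyId is required for Origin EXTERNAL_KEY_STORE");
        if (!xks && !k.xksKeyId.empty())
            findings.push_back(k.name + ": XksKeyId is not valid for this Origin");
        if (k.multiRegion && !k.customKeyStoreId.empty())
            findings.push_back(k.name + ": multi-Region key requested in a custom key store");
        // Each KMS key in an external key store must use a different external key.
        if (xks && !k.xksKeyId.empty() &&
            !seen.insert(std::make_pair(k.customKeyStoreId, k.xksKeyId)).second)
            findings.push_back(k.name + ": external key already backs another planned key");
    }
    return findings;
}

// Constructed sample plan: one valid key followed by three misconfigured ones.
std::vector<PlannedKey> SamplePlan() {
    return {
        {"app-data",   Origin::EXTERNAL_KEY_STORE, "cks-EXAMPLE", "ext-key-A", false},
        {"app-logs",   Origin::EXTERNAL_KEY_STORE, "cks-EXAMPLE", "ext-key-A", false},
        {"dr-primary", Origin::EXTERNAL_KEY_STORE, "cks-EXAMPLE", "",          true},
        {"legacy",     Origin::AWS_KMS,            "",            "ext-key-B", false},
    };
}
```

The duplicate check only covers keys within the supplied plan; keys that already exist in the external key store would have to be added to the plan to be considered.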