File Coverage

blib/lib/Paws/KMS.pm

Criterion	Covered	Total	%
statement	3	3	100.0
branch			n/a
condition			n/a
subroutine	1	1	100.0
pod			n/a
total	4	4	100.0

line	stmt	sub	time	code
1				package Paws::KMS;
2	1	1	1518	use Moose;
	1		3
	1		9
3				sub service { 'kms' }
4				sub version { '2014-11-01' }
5				sub target_prefix { 'TrentService' }
6				sub json_version { "1.1" }
7				has max_attempts => (is => 'ro', isa => 'Int', default => 5);
8				has retry => (is => 'ro', isa => 'HashRef', default => sub {
9				{ base => 'rand', type => 'exponential', growth_factor => 2 }
10				});
11				has retriables => (is => 'ro', isa => 'ArrayRef', default => sub { [
12				] });
13
14				with 'Paws::API::Caller', 'Paws::API::EndpointResolver', 'Paws::Net::V4Signature', 'Paws::Net::JsonCaller', 'Paws::Net::JsonResponse';
15
16
17				sub CancelKeyDeletion {
18				my $self = shift;
19				my $call_object = $self->new_with_coercions('Paws::KMS::CancelKeyDeletion', @_);
20				return $self->caller->do_call($self, $call_object);
21				}
22				sub CreateAlias {
23				my $self = shift;
24				my $call_object = $self->new_with_coercions('Paws::KMS::CreateAlias', @_);
25				return $self->caller->do_call($self, $call_object);
26				}
27				sub CreateGrant {
28				my $self = shift;
29				my $call_object = $self->new_with_coercions('Paws::KMS::CreateGrant', @_);
30				return $self->caller->do_call($self, $call_object);
31				}
32				sub CreateKey {
33				my $self = shift;
34				my $call_object = $self->new_with_coercions('Paws::KMS::CreateKey', @_);
35				return $self->caller->do_call($self, $call_object);
36				}
37				sub Decrypt {
38				my $self = shift;
39				my $call_object = $self->new_with_coercions('Paws::KMS::Decrypt', @_);
40				return $self->caller->do_call($self, $call_object);
41				}
42				sub DeleteAlias {
43				my $self = shift;
44				my $call_object = $self->new_with_coercions('Paws::KMS::DeleteAlias', @_);
45				return $self->caller->do_call($self, $call_object);
46				}
47				sub DeleteImportedKeyMaterial {
48				my $self = shift;
49				my $call_object = $self->new_with_coercions('Paws::KMS::DeleteImportedKeyMaterial', @_);
50				return $self->caller->do_call($self, $call_object);
51				}
52				sub DescribeKey {
53				my $self = shift;
54				my $call_object = $self->new_with_coercions('Paws::KMS::DescribeKey', @_);
55				return $self->caller->do_call($self, $call_object);
56				}
57				sub DisableKey {
58				my $self = shift;
59				my $call_object = $self->new_with_coercions('Paws::KMS::DisableKey', @_);
60				return $self->caller->do_call($self, $call_object);
61				}
62				sub DisableKeyRotation {
63				my $self = shift;
64				my $call_object = $self->new_with_coercions('Paws::KMS::DisableKeyRotation', @_);
65				return $self->caller->do_call($self, $call_object);
66				}
67				sub EnableKey {
68				my $self = shift;
69				my $call_object = $self->new_with_coercions('Paws::KMS::EnableKey', @_);
70				return $self->caller->do_call($self, $call_object);
71				}
72				sub EnableKeyRotation {
73				my $self = shift;
74				my $call_object = $self->new_with_coercions('Paws::KMS::EnableKeyRotation', @_);
75				return $self->caller->do_call($self, $call_object);
76				}
77				sub Encrypt {
78				my $self = shift;
79				my $call_object = $self->new_with_coercions('Paws::KMS::Encrypt', @_);
80				return $self->caller->do_call($self, $call_object);
81				}
82				sub GenerateDataKey {
83				my $self = shift;
84				my $call_object = $self->new_with_coercions('Paws::KMS::GenerateDataKey', @_);
85				return $self->caller->do_call($self, $call_object);
86				}
87				sub GenerateDataKeyWithoutPlaintext {
88				my $self = shift;
89				my $call_object = $self->new_with_coercions('Paws::KMS::GenerateDataKeyWithoutPlaintext', @_);
90				return $self->caller->do_call($self, $call_object);
91				}
92				sub GenerateRandom {
93				my $self = shift;
94				my $call_object = $self->new_with_coercions('Paws::KMS::GenerateRandom', @_);
95				return $self->caller->do_call($self, $call_object);
96				}
97				sub GetKeyPolicy {
98				my $self = shift;
99				my $call_object = $self->new_with_coercions('Paws::KMS::GetKeyPolicy', @_);
100				return $self->caller->do_call($self, $call_object);
101				}
102				sub GetKeyRotationStatus {
103				my $self = shift;
104				my $call_object = $self->new_with_coercions('Paws::KMS::GetKeyRotationStatus', @_);
105				return $self->caller->do_call($self, $call_object);
106				}
107				sub GetParametersForImport {
108				my $self = shift;
109				my $call_object = $self->new_with_coercions('Paws::KMS::GetParametersForImport', @_);
110				return $self->caller->do_call($self, $call_object);
111				}
112				sub ImportKeyMaterial {
113				my $self = shift;
114				my $call_object = $self->new_with_coercions('Paws::KMS::ImportKeyMaterial', @_);
115				return $self->caller->do_call($self, $call_object);
116				}
117				sub ListAliases {
118				my $self = shift;
119				my $call_object = $self->new_with_coercions('Paws::KMS::ListAliases', @_);
120				return $self->caller->do_call($self, $call_object);
121				}
122				sub ListGrants {
123				my $self = shift;
124				my $call_object = $self->new_with_coercions('Paws::KMS::ListGrants', @_);
125				return $self->caller->do_call($self, $call_object);
126				}
127				sub ListKeyPolicies {
128				my $self = shift;
129				my $call_object = $self->new_with_coercions('Paws::KMS::ListKeyPolicies', @_);
130				return $self->caller->do_call($self, $call_object);
131				}
132				sub ListKeys {
133				my $self = shift;
134				my $call_object = $self->new_with_coercions('Paws::KMS::ListKeys', @_);
135				return $self->caller->do_call($self, $call_object);
136				}
137				sub ListResourceTags {
138				my $self = shift;
139				my $call_object = $self->new_with_coercions('Paws::KMS::ListResourceTags', @_);
140				return $self->caller->do_call($self, $call_object);
141				}
142				sub ListRetirableGrants {
143				my $self = shift;
144				my $call_object = $self->new_with_coercions('Paws::KMS::ListRetirableGrants', @_);
145				return $self->caller->do_call($self, $call_object);
146				}
147				sub PutKeyPolicy {
148				my $self = shift;
149				my $call_object = $self->new_with_coercions('Paws::KMS::PutKeyPolicy', @_);
150				return $self->caller->do_call($self, $call_object);
151				}
152				sub ReEncrypt {
153				my $self = shift;
154				my $call_object = $self->new_with_coercions('Paws::KMS::ReEncrypt', @_);
155				return $self->caller->do_call($self, $call_object);
156				}
157				sub RetireGrant {
158				my $self = shift;
159				my $call_object = $self->new_with_coercions('Paws::KMS::RetireGrant', @_);
160				return $self->caller->do_call($self, $call_object);
161				}
162				sub RevokeGrant {
163				my $self = shift;
164				my $call_object = $self->new_with_coercions('Paws::KMS::RevokeGrant', @_);
165				return $self->caller->do_call($self, $call_object);
166				}
167				sub ScheduleKeyDeletion {
168				my $self = shift;
169				my $call_object = $self->new_with_coercions('Paws::KMS::ScheduleKeyDeletion', @_);
170				return $self->caller->do_call($self, $call_object);
171				}
172				sub TagResource {
173				my $self = shift;
174				my $call_object = $self->new_with_coercions('Paws::KMS::TagResource', @_);
175				return $self->caller->do_call($self, $call_object);
176				}
177				sub UntagResource {
178				my $self = shift;
179				my $call_object = $self->new_with_coercions('Paws::KMS::UntagResource', @_);
180				return $self->caller->do_call($self, $call_object);
181				}
182				sub UpdateAlias {
183				my $self = shift;
184				my $call_object = $self->new_with_coercions('Paws::KMS::UpdateAlias', @_);
185				return $self->caller->do_call($self, $call_object);
186				}
187				sub UpdateKeyDescription {
188				my $self = shift;
189				my $call_object = $self->new_with_coercions('Paws::KMS::UpdateKeyDescription', @_);
190				return $self->caller->do_call($self, $call_object);
191				}
192
193				sub ListAllAliases {
194				my $self = shift;
195
196				my $callback = shift @_ if (ref($_[0]) eq 'CODE');
197				my $result = $self->ListAliases(@_);
198				my $next_result = $result;
199
200				if (not defined $callback) {
201				while ($next_result->Truncated) {
202				$next_result = $self->ListAliases(@_, Marker => $next_result->NextMarker);
203				push @{ $result->Aliases }, @{ $next_result->Aliases };
204				}
205				return $result;
206				} else {
207				while ($result->Truncated) {
208				$callback->($_ => 'Aliases') foreach (@{ $result->Aliases });
209				$result = $self->ListAliases(@_, Marker => $result->NextMarker);
210				}
211				$callback->($_ => 'Aliases') foreach (@{ $result->Aliases });
212				}
213
214				return undef
215				}
216				sub ListAllGrants {
217				my $self = shift;
218
219				my $callback = shift @_ if (ref($_[0]) eq 'CODE');
220				my $result = $self->ListGrants(@_);
221				my $next_result = $result;
222
223				if (not defined $callback) {
224				while ($next_result->Truncated) {
225				$next_result = $self->ListGrants(@_, Marker => $next_result->NextMarker);
226				push @{ $result->Grants }, @{ $next_result->Grants };
227				}
228				return $result;
229				} else {
230				while ($result->Truncated) {
231				$callback->($_ => 'Grants') foreach (@{ $result->Grants });
232				$result = $self->ListGrants(@_, Marker => $result->NextMarker);
233				}
234				$callback->($_ => 'Grants') foreach (@{ $result->Grants });
235				}
236
237				return undef
238				}
239				sub ListAllKeyPolicies {
240				my $self = shift;
241
242				my $callback = shift @_ if (ref($_[0]) eq 'CODE');
243				my $result = $self->ListKeyPolicies(@_);
244				my $next_result = $result;
245
246				if (not defined $callback) {
247				while ($next_result->Truncated) {
248				$next_result = $self->ListKeyPolicies(@_, Marker => $next_result->NextMarker);
249				push @{ $result->PolicyNames }, @{ $next_result->PolicyNames };
250				}
251				return $result;
252				} else {
253				while ($result->Truncated) {
254				$callback->($_ => 'PolicyNames') foreach (@{ $result->PolicyNames });
255				$result = $self->ListKeyPolicies(@_, Marker => $result->NextMarker);
256				}
257				$callback->($_ => 'PolicyNames') foreach (@{ $result->PolicyNames });
258				}
259
260				return undef
261				}
262				sub ListAllKeys {
263				my $self = shift;
264
265				my $callback = shift @_ if (ref($_[0]) eq 'CODE');
266				my $result = $self->ListKeys(@_);
267				my $next_result = $result;
268
269				if (not defined $callback) {
270				while ($next_result->Truncated) {
271				$next_result = $self->ListKeys(@_, Marker => $next_result->NextMarker);
272				push @{ $result->Keys }, @{ $next_result->Keys };
273				}
274				return $result;
275				} else {
276				while ($result->Truncated) {
277				$callback->($_ => 'Keys') foreach (@{ $result->Keys });
278				$result = $self->ListKeys(@_, Marker => $result->NextMarker);
279				}
280				$callback->($_ => 'Keys') foreach (@{ $result->Keys });
281				}
282
283				return undef
284				}
285
286
287				sub operations { qw/CancelKeyDeletion CreateAlias CreateGrant CreateKey Decrypt DeleteAlias DeleteImportedKeyMaterial DescribeKey DisableKey DisableKeyRotation EnableKey EnableKeyRotation Encrypt GenerateDataKey GenerateDataKeyWithoutPlaintext GenerateRandom GetKeyPolicy GetKeyRotationStatus GetParametersForImport ImportKeyMaterial ListAliases ListGrants ListKeyPolicies ListKeys ListResourceTags ListRetirableGrants PutKeyPolicy ReEncrypt RetireGrant RevokeGrant ScheduleKeyDeletion TagResource UntagResource UpdateAlias UpdateKeyDescription / }
288
289				1;
290
291				### main pod documentation begin ###
292
293				=head1 NAME
294
295				Paws::KMS - Perl Interface to AWS AWS Key Management Service
296
297				=head1 SYNOPSIS
298
299				use Paws;
300
301				my $obj = Paws->service('KMS');
302				my $res = $obj->Method(
303				Arg1 => $val1,
304				Arg2 => [ 'V1', 'V2' ],
305				# if Arg3 is an object, the HashRef will be used as arguments to the constructor
306				# of the arguments type
307				Arg3 => { Att1 => 'Val1' },
308				# if Arg4 is an array of objects, the HashRefs will be passed as arguments to
309				# the constructor of the arguments type
310				Arg4 => [ { Att1 => 'Val1' }, { Att1 => 'Val2' } ],
311				);
312
313				=head1 DESCRIPTION
314
315				AWS Key Management Service
316
317				AWS Key Management Service (AWS KMS) is an encryption and key
318				management web service. This guide describes the AWS KMS operations
319				that you can call programmatically. For general information about AWS
320				KMS, see the AWS Key Management Service Developer Guide.
321
322				AWS provides SDKs that consist of libraries and sample code for various
323				programming languages and platforms (Java, Ruby, .Net, iOS, Android,
324				etc.). The SDKs provide a convenient way to create programmatic access
325				to AWS KMS and other AWS services. For example, the SDKs take care of
326				tasks such as signing requests (see below), managing errors, and
327				retrying requests automatically. For more information about the AWS
328				SDKs, including how to download and install them, see Tools for Amazon
329				Web Services.
330
331				We recommend that you use the AWS SDKs to make programmatic API calls
332				to AWS KMS.
333
334				Clients must support TLS (Transport Layer Security) 1.0. We recommend
335				TLS 1.2. Clients must also support cipher suites with Perfect Forward
336				Secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve
337				Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7
338				and later support these modes.
339
340				B<Signing Requests>
341
342				Requests must be signed by using an access key ID and a secret access
343				key. We strongly recommend that you I<do not> use your AWS account
344				(root) access key ID and secret key for everyday work with AWS KMS.
345				Instead, use the access key ID and secret access key for an IAM user,
346				or you can use the AWS Security Token Service to generate temporary
347				security credentials that you can use to sign requests.
348
349				All AWS KMS operations require Signature Version 4.
350
351				B<Logging API Requests>
352
353				AWS KMS supports AWS CloudTrail, a service that logs AWS API calls and
354				related events for your AWS account and delivers them to an Amazon S3
355				bucket that you specify. By using the information collected by
356				CloudTrail, you can determine what requests were made to AWS KMS, who
357				made the request, when it was made, and so on. To learn more about
358				CloudTrail, including how to turn it on and find your log files, see
359				the AWS CloudTrail User Guide.
360
361				B<Additional Resources>
362
363				For more information about credentials and request signing, see the
364				following:
365
366				=over
367
368				=item *
369
370				AWS Security Credentials - This topic provides general information
371				about the types of credentials used for accessing AWS.
372
373				=item *
374
375				Temporary Security Credentials - This section of the I<IAM User Guide>
376				describes how to create and use temporary security credentials.
377
378				=item *
379
380				Signature Version 4 Signing Process - This set of topics walks you
381				through the process of signing a request using an access key ID and a
382				secret access key.
383
384				=back
385
386				B<Commonly Used APIs>
387
388				Of the APIs discussed in this guide, the following will prove the most
389				useful for most applications. You will likely perform actions other
390				than these, such as creating keys and assigning policies, by using the
391				console.
392
393				=over
394
395				=item *
396
397				Encrypt
398
399				=item *
400
401				Decrypt
402
403				=item *
404
405				GenerateDataKey
406
407				=item *
408
409				GenerateDataKeyWithoutPlaintext
410
411				=back
412
413
414				=head1 METHODS
415
416				=head2 CancelKeyDeletion(KeyId => Str)
417
418				Each argument is described in detail in: L<Paws::KMS::CancelKeyDeletion>
419
420				Returns: a L<Paws::KMS::CancelKeyDeletionResponse> instance
421
422				Cancels the deletion of a customer master key (CMK). When this
423				operation is successful, the CMK is set to the C<Disabled> state. To
424				enable a CMK, use EnableKey.
425
426				For more information about scheduling and canceling deletion of a CMK,
427				see Deleting Customer Master Keys in the I<AWS Key Management Service
428				Developer Guide>.
429
430
431				=head2 CreateAlias(AliasName => Str, TargetKeyId => Str)
432
433				Each argument is described in detail in: L<Paws::KMS::CreateAlias>
434
435				Returns: nothing
436
437				Creates a display name for a customer master key. An alias can be used
438				to identify a key and should be unique. The console enforces a
439				one-to-one mapping between the alias and a key. An alias name can
440				contain only alphanumeric characters, forward slashes (/), underscores
441				(_), and dashes (-). An alias must start with the word "alias" followed
442				by a forward slash (alias/). An alias that begins with "aws" after the
443				forward slash (alias/aws...) is reserved by Amazon Web Services (AWS).
444
445				The alias and the key it is mapped to must be in the same AWS account
446				and the same region.
447
448				To map an alias to a different key, call UpdateAlias.
449
450
451				=head2 CreateGrant(GranteePrincipal => Str, KeyId => Str, [Constraints => L<Paws::KMS::GrantConstraints>, GrantTokens => ArrayRef[Str\|Undef], Name => Str, Operations => ArrayRef[Str\|Undef], RetiringPrincipal => Str])
452
453				Each argument is described in detail in: L<Paws::KMS::CreateGrant>
454
455				Returns: a L<Paws::KMS::CreateGrantResponse> instance
456
457				Adds a grant to a key to specify who can use the key and under what
458				conditions. Grants are alternate permission mechanisms to key policies.
459
460				For more information about grants, see Grants in the I<AWS Key
461				Management Service Developer Guide>.
462
463
464				=head2 CreateKey([BypassPolicyLockoutSafetyCheck => Bool, Description => Str, KeyUsage => Str, Origin => Str, Policy => Str, Tags => ArrayRef[L<Paws::KMS::Tag>]])
465
466				Each argument is described in detail in: L<Paws::KMS::CreateKey>
467
468				Returns: a L<Paws::KMS::CreateKeyResponse> instance
469
470				Creates a customer master key (CMK).
471
472				You can use a CMK to encrypt small amounts of data (4 KiB or less)
473				directly, but CMKs are more commonly used to encrypt data encryption
474				keys (DEKs), which are used to encrypt raw data. For more information
475				about DEKs and the difference between CMKs and DEKs, see the following:
476
477				=over
478
479				=item *
480
481				The GenerateDataKey operation
482
483				=item *
484
485				AWS Key Management Service Concepts in the I<AWS Key Management Service
486				Developer Guide>
487
488				=back
489
490
491
492				=head2 Decrypt(CiphertextBlob => Str, [EncryptionContext => L<Paws::KMS::EncryptionContextType>, GrantTokens => ArrayRef[Str\|Undef]])
493
494				Each argument is described in detail in: L<Paws::KMS::Decrypt>
495
496				Returns: a L<Paws::KMS::DecryptResponse> instance
497
498				Decrypts ciphertext. Ciphertext is plaintext that has been previously
499				encrypted by using any of the following functions:
500
501				=over
502
503				=item *
504
505				GenerateDataKey
506
507				=item *
508
509				GenerateDataKeyWithoutPlaintext
510
511				=item *
512
513				Encrypt
514
515				=back
516
517				Note that if a caller has been granted access permissions to all keys
518				(through, for example, IAM user policies that grant C<Decrypt>
519				permission on all resources), then ciphertext encrypted by using keys
520				in other accounts where the key grants access to the caller can be
521				decrypted. To remedy this, we recommend that you do not grant
522				C<Decrypt> access in an IAM user policy. Instead grant C<Decrypt>
523				access only in key policies. If you must grant C<Decrypt> access in an
524				IAM user policy, you should scope the resource to specific keys or to
525				specific trusted accounts.
526
527
528				=head2 DeleteAlias(AliasName => Str)
529
530				Each argument is described in detail in: L<Paws::KMS::DeleteAlias>
531
532				Returns: nothing
533
534				Deletes the specified alias. To map an alias to a different key, call
535				UpdateAlias.
536
537
538				=head2 DeleteImportedKeyMaterial(KeyId => Str)
539
540				Each argument is described in detail in: L<Paws::KMS::DeleteImportedKeyMaterial>
541
542				Returns: nothing
543
544				Deletes key material that you previously imported and makes the
545				specified customer master key (CMK) unusable. For more information
546				about importing key material into AWS KMS, see Importing Key Material
547				in the I<AWS Key Management Service Developer Guide>.
548
549				When the specified CMK is in the C<PendingDeletion> state, this
550				operation does not change the CMK's state. Otherwise, it changes the
551				CMK's state to C<PendingImport>.
552
553				After you delete key material, you can use ImportKeyMaterial to
554				reimport the same key material into the CMK.
555
556
557				=head2 DescribeKey(KeyId => Str, [GrantTokens => ArrayRef[Str\|Undef]])
558
559				Each argument is described in detail in: L<Paws::KMS::DescribeKey>
560
561				Returns: a L<Paws::KMS::DescribeKeyResponse> instance
562
563				Provides detailed information about the specified customer master key.
564
565
566				=head2 DisableKey(KeyId => Str)
567
568				Each argument is described in detail in: L<Paws::KMS::DisableKey>
569
570				Returns: nothing
571
572				Sets the state of a customer master key (CMK) to disabled, thereby
573				preventing its use for cryptographic operations. For more information
574				about how key state affects the use of a CMK, see How Key State Affects
575				the Use of a Customer Master Key in the I<AWS Key Management Service
576				Developer Guide>.
577
578
579				=head2 DisableKeyRotation(KeyId => Str)
580
581				Each argument is described in detail in: L<Paws::KMS::DisableKeyRotation>
582
583				Returns: nothing
584
585				Disables rotation of the specified key.
586
587
588				=head2 EnableKey(KeyId => Str)
589
590				Each argument is described in detail in: L<Paws::KMS::EnableKey>
591
592				Returns: nothing
593
594				Marks a key as enabled, thereby permitting its use.
595
596
597				=head2 EnableKeyRotation(KeyId => Str)
598
599				Each argument is described in detail in: L<Paws::KMS::EnableKeyRotation>
600
601				Returns: nothing
602
603				Enables rotation of the specified customer master key.
604
605
606				=head2 Encrypt(KeyId => Str, Plaintext => Str, [EncryptionContext => L<Paws::KMS::EncryptionContextType>, GrantTokens => ArrayRef[Str\|Undef]])
607
608				Each argument is described in detail in: L<Paws::KMS::Encrypt>
609
610				Returns: a L<Paws::KMS::EncryptResponse> instance
611
612				Encrypts plaintext into ciphertext by using a customer master key. The
613				C<Encrypt> function has two primary use cases:
614
615				=over
616
617				=item *
618
619				You can encrypt up to 4 KB of arbitrary data such as an RSA key, a
620				database password, or other sensitive customer information.
621
622				=item *
623
624				If you are moving encrypted data from one region to another, you can
625				use this API to encrypt in the new region the plaintext data key that
626				was used to encrypt the data in the original region. This provides you
627				with an encrypted copy of the data key that can be decrypted in the new
628				region and used there to decrypt the encrypted data.
629
630				=back
631
632				Unless you are moving encrypted data from one region to another, you
633				don't use this function to encrypt a generated data key within a
634				region. You retrieve data keys already encrypted by calling the
635				GenerateDataKey or GenerateDataKeyWithoutPlaintext function. Data keys
636				don't need to be encrypted again by calling C<Encrypt>.
637
638				If you want to encrypt data locally in your application, you can use
639				the C<GenerateDataKey> function to return a plaintext data encryption
640				key and a copy of the key encrypted under the customer master key (CMK)
641				of your choosing.
642
643
644				=head2 GenerateDataKey(KeyId => Str, [EncryptionContext => L<Paws::KMS::EncryptionContextType>, GrantTokens => ArrayRef[Str\|Undef], KeySpec => Str, NumberOfBytes => Int])
645
646				Each argument is described in detail in: L<Paws::KMS::GenerateDataKey>
647
648				Returns: a L<Paws::KMS::GenerateDataKeyResponse> instance
649
650				Returns a data encryption key that you can use in your application to
651				encrypt data locally.
652
653				You must specify the customer master key (CMK) under which to generate
654				the data key. You must also specify the length of the data key using
655				either the C<KeySpec> or C<NumberOfBytes> field. You must specify one
656				field or the other, but not both. For common key lengths (128-bit and
657				256-bit symmetric keys), we recommend that you use C<KeySpec>.
658
659				This operation returns a plaintext copy of the data key in the
660				C<Plaintext> field of the response, and an encrypted copy of the data
661				key in the C<CiphertextBlob> field. The data key is encrypted under the
662				CMK specified in the C<KeyId> field of the request.
663
664				We recommend that you use the following pattern to encrypt data locally
665				in your application:
666
667				=over
668
669				=item 1.
670
671				Use this operation (C<GenerateDataKey>) to retrieve a data encryption
672				key.
673
674				=item 2.
675
676				Use the plaintext data encryption key (returned in the C<Plaintext>
677				field of the response) to encrypt data locally, then erase the
678				plaintext data key from memory.
679
680				=item 3.
681
682				Store the encrypted data key (returned in the C<CiphertextBlob> field
683				of the response) alongside the locally encrypted data.
684
685				=back
686
687				To decrypt data locally:
688
689				=over
690
691				=item 1.
692
693				Use the Decrypt operation to decrypt the encrypted data key into a
694				plaintext copy of the data key.
695
696				=item 2.
697
698				Use the plaintext data key to decrypt data locally, then erase the
699				plaintext data key from memory.
700
701				=back
702
703				To return only an encrypted copy of the data key, use
704				GenerateDataKeyWithoutPlaintext. To return a random byte string that is
705				cryptographically secure, use GenerateRandom.
706
707				If you use the optional C<EncryptionContext> field, you must store at
708				least enough information to be able to reconstruct the full encryption
709				context when you later send the ciphertext to the Decrypt operation. It
710				is a good practice to choose an encryption context that you can
711				reconstruct on the fly to better secure the ciphertext. For more
712				information, see Encryption Context in the I<AWS Key Management Service
713				Developer Guide>.
714
715
716				=head2 GenerateDataKeyWithoutPlaintext(KeyId => Str, [EncryptionContext => L<Paws::KMS::EncryptionContextType>, GrantTokens => ArrayRef[Str\|Undef], KeySpec => Str, NumberOfBytes => Int])
717
718				Each argument is described in detail in: L<Paws::KMS::GenerateDataKeyWithoutPlaintext>
719
720				Returns: a L<Paws::KMS::GenerateDataKeyWithoutPlaintextResponse> instance
721
722				Returns a data encryption key encrypted under a customer master key
723				(CMK). This operation is identical to GenerateDataKey but returns only
724				the encrypted copy of the data key.
725
726				This operation is useful in a system that has multiple components with
727				different degrees of trust. For example, consider a system that stores
728				encrypted data in containers. Each container stores the encrypted data
729				and an encrypted copy of the data key. One component of the system,
730				called the I<control plane>, creates new containers. When it creates a
731				new container, it uses this operation
732				(C<GenerateDataKeyWithoutPlaintext>) to get an encrypted data key and
733				then stores it in the container. Later, a different component of the
734				system, called the I<data plane>, puts encrypted data into the
735				containers. To do this, it passes the encrypted data key to the Decrypt
736				operation, then uses the returned plaintext data key to encrypt data,
737				and finally stores the encrypted data in the container. In this system,
738				the control plane never sees the plaintext data key.
739
740
741				=head2 GenerateRandom([NumberOfBytes => Int])
742
743				Each argument is described in detail in: L<Paws::KMS::GenerateRandom>
744
745				Returns: a L<Paws::KMS::GenerateRandomResponse> instance
746
747				Returns a random byte string that is cryptographically secure.
748
749				For more information about entropy and random number generation, see
750				the AWS Key Management Service Cryptographic Details whitepaper.
751
752
753				=head2 GetKeyPolicy(KeyId => Str, PolicyName => Str)
754
755				Each argument is described in detail in: L<Paws::KMS::GetKeyPolicy>
756
757				Returns: a L<Paws::KMS::GetKeyPolicyResponse> instance
758
759				Retrieves a policy attached to the specified key.
760
761
762				=head2 GetKeyRotationStatus(KeyId => Str)
763
764				Each argument is described in detail in: L<Paws::KMS::GetKeyRotationStatus>
765
766				Returns: a L<Paws::KMS::GetKeyRotationStatusResponse> instance
767
768				Retrieves a Boolean value that indicates whether key rotation is
769				enabled for the specified key.
770
771
772				=head2 GetParametersForImport(KeyId => Str, WrappingAlgorithm => Str, WrappingKeySpec => Str)
773
774				Each argument is described in detail in: L<Paws::KMS::GetParametersForImport>
775
776				Returns: a L<Paws::KMS::GetParametersForImportResponse> instance
777
778				Returns the items you need in order to import key material into AWS KMS
779				from your existing key management infrastructure. For more information
780				about importing key material into AWS KMS, see Importing Key Material
781				in the I<AWS Key Management Service Developer Guide>.
782
783				You must specify the key ID of the customer master key (CMK) into which
784				you will import key material. This CMK's C<Origin> must be C<EXTERNAL>.
785				You must also specify the wrapping algorithm and type of wrapping key
786				(public key) that you will use to encrypt the key material.
787
788				This operation returns a public key and an import token. Use the public
789				key to encrypt the key material. Store the import token to send with a
790				subsequent ImportKeyMaterial request. The public key and import token
791				from the same response must be used together. These items are valid for
792				24 hours, after which they cannot be used for a subsequent
793				ImportKeyMaterial request. To retrieve new ones, send another
794				C<GetParametersForImport> request.
795
796
797				=head2 ImportKeyMaterial(EncryptedKeyMaterial => Str, ImportToken => Str, KeyId => Str, [ExpirationModel => Str, ValidTo => Str])
798
799				Each argument is described in detail in: L<Paws::KMS::ImportKeyMaterial>
800
801				Returns: a L<Paws::KMS::ImportKeyMaterialResponse> instance
802
803				Imports key material into an AWS KMS customer master key (CMK) from
804				your existing key management infrastructure. For more information about
805				importing key material into AWS KMS, see Importing Key Material in the
806				I<AWS Key Management Service Developer Guide>.
807
808				You must specify the key ID of the CMK to import the key material into.
809				This CMK's C<Origin> must be C<EXTERNAL>. You must also send an import
810				token and the encrypted key material. Send the import token that you
811				received in the same GetParametersForImport response that contained the
812				public key that you used to encrypt the key material. You must also
813				specify whether the key material expires and if so, when. When the key
814				material expires, AWS KMS deletes the key material and the CMK becomes
815				unusable. To use the CMK again, you can reimport the same key material.
816				If you set an expiration date, you can change it only by reimporting
817				the same key material and specifying a new expiration date.
818
819				When this operation is successful, the specified CMK's key state
820				changes to C<Enabled>, and you can use the CMK.
821
822				After you successfully import key material into a CMK, you can reimport
823				the same key material into that CMK, but you cannot import different
824				key material.
825
826
827				=head2 ListAliases([Limit => Int, Marker => Str])
828
829				Each argument is described in detail in: L<Paws::KMS::ListAliases>
830
831				Returns: a L<Paws::KMS::ListAliasesResponse> instance
832
833				Lists all of the key aliases in the account.
834
835
836				=head2 ListGrants(KeyId => Str, [Limit => Int, Marker => Str])
837
838				Each argument is described in detail in: L<Paws::KMS::ListGrants>
839
840				Returns: a L<Paws::KMS::ListGrantsResponse> instance
841
842				List the grants for a specified key.
843
844
845				=head2 ListKeyPolicies(KeyId => Str, [Limit => Int, Marker => Str])
846
847				Each argument is described in detail in: L<Paws::KMS::ListKeyPolicies>
848
849				Returns: a L<Paws::KMS::ListKeyPoliciesResponse> instance
850
851				Retrieves a list of policies attached to a key.
852
853
854				=head2 ListKeys([Limit => Int, Marker => Str])
855
856				Each argument is described in detail in: L<Paws::KMS::ListKeys>
857
858				Returns: a L<Paws::KMS::ListKeysResponse> instance
859
860				Lists the customer master keys.
861
862
863				=head2 ListResourceTags(KeyId => Str, [Limit => Int, Marker => Str])
864
865				Each argument is described in detail in: L<Paws::KMS::ListResourceTags>
866
867				Returns: a L<Paws::KMS::ListResourceTagsResponse> instance
868
869				Returns a list of all tags for the specified customer master key (CMK).
870
871
872				=head2 ListRetirableGrants(RetiringPrincipal => Str, [Limit => Int, Marker => Str])
873
874				Each argument is described in detail in: L<Paws::KMS::ListRetirableGrants>
875
876				Returns: a L<Paws::KMS::ListGrantsResponse> instance
877
878				Returns a list of all grants for which the grant's C<RetiringPrincipal>
879				matches the one specified.
880
881				A typical use is to list all grants that you are able to retire. To
882				retire a grant, use RetireGrant.
883
884
885				=head2 PutKeyPolicy(KeyId => Str, Policy => Str, PolicyName => Str, [BypassPolicyLockoutSafetyCheck => Bool])
886
887				Each argument is described in detail in: L<Paws::KMS::PutKeyPolicy>
888
889				Returns: nothing
890
891				Attaches a key policy to the specified customer master key (CMK).
892
893				For more information about key policies, see Key Policies in the I<AWS
894				Key Management Service Developer Guide>.
895
896
897				=head2 ReEncrypt(CiphertextBlob => Str, DestinationKeyId => Str, [DestinationEncryptionContext => L<Paws::KMS::EncryptionContextType>, GrantTokens => ArrayRef[Str\|Undef], SourceEncryptionContext => L<Paws::KMS::EncryptionContextType>])
898
899				Each argument is described in detail in: L<Paws::KMS::ReEncrypt>
900
901				Returns: a L<Paws::KMS::ReEncryptResponse> instance
902
903				Encrypts data on the server side with a new customer master key (CMK)
904				without exposing the plaintext of the data on the client side. The data
905				is first decrypted and then reencrypted. You can also use this
906				operation to change the encryption context of a ciphertext.
907
908				Unlike other operations, C<ReEncrypt> is authorized twice, once as
909				C<ReEncryptFrom> on the source CMK and once as C<ReEncryptTo> on the
910				destination CMK. We recommend that you include the C<"kms:ReEncrypt*">
911				permission in your key policies to permit reencryption from or to the
912				CMK. This permission is automatically included in the key policy when
913				you create a CMK through the console, but you must include it manually
914				when you create a CMK programmatically or when you set a key policy
915				with the PutKeyPolicy operation.
916
917
918				=head2 RetireGrant([GrantId => Str, GrantToken => Str, KeyId => Str])
919
920				Each argument is described in detail in: L<Paws::KMS::RetireGrant>
921
922				Returns: nothing
923
924				Retires a grant. To clean up, you can retire a grant when you're done
925				using it. You should revoke a grant when you intend to actively deny
926				operations that depend on it. The following are permitted to call this
927				API:
928
929				=over
930
931				=item *
932
933				The AWS account (root user) under which the grant was created
934
935				=item *
936
937				The C<RetiringPrincipal>, if present in the grant
938
939				=item *
940
941				The C<GranteePrincipal>, if C<RetireGrant> is an operation specified in
942				the grant
943
944				=back
945
946				You must identify the grant to retire by its grant token or by a
947				combination of the grant ID and the Amazon Resource Name (ARN) of the
948				customer master key (CMK). A grant token is a unique variable-length
949				base64-encoded string. A grant ID is a 64 character unique identifier
950				of a grant. The CreateGrant operation returns both.
951
952
953				=head2 RevokeGrant(GrantId => Str, KeyId => Str)
954
955				Each argument is described in detail in: L<Paws::KMS::RevokeGrant>
956
957				Returns: nothing
958
959				Revokes a grant. You can revoke a grant to actively deny operations
960				that depend on it.
961
962
963				=head2 ScheduleKeyDeletion(KeyId => Str, [PendingWindowInDays => Int])
964
965				Each argument is described in detail in: L<Paws::KMS::ScheduleKeyDeletion>
966
967				Returns: a L<Paws::KMS::ScheduleKeyDeletionResponse> instance
968
969				Schedules the deletion of a customer master key (CMK). You may provide
970				a waiting period, specified in days, before deletion occurs. If you do
971				not provide a waiting period, the default period of 30 days is used.
972				When this operation is successful, the state of the CMK changes to
973				C<PendingDeletion>. Before the waiting period ends, you can use
974				CancelKeyDeletion to cancel the deletion of the CMK. After the waiting
975				period ends, AWS KMS deletes the CMK and all AWS KMS data associated
976				with it, including all aliases that refer to it.
977
978				Deleting a CMK is a destructive and potentially dangerous operation.
979				When a CMK is deleted, all data that was encrypted under the CMK is
980				rendered unrecoverable. To restrict the use of a CMK without deleting
981				it, use DisableKey.
982
983				For more information about scheduling a CMK for deletion, see Deleting
984				Customer Master Keys in the I<AWS Key Management Service Developer
985				Guide>.
986
987
988				=head2 TagResource(KeyId => Str, Tags => ArrayRef[L<Paws::KMS::Tag>])
989
990				Each argument is described in detail in: L<Paws::KMS::TagResource>
991
992				Returns: nothing
993
994				Adds or overwrites one or more tags for the specified customer master
995				key (CMK).
996
997				Each tag consists of a tag key and a tag value. Tag keys and tag values
998				are both required, but tag values can be empty (null) strings.
999
1000				You cannot use the same tag key more than once per CMK. For example,
1001				consider a CMK with one tag whose tag key is C<Purpose> and tag value
1002				is C<Test>. If you send a C<TagResource> request for this CMK with a
1003				tag key of C<Purpose> and a tag value of C<Prod>, it does not create a
1004				second tag. Instead, the original tag is overwritten with the new tag
1005				value.
1006
1007
1008				=head2 UntagResource(KeyId => Str, TagKeys => ArrayRef[Str\|Undef])
1009
1010				Each argument is described in detail in: L<Paws::KMS::UntagResource>
1011
1012				Returns: nothing
1013
1014				Removes the specified tag or tags from the specified customer master
1015				key (CMK).
1016
1017				To remove a tag, you specify the tag key for each tag to remove. You do
1018				not specify the tag value. To overwrite the tag value for an existing
1019				tag, use TagResource.
1020
1021
1022				=head2 UpdateAlias(AliasName => Str, TargetKeyId => Str)
1023
1024				Each argument is described in detail in: L<Paws::KMS::UpdateAlias>
1025
1026				Returns: nothing
1027
1028				Updates an alias to map it to a different key.
1029
1030				An alias is not a property of a key. Therefore, an alias can be mapped
1031				to and unmapped from an existing key without changing the properties of
1032				the key.
1033
1034				An alias name can contain only alphanumeric characters, forward slashes
1035				(/), underscores (_), and dashes (-). An alias must start with the word
1036				"alias" followed by a forward slash (alias/). An alias that begins with
1037				"aws" after the forward slash (alias/aws...) is reserved by Amazon Web
1038				Services (AWS).
1039
1040				The alias and the key it is mapped to must be in the same AWS account
1041				and the same region.
1042
1043
1044				=head2 UpdateKeyDescription(Description => Str, KeyId => Str)
1045
1046				Each argument is described in detail in: L<Paws::KMS::UpdateKeyDescription>
1047
1048				Returns: nothing
1049
1050				Updates the description of a customer master key (CMK).
1051
1052
1053
1054
1055				=head1 PAGINATORS
1056
1057				Paginator methods are helpers that repetively call methods that return partial results
1058
1059				=head2 ListAllAliases(sub { },[Limit => Int, Marker => Str])
1060
1061				=head2 ListAllAliases([Limit => Int, Marker => Str])
1062
1063
1064				If passed a sub as first parameter, it will call the sub for each element found in :
1065
1066				- Aliases, passing the object as the first parameter, and the string 'Aliases' as the second parameter
1067
1068				If not, it will return a a L<Paws::KMS::ListAliasesResponse> instance with all the C<param>s; from all the responses. Please take into account that this mode can potentially consume vasts ammounts of memory.
1069
1070
1071				=head2 ListAllGrants(sub { },KeyId => Str, [Limit => Int, Marker => Str])
1072
1073				=head2 ListAllGrants(KeyId => Str, [Limit => Int, Marker => Str])
1074
1075
1076				If passed a sub as first parameter, it will call the sub for each element found in :
1077
1078				- Grants, passing the object as the first parameter, and the string 'Grants' as the second parameter
1079
1080				If not, it will return a a L<Paws::KMS::ListGrantsResponse> instance with all the C<param>s; from all the responses. Please take into account that this mode can potentially consume vasts ammounts of memory.
1081
1082
1083				=head2 ListAllKeyPolicies(sub { },KeyId => Str, [Limit => Int, Marker => Str])
1084
1085				=head2 ListAllKeyPolicies(KeyId => Str, [Limit => Int, Marker => Str])
1086
1087
1088				If passed a sub as first parameter, it will call the sub for each element found in :
1089
1090				- PolicyNames, passing the object as the first parameter, and the string 'PolicyNames' as the second parameter
1091
1092				If not, it will return a a L<Paws::KMS::ListKeyPoliciesResponse> instance with all the C<param>s; from all the responses. Please take into account that this mode can potentially consume vasts ammounts of memory.
1093
1094
1095				=head2 ListAllKeys(sub { },[Limit => Int, Marker => Str])
1096
1097				=head2 ListAllKeys([Limit => Int, Marker => Str])
1098
1099
1100				If passed a sub as first parameter, it will call the sub for each element found in :
1101
1102				- Keys, passing the object as the first parameter, and the string 'Keys' as the second parameter
1103
1104				If not, it will return a a L<Paws::KMS::ListKeysResponse> instance with all the C<param>s; from all the responses. Please take into account that this mode can potentially consume vasts ammounts of memory.
1105
1106
1107
1108
1109
1110				=head1 SEE ALSO
1111
1112				This service class forms part of L<Paws>
1113
1114				=head1 BUGS and CONTRIBUTIONS
1115
1116				The source code is located here: https://github.com/pplu/aws-sdk-perl
1117
1118				Please report bugs to: https://github.com/pplu/aws-sdk-perl/issues
1119
1120				=cut
1121