amazonka-kms-1.6.0: Amazon Key Management Service SDK.

Copyright(c) 2013-2018 Brendan Hay
LicenseMozilla Public License, v. 2.0.
MaintainerBrendan Hay <brendan.g.hay+amazonka@gmail.com>
Stabilityauto-generated
Portabilitynon-portable (GHC extensions)
Safe HaskellNone
LanguageHaskell2010

Network.AWS.KMS.ImportKeyMaterial

Contents

Description

Imports key material into an existing AWS KMS customer master key (CMK) that was created without key material. You cannot perform this operation on a CMK in a different AWS account. For more information about creating CMKs with no key material and then importing key material, see Importing Key Material in the AWS Key Management Service Developer Guide .

Before using this operation, call GetParametersForImport . Its response includes a public key and an import token. Use the public key to encrypt the key material. Then, submit the import token from the same GetParametersForImport response.

When calling this operation, you must specify the following values:

  • The key ID or key ARN of a CMK with no key material. Its Origin must be EXTERNAL .

To create a CMK with no key material, call CreateKey and set the value of its Origin parameter to EXTERNAL . To get the Origin of a CMK, call DescribeKey .)

  • The encrypted key material. To get the public key to encrypt the key material, call GetParametersForImport .
  • The import token that GetParametersForImport returned. This token and the public key used to encrypt the key material must have come from the same response.
  • Whether the key material expires and if so, when. If you set an expiration date, you can change it only by reimporting the same key material and specifying a new expiration date. If the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. To use the CMK again, you must reimport the same key material.

When this operation is successful, the CMK's key state changes from PendingImport to Enabled , and you can use the CMK. After you successfully import key material into a CMK, you can reimport the same key material into that CMK, but you cannot import different key material.

Synopsis

Creating a Request

importKeyMaterial #

Creates a value of ImportKeyMaterial with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

  • ikmExpirationModel - Specifies whether the key material expires. The default is KEY_MATERIAL_EXPIRES , in which case you must include the ValidTo parameter. When this parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE , you must omit the ValidTo parameter.
  • ikmValidTo - The time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. You must omit this parameter when the ExpirationModel parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE . Otherwise it is required.
  • ikmKeyId - The identifier of the CMK to import the key material into. The CMK's Origin must be EXTERNAL . Specify the key ID or the Amazon Resource Name (ARN) of the CMK. For example: * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey .
  • ikmImportToken - The import token that you received in the response to a previous GetParametersForImport request. It must be from the same response that contained the public key that you used to encrypt the key material.-- Note: This Lens automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This Lens accepts and returns only raw unencoded data.
  • ikmEncryptedKeyMaterial - The encrypted key material to import. It must be encrypted with the public key that you received in the response to a previous GetParametersForImport request, using the wrapping algorithm that you specified in that request.-- Note: This Lens automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This Lens accepts and returns only raw unencoded data.

data ImportKeyMaterial #

See: importKeyMaterial smart constructor.

Instances

Eq ImportKeyMaterial # 
Data ImportKeyMaterial # 

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> ImportKeyMaterial -> c ImportKeyMaterial #

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c ImportKeyMaterial #

toConstr :: ImportKeyMaterial -> Constr #

dataTypeOf :: ImportKeyMaterial -> DataType #

dataCast1 :: Typeable (* -> *) t => (forall d. Data d => c (t d)) -> Maybe (c ImportKeyMaterial) #

dataCast2 :: Typeable (* -> * -> *) t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c ImportKeyMaterial) #

gmapT :: (forall b. Data b => b -> b) -> ImportKeyMaterial -> ImportKeyMaterial #

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> ImportKeyMaterial -> r #

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> ImportKeyMaterial -> r #

gmapQ :: (forall d. Data d => d -> u) -> ImportKeyMaterial -> [u] #

gmapQi :: Int -> (forall d. Data d => d -> u) -> ImportKeyMaterial -> u #

gmapM :: Monad m => (forall d. Data d => d -> m d) -> ImportKeyMaterial -> m ImportKeyMaterial #

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> ImportKeyMaterial -> m ImportKeyMaterial #

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> ImportKeyMaterial -> m ImportKeyMaterial #

Read ImportKeyMaterial # 
Show ImportKeyMaterial # 
Generic ImportKeyMaterial # 
Hashable ImportKeyMaterial # 
ToJSON ImportKeyMaterial # 
NFData ImportKeyMaterial # 

Methods

rnf :: ImportKeyMaterial -> () #

AWSRequest ImportKeyMaterial # 
ToHeaders ImportKeyMaterial # 
ToPath ImportKeyMaterial # 
ToQuery ImportKeyMaterial # 
type Rep ImportKeyMaterial # 
type Rep ImportKeyMaterial = D1 * (MetaData "ImportKeyMaterial" "Network.AWS.KMS.ImportKeyMaterial" "amazonka-kms-1.6.0-1x3YFaSKSJTDyirX3XbKEX" False) (C1 * (MetaCons "ImportKeyMaterial'" PrefixI True) ((:*:) * ((:*:) * (S1 * (MetaSel (Just Symbol "_ikmExpirationModel") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 * (Maybe ExpirationModelType))) (S1 * (MetaSel (Just Symbol "_ikmValidTo") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 * (Maybe POSIX)))) ((:*:) * (S1 * (MetaSel (Just Symbol "_ikmKeyId") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 * Text)) ((:*:) * (S1 * (MetaSel (Just Symbol "_ikmImportToken") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 * Base64)) (S1 * (MetaSel (Just Symbol "_ikmEncryptedKeyMaterial") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 * Base64))))))
type Rs ImportKeyMaterial # 

Request Lenses

ikmExpirationModel :: Lens' ImportKeyMaterial (Maybe ExpirationModelType) #

Specifies whether the key material expires. The default is KEY_MATERIAL_EXPIRES , in which case you must include the ValidTo parameter. When this parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE , you must omit the ValidTo parameter.

ikmValidTo :: Lens' ImportKeyMaterial (Maybe UTCTime) #

The time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. You must omit this parameter when the ExpirationModel parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE . Otherwise it is required.

ikmKeyId :: Lens' ImportKeyMaterial Text #

The identifier of the CMK to import the key material into. The CMK's Origin must be EXTERNAL . Specify the key ID or the Amazon Resource Name (ARN) of the CMK. For example: * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey .

ikmImportToken :: Lens' ImportKeyMaterial ByteString #

The import token that you received in the response to a previous GetParametersForImport request. It must be from the same response that contained the public key that you used to encrypt the key material.-- Note: This Lens automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This Lens accepts and returns only raw unencoded data.

ikmEncryptedKeyMaterial :: Lens' ImportKeyMaterial ByteString #

The encrypted key material to import. It must be encrypted with the public key that you received in the response to a previous GetParametersForImport request, using the wrapping algorithm that you specified in that request.-- Note: This Lens automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This Lens accepts and returns only raw unencoded data.

Destructuring the Response

importKeyMaterialResponse #

Creates a value of ImportKeyMaterialResponse with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

data ImportKeyMaterialResponse #

See: importKeyMaterialResponse smart constructor.

Instances

Eq ImportKeyMaterialResponse # 
Data ImportKeyMaterialResponse # 

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> ImportKeyMaterialResponse -> c ImportKeyMaterialResponse #

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c ImportKeyMaterialResponse #

toConstr :: ImportKeyMaterialResponse -> Constr #

dataTypeOf :: ImportKeyMaterialResponse -> DataType #

dataCast1 :: Typeable (* -> *) t => (forall d. Data d => c (t d)) -> Maybe (c ImportKeyMaterialResponse) #

dataCast2 :: Typeable (* -> * -> *) t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c ImportKeyMaterialResponse) #

gmapT :: (forall b. Data b => b -> b) -> ImportKeyMaterialResponse -> ImportKeyMaterialResponse #

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> ImportKeyMaterialResponse -> r #

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> ImportKeyMaterialResponse -> r #

gmapQ :: (forall d. Data d => d -> u) -> ImportKeyMaterialResponse -> [u] #

gmapQi :: Int -> (forall d. Data d => d -> u) -> ImportKeyMaterialResponse -> u #

gmapM :: Monad m => (forall d. Data d => d -> m d) -> ImportKeyMaterialResponse -> m ImportKeyMaterialResponse #

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> ImportKeyMaterialResponse -> m ImportKeyMaterialResponse #

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> ImportKeyMaterialResponse -> m ImportKeyMaterialResponse #

Read ImportKeyMaterialResponse # 
Show ImportKeyMaterialResponse # 
Generic ImportKeyMaterialResponse # 
NFData ImportKeyMaterialResponse # 
type Rep ImportKeyMaterialResponse # 
type Rep ImportKeyMaterialResponse = D1 * (MetaData "ImportKeyMaterialResponse" "Network.AWS.KMS.ImportKeyMaterial" "amazonka-kms-1.6.0-1x3YFaSKSJTDyirX3XbKEX" True) (C1 * (MetaCons "ImportKeyMaterialResponse'" PrefixI True) (S1 * (MetaSel (Just Symbol "_ikmrsResponseStatus") NoSourceUnpackedness NoSourceStrictness DecidedLazy) (Rec0 * Int)))

Response Lenses

ikmrsResponseStatus :: Lens' ImportKeyMaterialResponse Int #

  • - | The response status code.