to continue:");
String input = scanner.nextLine();
if (input.trim().equalsIgnoreCase("c")) {
logger.info("Continuing with the program...");
logger.info("");
break;
} else {
// Handle invalid input.
logger.info("Invalid input. Please try again.");
}
}
}
}
```
Defina una clase que ajuste las acciones de KMS.
```
public class KMSActions {
private static final Logger logger = LoggerFactory.getLogger(KMSActions.class);
private static KmsAsyncClient kmsAsyncClient;
/**
* Retrieves an asynchronous AWS Key Management Service (KMS) client.
*
* This method creates and returns a singleton instance of the KMS async client, with the following configurations:
*
* Max concurrency: 100
* Connection timeout: 60 seconds
* Read timeout: 60 seconds
* Write timeout: 60 seconds
* API call timeout: 2 minutes
* API call attempt timeout: 90 seconds
* Retry policy: up to 3 retries
* Credentials provider: environment variable credentials provider
*
*
* If the client instance has already been created, it is returned instead of creating a new one.
*
* @return the KMS async client instance
*/
private static KmsAsyncClient getAsyncClient() {
if (kmsAsyncClient == null) {
SdkAsyncHttpClient httpClient = NettyNioAsyncHttpClient.builder()
.maxConcurrency(100)
.connectionTimeout(Duration.ofSeconds(60))
.readTimeout(Duration.ofSeconds(60))
.writeTimeout(Duration.ofSeconds(60))
.build();
ClientOverrideConfiguration overrideConfig = ClientOverrideConfiguration.builder()
.apiCallTimeout(Duration.ofMinutes(2))
.apiCallAttemptTimeout(Duration.ofSeconds(90))
.retryPolicy(RetryPolicy.builder()
.numRetries(3)
.build())
.build();
kmsAsyncClient = KmsAsyncClient.builder()
.httpClient(httpClient)
.overrideConfiguration(overrideConfig)
.build();
}
return kmsAsyncClient;
}
/**
* Creates a new symmetric encryption key asynchronously.
*
* @param keyDesc the description of the key to be created
* @return a {@link CompletableFuture} that completes with the ID of the newly created key
* @throws RuntimeException if an error occurs while creating the key
*/
public CompletableFuture createKeyAsync(String keyDesc) {
CreateKeyRequest keyRequest = CreateKeyRequest.builder()
.description(keyDesc)
.keySpec(KeySpec.SYMMETRIC_DEFAULT)
.keyUsage(KeyUsageType.ENCRYPT_DECRYPT)
.build();
return getAsyncClient().createKey(keyRequest)
.thenApply(resp -> resp.keyMetadata().keyId())
.exceptionally(ex -> {
throw new RuntimeException("An error occurred while creating the key: " + ex.getMessage(), ex);
});
}
/**
* Asynchronously checks if a specified key is enabled.
*
* @param keyId the ID of the key to check
* @return a {@link CompletableFuture} that, when completed, indicates whether the key is enabled or not
*
* @throws RuntimeException if an exception occurs while checking the key state
*/
public CompletableFuture isKeyEnabledAsync(String keyId) {
DescribeKeyRequest keyRequest = DescribeKeyRequest.builder()
.keyId(keyId)
.build();
CompletableFuture responseFuture = getAsyncClient().describeKey(keyRequest);
return responseFuture.whenComplete((resp, ex) -> {
if (resp != null) {
KeyState keyState = resp.keyMetadata().keyState();
if (keyState == KeyState.ENABLED) {
logger.info("The key is enabled.");
} else {
logger.info("The key is not enabled. Key state: {}", keyState);
}
} else {
throw new RuntimeException(ex);
}
}).thenApply(resp -> resp.keyMetadata().keyState() == KeyState.ENABLED);
}
/**
* Asynchronously enables the specified key.
*
* @param keyId the ID of the key to enable
* @return a {@link CompletableFuture} that completes when the key has been enabled
*/
public CompletableFuture enableKeyAsync(String keyId) {
EnableKeyRequest enableKeyRequest = EnableKeyRequest.builder()
.keyId(keyId)
.build();
CompletableFuture responseFuture = getAsyncClient().enableKey(enableKeyRequest);
responseFuture.whenComplete((response, exception) -> {
if (exception == null) {
logger.info("Key with ID [{}] has been enabled.", keyId);
} else {
if (exception instanceof KmsException kmsEx) {
throw new RuntimeException("KMS error occurred while enabling key: " + kmsEx.getMessage(), kmsEx);
} else {
throw new RuntimeException("An unexpected error occurred while enabling key: " + exception.getMessage(), exception);
}
}
});
return responseFuture.thenApply(response -> null);
}
/**
* Encrypts the given text asynchronously using the specified KMS client and key ID.
*
* @param keyId the ID of the KMS key to use for encryption
* @param text the text to encrypt
* @return a CompletableFuture that completes with the encrypted data as an SdkBytes object
*/
public CompletableFuture encryptDataAsync(String keyId, String text) {
SdkBytes myBytes = SdkBytes.fromUtf8String(text);
EncryptRequest encryptRequest = EncryptRequest.builder()
.keyId(keyId)
.plaintext(myBytes)
.build();
CompletableFuture responseFuture = getAsyncClient().encrypt(encryptRequest).toCompletableFuture();
return responseFuture.whenComplete((response, ex) -> {
if (response != null) {
String algorithm = response.encryptionAlgorithm().toString();
logger.info("The string was encrypted with algorithm {}.", algorithm);
} else {
throw new RuntimeException(ex);
}
}).thenApply(EncryptResponse::ciphertextBlob);
}
/**
* Creates a custom alias for the specified target key asynchronously.
*
* @param targetKeyId the ID of the target key for the alias
* @param aliasName the name of the alias to create
* @return a {@link CompletableFuture} that completes when the alias creation operation is finished
*/
public CompletableFuture createCustomAliasAsync(String targetKeyId, String aliasName) {
CreateAliasRequest aliasRequest = CreateAliasRequest.builder()
.aliasName(aliasName)
.targetKeyId(targetKeyId)
.build();
CompletableFuture responseFuture = getAsyncClient().createAlias(aliasRequest);
responseFuture.whenComplete((response, exception) -> {
if (exception == null) {
logger.info("{} was successfully created.", aliasName);
} else {
if (exception instanceof ResourceExistsException) {
logger.info("Alias [{}] already exists. Moving on...", aliasName);
} else if (exception instanceof KmsException kmsEx) {
throw new RuntimeException("KMS error occurred while creating alias: " + kmsEx.getMessage(), kmsEx);
} else {
throw new RuntimeException("An unexpected error occurred while creating alias: " + exception.getMessage(), exception);
}
}
});
return responseFuture.thenApply(response -> null);
}
/**
* Asynchronously lists all the aliases in the current AWS account.
*
* @return a {@link CompletableFuture} that completes when the list of aliases has been processed
*/
public CompletableFuture listAllAliasesAsync() {
ListAliasesRequest aliasesRequest = ListAliasesRequest.builder()
.limit(15)
.build();
ListAliasesPublisher paginator = getAsyncClient().listAliasesPaginator(aliasesRequest);
return paginator.subscribe(response -> {
response.aliases().forEach(alias ->
logger.info("The alias name is: " + alias.aliasName())
);
})
.thenApply(v -> null)
.exceptionally(ex -> {
if (ex.getCause() instanceof KmsException) {
KmsException e = (KmsException) ex.getCause();
throw new RuntimeException("A KMS exception occurred: " + e.getMessage());
} else {
throw new RuntimeException("An unexpected error occurred: " + ex.getMessage());
}
});
}
/**
* Enables key rotation asynchronously for the specified key ID.
*
* @param keyId the ID of the key for which to enable key rotation
* @return a CompletableFuture that represents the asynchronous operation of enabling key rotation
* @throws RuntimeException if there was an error enabling key rotation, either due to a KMS exception or an unexpected error
*/
public CompletableFuture enableKeyRotationAsync(String keyId) {
EnableKeyRotationRequest enableKeyRotationRequest = EnableKeyRotationRequest.builder()
.keyId(keyId)
.build();
CompletableFuture responseFuture = getAsyncClient().enableKeyRotation(enableKeyRotationRequest);
responseFuture.whenComplete((response, exception) -> {
if (exception == null) {
logger.info("Key rotation has been enabled for key with id [{}]", keyId);
} else {
if (exception instanceof KmsException kmsEx) {
throw new RuntimeException("Failed to enable key rotation: " + kmsEx.getMessage(), kmsEx);
} else {
throw new RuntimeException("An unexpected error occurred: " + exception.getMessage(), exception);
}
}
});
return responseFuture;
}
/**
* Grants permissions to a specified principal on a customer master key (CMK) asynchronously.
*
* @param keyId The unique identifier for the customer master key (CMK) that the grant applies to.
* @param granteePrincipal The principal that is given permission to perform the operations that the grant permits on the CMK.
* @return A {@link CompletableFuture} that, when completed, contains the ID of the created grant.
* @throws RuntimeException If an error occurs during the grant creation process.
*/
public CompletableFuture grantKeyAsync(String keyId, String granteePrincipal) {
List grantPermissions = List.of(
GrantOperation.ENCRYPT,
GrantOperation.DECRYPT,
GrantOperation.DESCRIBE_KEY
);
CreateGrantRequest grantRequest = CreateGrantRequest.builder()
.keyId(keyId)
.name("grant1")
.granteePrincipal(granteePrincipal)
.operations(grantPermissions)
.build();
CompletableFuture responseFuture = getAsyncClient().createGrant(grantRequest);
responseFuture.whenComplete((response, ex) -> {
if (ex == null) {
logger.info("Grant created successfully with ID: " + response.grantId());
} else {
if (ex instanceof KmsException kmsEx) {
throw new RuntimeException("Failed to create grant: " + kmsEx.getMessage(), kmsEx);
} else {
throw new RuntimeException("An unexpected error occurred: " + ex.getMessage(), ex);
}
}
});
return responseFuture.thenApply(CreateGrantResponse::grantId);
}
/**
* Asynchronously displays the grant IDs for the specified key ID.
*
* @param keyId the ID of the AWS KMS key for which to list the grants
* @return a {@link CompletableFuture} that, when completed, will be null if the operation succeeded, or will throw a {@link RuntimeException} if the operation failed
* @throws RuntimeException if there was an error listing the grants, either due to an {@link KmsException} or an unexpected error
*/
public CompletableFuture displayGrantIdsAsync(String keyId) {
ListGrantsRequest grantsRequest = ListGrantsRequest.builder()
.keyId(keyId)
.limit(15)
.build();
ListGrantsPublisher paginator = getAsyncClient().listGrantsPaginator(grantsRequest);
return paginator.subscribe(response -> {
response.grants().forEach(grant -> {
logger.info("The grant Id is: " + grant.grantId());
});
})
.thenApply(v -> null)
.exceptionally(ex -> {
Throwable cause = ex.getCause();
if (cause instanceof KmsException) {
throw new RuntimeException("Failed to list grants: " + cause.getMessage(), cause);
} else {
throw new RuntimeException("An unexpected error occurred: " + cause.getMessage(), cause);
}
});
}
/**
* Revokes a grant for the specified AWS KMS key asynchronously.
*
* @param keyId The ID or key ARN of the AWS KMS key.
* @param grantId The identifier of the grant to be revoked.
* @return A {@link CompletableFuture} representing the asynchronous operation of revoking the grant.
* The {@link CompletableFuture} will complete with a {@link RevokeGrantResponse} object
* if the operation is successful, or with a {@code null} value if an error occurs.
*/
public CompletableFuture revokeKeyGrantAsync(String keyId, String grantId) {
RevokeGrantRequest grantRequest = RevokeGrantRequest.builder()
.keyId(keyId)
.grantId(grantId)
.build();
CompletableFuture responseFuture = getAsyncClient().revokeGrant(grantRequest);
responseFuture.whenComplete((response, exception) -> {
if (exception == null) {
logger.info("Grant ID: [" + grantId + "] was successfully revoked!");
} else {
if (exception instanceof KmsException kmsEx) {
if (kmsEx.getMessage().contains("Grant does not exist")) {
logger.info("The grant ID '" + grantId + "' does not exist. Moving on...");
} else {
throw new RuntimeException("KMS error occurred: " + kmsEx.getMessage(), kmsEx);
}
} else {
throw new RuntimeException("An unexpected error occurred: " + exception.getMessage(), exception);
}
}
});
return responseFuture;
}
/**
* Asynchronously decrypts the given encrypted data using the specified key ID.
*
* @param encryptedData The encrypted data to be decrypted.
* @param keyId The ID of the key to be used for decryption.
* @return A CompletableFuture that, when completed, will contain the decrypted data as a String.
* If an error occurs during the decryption process, the CompletableFuture will complete
* exceptionally with the error, and the method will return an empty String.
*/
public CompletableFuture decryptDataAsync(SdkBytes encryptedData, String keyId) {
DecryptRequest decryptRequest = DecryptRequest.builder()
.ciphertextBlob(encryptedData)
.keyId(keyId)
.build();
CompletableFuture responseFuture = getAsyncClient().decrypt(decryptRequest);
responseFuture.whenComplete((decryptResponse, exception) -> {
if (exception == null) {
logger.info("Data decrypted successfully for key ID: " + keyId);
} else {
if (exception instanceof KmsException kmsEx) {
throw new RuntimeException("KMS error occurred while decrypting data: " + kmsEx.getMessage(), kmsEx);
} else {
throw new RuntimeException("An unexpected error occurred while decrypting data: " + exception.getMessage(), exception);
}
}
});
return responseFuture.thenApply(decryptResponse -> decryptResponse.plaintext().asString(StandardCharsets.UTF_8));
}
/**
* Asynchronously replaces the policy for the specified KMS key.
*
* @param keyId the ID of the KMS key to replace the policy for
* @param policyName the name of the policy to be replaced
* @param accountId the AWS account ID to be used in the policy
* @return a {@link CompletableFuture} that completes with a boolean indicating
* whether the policy replacement was successful or not
*/
public CompletableFuture replacePolicyAsync(String keyId, String policyName, String accountId) {
String policy = """
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::%s:root"},
"Action": "kms:*",
"Resource": "*"
}]
}
""".formatted(accountId);
PutKeyPolicyRequest keyPolicyRequest = PutKeyPolicyRequest.builder()
.keyId(keyId)
.policyName(policyName)
.policy(policy)
.build();
// First, get the current policy to check if it exists
return getAsyncClient().getKeyPolicy(r -> r.keyId(keyId).policyName(policyName))
.thenCompose(response -> {
logger.info("Current policy exists. Replacing it...");
return getAsyncClient().putKeyPolicy(keyPolicyRequest);
})
.thenApply(putPolicyResponse -> {
logger.info("The key policy has been replaced.");
return true;
})
.exceptionally(throwable -> {
if (throwable.getCause() instanceof LimitExceededException) {
logger.error("Cannot replace policy, as only one policy is allowed per key.");
return false;
}
throw new RuntimeException("Error replacing policy", throwable);
});
}
/**
* Asynchronously retrieves the key policy for the specified key ID and policy name.
*
* @param keyId the ID of the AWS KMS key for which to retrieve the policy
* @param policyName the name of the key policy to retrieve
* @return a {@link CompletableFuture} that, when completed, contains the key policy as a {@link String}
*/
public CompletableFuture getKeyPolicyAsync(String keyId, String policyName) {
GetKeyPolicyRequest policyRequest = GetKeyPolicyRequest.builder()
.keyId(keyId)
.policyName(policyName)
.build();
return getAsyncClient().getKeyPolicy(policyRequest)
.thenApply(response -> {
String policy = response.policy();
logger.info("The response is: " + policy);
return policy;
})
.exceptionally(ex -> {
throw new RuntimeException("Failed to get key policy", ex);
});
}
/**
* Asynchronously signs and verifies data using AWS KMS.
*
* The method performs the following steps:
*
* Creates an AWS KMS key with the specified key spec, key usage, and origin.
* Signs the provided message using the created KMS key and the RSASSA-PSS-SHA-256 algorithm.
* Verifies the signature of the message using the created KMS key and the RSASSA-PSS-SHA-256 algorithm.
*
*
* @return a {@link CompletableFuture} that completes with the result of the signature verification,
* {@code true} if the signature is valid, {@code false} otherwise.
* @throws KmsException if any error occurs during the KMS operations.
* @throws RuntimeException if an unexpected error occurs.
*/
public CompletableFuture signVerifyDataAsync() {
String signMessage = "Here is the message that will be digitally signed";
// Create an AWS KMS key used to digitally sign data.
CreateKeyRequest createKeyRequest = CreateKeyRequest.builder()
.keySpec(KeySpec.RSA_2048)
.keyUsage(KeyUsageType.SIGN_VERIFY)
.origin(OriginType.AWS_KMS)
.build();
return getAsyncClient().createKey(createKeyRequest)
.thenCompose(createKeyResponse -> {
String keyId = createKeyResponse.keyMetadata().keyId();
SdkBytes messageBytes = SdkBytes.fromString(signMessage, Charset.defaultCharset());
SignRequest signRequest = SignRequest.builder()
.keyId(keyId)
.message(messageBytes)
.signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256)
.build();
return getAsyncClient().sign(signRequest)
.thenCompose(signResponse -> {
byte[] signedBytes = signResponse.signature().asByteArray();
VerifyRequest verifyRequest = VerifyRequest.builder()
.keyId(keyId)
.message(SdkBytes.fromByteArray(signMessage.getBytes(Charset.defaultCharset())))
.signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signedBytes)))
.signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256)
.build();
return getAsyncClient().verify(verifyRequest)
.thenApply(verifyResponse -> {
return (boolean) verifyResponse.signatureValid();
});
});
})
.exceptionally(throwable -> {
throw new RuntimeException("Failed to sign or verify data", throwable);
});
}
/**
* Asynchronously tags a KMS key with a specific tag.
*
* @param keyId the ID of the KMS key to be tagged
* @return a {@link CompletableFuture} that completes when the tagging operation is finished
*/
public CompletableFuture tagKMSKeyAsync(String keyId) {
Tag tag = Tag.builder()
.tagKey("Environment")
.tagValue("Production")
.build();
TagResourceRequest tagResourceRequest = TagResourceRequest.builder()
.keyId(keyId)
.tags(tag)
.build();
return getAsyncClient().tagResource(tagResourceRequest)
.thenRun(() -> {
logger.info("{} key was tagged", keyId);
})
.exceptionally(throwable -> {
throw new RuntimeException("Failed to tag the KMS key", throwable);
});
}
/**
* Deletes a specific KMS alias asynchronously.
*
* @param aliasName the name of the alias to be deleted
* @return a {@link CompletableFuture} representing the asynchronous operation of deleting the specified alias
*/
public CompletableFuture deleteSpecificAliasAsync(String aliasName) {
DeleteAliasRequest deleteAliasRequest = DeleteAliasRequest.builder()
.aliasName(aliasName)
.build();
return getAsyncClient().deleteAlias(deleteAliasRequest)
.thenRun(() -> {
logger.info("Alias {} has been deleted successfully", aliasName);
})
.exceptionally(throwable -> {
throw new RuntimeException("Failed to delete alias: " + aliasName, throwable);
});
}
/**
* Asynchronously disables the specified AWS Key Management Service (KMS) key.
*
* @param keyId the ID or Amazon Resource Name (ARN) of the KMS key to be disabled
* @return a CompletableFuture that, when completed, indicates that the key has been disabled successfully
*/
public CompletableFuture disableKeyAsync(String keyId) {
DisableKeyRequest keyRequest = DisableKeyRequest.builder()
.keyId(keyId)
.build();
return getAsyncClient().disableKey(keyRequest)
.thenRun(() -> {
logger.info("Key {} has been disabled successfully",keyId);
})
.exceptionally(throwable -> {
throw new RuntimeException("Failed to disable key: " + keyId, throwable);
});
}
/**
* Deletes a KMS key asynchronously.
*
* Warning: Deleting a KMS key is a destructive and potentially dangerous operation.
* When a KMS key is deleted, all data that was encrypted under the KMS key becomes unrecoverable.
* This means that any files, databases, or other data that were encrypted using the deleted KMS key
* will become permanently inaccessible. Exercise extreme caution when deleting KMS keys.
*
* @param keyId the ID of the KMS key to delete
* @return a {@link CompletableFuture} that completes when the key deletion is scheduled
*/
public CompletableFuture deleteKeyAsync(String keyId) {
ScheduleKeyDeletionRequest deletionRequest = ScheduleKeyDeletionRequest.builder()
.keyId(keyId)
.pendingWindowInDays(7)
.build();
return getAsyncClient().scheduleKeyDeletion(deletionRequest)
.thenRun(() -> {
logger.info("Key {} will be deleted in 7 days", keyId);
})
.exceptionally(throwable -> {
throw new RuntimeException("Failed to schedule key deletion for key ID: " + keyId, throwable);
});
}
public String getAccountId(){
try (StsClient stsClient = StsClient.create()){
GetCallerIdentityResponse callerIdentity = stsClient.getCallerIdentity();
return callerIdentity.account();
}
}
}
```
+ Para obtener detalles sobre la API, consulte los siguientes temas en la *Referencia de la API de AWS SDK for Java 2.x *.
+ [CreateAlias](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/CreateAlias)
+ [CreateGrant](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/CreateGrant)
+ [CreateKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/CreateKey)
+ [Decrypt](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/Decrypt)
+ [DescribeKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/DescribeKey)
+ [DisableKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/DisableKey)
+ [EnableKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/EnableKey)
+ [Encrypt](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/Encrypt)
+ [GetKeyPolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/GetKeyPolicy)
+ [ListAliases](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ListAliases)
+ [ListGrants](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ListGrants)
+ [ListKeys](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ListKeys)
+ [RevokeGrant](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/RevokeGrant)
+ [ScheduleKeyDeletion](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ScheduleKeyDeletion)
+ [Sign](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/Sign)
+ [TagResource](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/TagResource)
------
#### [ PHP ]
**SDK para PHP**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
echo "\n";
echo "--------------------------------------\n";
echo <<pressEnter();
$this->kmsClient = new KmsClient([]);
// Initialize the KmsService class with the client. This allows you to override any defaults in the client before giving it to the service class.
$this->kmsService = new KmsService($this->kmsClient);
// 1. Create a symmetric KMS key.
echo "\n";
echo "1. Create a symmetric KMS key.\n";
echo "First, we will create a symmetric KMS key that is used to encrypt and decrypt data by invoking createKey().\n";
$this->pressEnter();
$key = $this->kmsService->createKey();
$this->resources['symmetricKey'] = $key['KeyId'];
echo "Created a customer key with ARN {$key['Arn']}.\n";
$this->pressEnter();
// 2. Enable a KMS key.
echo "\n";
echo "2. Enable a KMS key.\n";
echo "By default when you create an AWS key, it is enabled. The code checks to
determine if the key is enabled. If it is not enabled, the code enables it.\n";
$this->pressEnter();
$keyInfo = $this->kmsService->describeKey($key['KeyId']);
if(!$keyInfo['Enabled']){
echo "The key was not enabled, so we will enable it.\n";
$this->pressEnter();
$this->kmsService->enableKey($key['KeyId']);
echo "The key was successfully enabled.\n";
}else{
echo "The key was already enabled, so there was no need to enable it.\n";
}
$this->pressEnter();
// 3. Encrypt data using the symmetric KMS key.
echo "\n";
echo "3. Encrypt data using the symmetric KMS key.\n";
echo "One of the main uses of symmetric keys is to encrypt and decrypt data.\n";
echo "Next, we'll encrypt the string 'Hello, AWS KMS!' with the SYMMETRIC_DEFAULT encryption algorithm.\n";
$this->pressEnter();
$text = "Hello, AWS KMS!";
$encryption = $this->kmsService->encrypt($key['KeyId'], $text);
echo "The plaintext data was successfully encrypted with the algorithm: {$encryption['EncryptionAlgorithm']}.\n";
$this->pressEnter();
// 4. Create an alias.
echo "\n";
echo "4. Create an alias.\n";
$aliasInput = testable_readline("Please enter an alias prefixed with \"alias/\" or press enter to use a default value: ");
if($aliasInput == ""){
$aliasInput = "alias/dev-encryption-key";
}
$this->kmsService->createAlias($key['KeyId'], $aliasInput);
$this->resources['alias'] = $aliasInput;
echo "The alias \"$aliasInput\" was successfully created.\n";
$this->pressEnter();
// 5. List all of your aliases.
$aliasPageSize = 10;
echo "\n";
echo "5. List all of your aliases, up to $aliasPageSize.\n";
$this->pressEnter();
$aliasPaginator = $this->kmsService->listAliases();
foreach($aliasPaginator as $pages){
foreach($pages['Aliases'] as $alias){
echo $alias['AliasName'] . "\n";
}
break;
}
$this->pressEnter();
// 6. Enable automatic rotation of the KMS key.
echo "\n";
echo "6. Enable automatic rotation of the KMS key.\n";
echo "By default, when the SDK enables automatic rotation of a KMS key,
KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and every year
thereafter.";
$this->pressEnter();
$this->kmsService->enableKeyRotation($key['KeyId']);
echo "The key's rotation was successfully set for key: {$key['KeyId']}\n";
$this->pressEnter();
// 7. Create a grant.
echo "7. Create a grant.\n";
echo "\n";
echo "A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys.
It also can allow them to view a KMS key (DescribeKey) and create and manage grants.
When authorizing access to a KMS key, grants are considered along with key policies and IAM policies.\n";
$granteeARN = testable_readline("Please enter the Amazon Resource Name (ARN) of an Amazon Web Services principal. Valid principals include Amazon Web Services accounts, IAM users, IAM roles, federated users, and assumed role users. For help with the ARN syntax for a principal, see IAM ARNs in the Identity and Access Management User Guide. \nTo skip this step, press enter without any other values: ");
if($granteeARN){
$operations = [
"ENCRYPT",
"DECRYPT",
"DESCRIBE_KEY",
];
$grant = $this->kmsService->createGrant($key['KeyId'], $granteeARN, $operations);
echo "The grant Id is: {$grant['GrantId']}\n";
}else{
echo "Steps 7, 8, and 9 will be skipped.\n";
}
$this->pressEnter();
// 8. List grants for the KMS key.
if($granteeARN){
echo "8. List grants for the KMS key.\n\n";
$grantsPaginator = $this->kmsService->listGrants($key['KeyId']);
foreach($grantsPaginator as $page){
foreach($page['Grants'] as $grant){
echo $grant['GrantId'] . "\n";
}
}
}else{
echo "Skipping step 8...\n";
}
$this->pressEnter();
// 9. Revoke the grant.
if($granteeARN) {
echo "\n";
echo "9. Revoke the grant.\n";
$this->pressEnter();
$this->kmsService->revokeGrant($grant['GrantId'], $keyInfo['KeyId']);
echo "{$grant['GrantId']} was successfully revoked!\n";
}else{
echo "Skipping step 9...\n";
}
$this->pressEnter();
// 10. Decrypt the data.
echo "\n";
echo "10. Decrypt the data.\n";
echo "Let's decrypt the data that was encrypted before.\n";
echo "We'll use the same key to decrypt the string that we encrypted earlier in the program.\n";
$this->pressEnter();
$decryption = $this->kmsService->decrypt($keyInfo['KeyId'], $encryption['CiphertextBlob'], $encryption['EncryptionAlgorithm']);
echo "The decrypted text is: {$decryption['Plaintext']}\n";
$this->pressEnter();
// 11. Replace a Key Policy.
echo "\n";
echo "11. Replace a Key Policy.\n";
echo "A key policy is a resource policy for a KMS key. Key policies are the primary way to control access to KMS keys.\n";
echo "Every KMS key must have exactly one key policy. The statements in the key policy determine who has permission to use the KMS key and how they can use it.\n";
echo " You can also use IAM policies and grants to control access to the KMS key, but every KMS key must have a key policy.\n";
echo "We will replace the key's policy with a new one:\n";
$stsClient = new StsClient([]);
$result = $stsClient->getCallerIdentity();
$accountId = $result['Account'];
$keyPolicy = <<< KEYPOLICY
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::$accountId:root"},
"Action": "kms:*",
"Resource": "*"
}]
}
KEYPOLICY;
echo $keyPolicy;
$this->pressEnter();
$this->kmsService->putKeyPolicy($keyInfo['KeyId'], $keyPolicy);
echo "The Key Policy was successfully replaced!\n";
$this->pressEnter();
// 12. Retrieve the key policy.
echo "\n";
echo "12. Retrieve the key policy.\n";
echo "Let's get some information about the new policy and print it to the screen.\n";
$this->pressEnter();
$policyInfo = $this->kmsService->getKeyPolicy($keyInfo['KeyId']);
echo "We got the info! Here is the policy: \n";
echo $policyInfo['Policy'] . "\n";
$this->pressEnter();
// 13. Create an asymmetric KMS key and sign data.
echo "\n";
echo "13. Create an asymmetric KMS key and sign data.\n";
echo "Signing your data with an AWS key can provide several benefits that make it an attractive option for your data signing needs.\n";
echo "By using an AWS KMS key, you can leverage the security controls and compliance features provided by AWS, which can help you meet various regulatory requirements and enhance the overall security posture of your organization.\n";
echo "First we'll create the asymmetric key.\n";
$this->pressEnter();
$keySpec = "RSA_2048";
$keyUsage = "SIGN_VERIFY";
$asymmetricKey = $this->kmsService->createKey($keySpec, $keyUsage);
$this->resources['asymmetricKey'] = $asymmetricKey['KeyId'];
echo "Created the key with ID: {$asymmetricKey['KeyId']}\n";
echo "Next, we'll sign the data.\n";
$this->pressEnter();
$algorithm = "RSASSA_PSS_SHA_256";
$sign = $this->kmsService->sign($asymmetricKey['KeyId'], $text, $algorithm);
$verify = $this->kmsService->verify($asymmetricKey['KeyId'], $text, $sign['Signature'], $algorithm);
echo "Signature verification result: {$sign['signature']}\n";
$this->pressEnter();
// 14. Tag the symmetric KMS key.
echo "\n";
echo "14. Tag the symmetric KMS key.\n";
echo "By using tags, you can improve the overall management, security, and governance of your KMS keys, making it easier to organize, track, and control access to your encrypted data within your AWS environment.\n";
echo "Let's tag our symmetric key as Environment->Production\n";
$this->pressEnter();
$this->kmsService->tagResource($key['KeyId'], [
[
'TagKey' => "Environment",
'TagValue' => "Production",
],
]);
echo "The key was successfully tagged!\n";
$this->pressEnter();
// 15. Schedule the deletion of the KMS key
echo "\n";
echo "15. Schedule the deletion of the KMS key.\n";
echo "By default, KMS applies a waiting period of 30 days, but you can specify a waiting period of 7-30 days.\n";
echo "When this operation is successful, the key state of the KMS key changes to PendingDeletion and the key can't be used in any cryptographic operations.\n";
echo "It remains in this state for the duration of the waiting period.\n\n";
echo "Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that was encrypted under the KMS key is unrecoverable.\n\n";
$cleanUp = testable_readline("Would you like to delete the resources created during this scenario, including the keys? (y/n): ");
if($cleanUp == "Y" || $cleanUp == "y"){
$this->cleanUp();
}
echo "--------------------------------------------------------------------------------\n";
echo "This concludes the AWS Key Management SDK Basics scenario\n";
echo "--------------------------------------------------------------------------------\n";
namespace Kms;
use Aws\Kms\Exception\KmsException;
use Aws\Kms\KmsClient;
use Aws\Result;
use Aws\ResultPaginator;
use AwsUtilities\AWSServiceClass;
class KmsService extends AWSServiceClass
{
protected KmsClient $client;
protected bool $verbose;
/***
* @param KmsClient|null $client
* @param bool $verbose
*/
public function __construct(KmsClient $client = null, bool $verbose = false)
{
$this->verbose = $verbose;
if($client){
$this->client = $client;
return;
}
$this->client = new KmsClient([]);
}
/***
* @param string $keySpec
* @param string $keyUsage
* @param string $description
* @return array
*/
public function createKey(string $keySpec = "", string $keyUsage = "", string $description = "Created by the SDK for PHP")
{
$parameters = ['Description' => $description];
if($keySpec && $keyUsage){
$parameters['KeySpec'] = $keySpec;
$parameters['KeyUsage'] = $keyUsage;
}
try {
$result = $this->client->createKey($parameters);
return $result['KeyMetadata'];
}catch(KmsException $caught){
// Check for error specific to createKey operations
if ($caught->getAwsErrorMessage() == "LimitExceededException"){
echo "The request was rejected because a quota was exceeded. For more information, see Quotas in the Key Management Service Developer Guide.";
}
throw $caught;
}
}
/***
* @param string $keyId
* @param string $ciphertext
* @param string $algorithm
* @return Result
*/
public function decrypt(string $keyId, string $ciphertext, string $algorithm = "SYMMETRIC_DEFAULT")
{
try{
return $this->client->decrypt([
'CiphertextBlob' => $ciphertext,
'EncryptionAlgorithm' => $algorithm,
'KeyId' => $keyId,
]);
}catch(KmsException $caught){
echo "There was a problem decrypting the data: {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
/***
* @param string $keyId
* @param string $text
* @return Result
*/
public function encrypt(string $keyId, string $text)
{
try {
return $this->client->encrypt([
'KeyId' => $keyId,
'Plaintext' => $text,
]);
}catch(KmsException $caught){
if($caught->getAwsErrorMessage() == "DisabledException"){
echo "The request was rejected because the specified KMS key is not enabled.\n";
}
throw $caught;
}
}
/***
* @param string $keyId
* @param int $limit
* @return ResultPaginator
*/
public function listAliases(string $keyId = "", int $limit = 0)
{
$args = [];
if($keyId){
$args['KeyId'] = $keyId;
}
if($limit){
$args['Limit'] = $limit;
}
try{
return $this->client->getPaginator("ListAliases", $args);
}catch(KmsException $caught){
if($caught->getAwsErrorMessage() == "InvalidMarkerException"){
echo "The request was rejected because the marker that specifies where pagination should next begin is not valid.\n";
}
throw $caught;
}
}
/***
* @param string $keyId
* @param string $alias
* @return void
*/
public function createAlias(string $keyId, string $alias)
{
try{
$this->client->createAlias([
'TargetKeyId' => $keyId,
'AliasName' => $alias,
]);
}catch (KmsException $caught){
if($caught->getAwsErrorMessage() == "InvalidAliasNameException"){
echo "The request was rejected because the specified alias name is not valid.";
}
throw $caught;
}
}
/***
* @param string $keyId
* @param string $granteePrincipal
* @param array $operations
* @param array $grantTokens
* @return Result
*/
public function createGrant(string $keyId, string $granteePrincipal, array $operations, array $grantTokens = [])
{
$args = [
'KeyId' => $keyId,
'GranteePrincipal' => $granteePrincipal,
'Operations' => $operations,
];
if($grantTokens){
$args['GrantTokens'] = $grantTokens;
}
try{
return $this->client->createGrant($args);
}catch(KmsException $caught){
if($caught->getAwsErrorMessage() == "InvalidGrantTokenException"){
echo "The request was rejected because the specified grant token is not valid.\n";
}
throw $caught;
}
}
/***
* @param string $keyId
* @return array
*/
public function describeKey(string $keyId)
{
try {
$result = $this->client->describeKey([
"KeyId" => $keyId,
]);
return $result['KeyMetadata'];
}catch(KmsException $caught){
if($caught->getAwsErrorMessage() == "NotFoundException"){
echo "The request was rejected because the specified entity or resource could not be found.\n";
}
throw $caught;
}
}
/***
* @param string $keyId
* @return void
*/
public function disableKey(string $keyId)
{
try {
$this->client->disableKey([
'KeyId' => $keyId,
]);
}catch(KmsException $caught){
echo "There was a problem disabling the key: {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
/***
* @param string $keyId
* @return void
*/
public function enableKey(string $keyId)
{
try {
$this->client->enableKey([
'KeyId' => $keyId,
]);
}catch(KmsException $caught){
if($caught->getAwsErrorMessage() == "NotFoundException"){
echo "The request was rejected because the specified entity or resource could not be found.\n";
}
throw $caught;
}
}
/***
* @return array
*/
public function listKeys()
{
try {
$contents = [];
$paginator = $this->client->getPaginator("ListKeys");
foreach($paginator as $result){
foreach ($result['Content'] as $object) {
$contents[] = $object;
}
}
return $contents;
}catch(KmsException $caught){
echo "There was a problem listing the keys: {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
/***
* @param string $keyId
* @return Result
*/
public function listGrants(string $keyId)
{
try{
return $this->client->listGrants([
'KeyId' => $keyId,
]);
}catch(KmsException $caught){
if($caught->getAwsErrorMessage() == "NotFoundException"){
echo " The request was rejected because the specified entity or resource could not be found.\n";
}
throw $caught;
}
}
/***
* @param string $keyId
* @return Result
*/
public function getKeyPolicy(string $keyId)
{
try {
return $this->client->getKeyPolicy([
'KeyId' => $keyId,
]);
}catch(KmsException $caught){
echo "There was a problem getting the key policy: {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
/***
* @param string $grantId
* @param string $keyId
* @return void
*/
public function revokeGrant(string $grantId, string $keyId)
{
try{
$this->client->revokeGrant([
'GrantId' => $grantId,
'KeyId' => $keyId,
]);
}catch(KmsException $caught){
echo "There was a problem with revoking the grant: {$caught->getAwsErrorMessage()}.\n";
throw $caught;
}
}
/***
* @param string $keyId
* @param int $pendingWindowInDays
* @return void
*/
public function scheduleKeyDeletion(string $keyId, int $pendingWindowInDays = 7)
{
try {
$this->client->scheduleKeyDeletion([
'KeyId' => $keyId,
'PendingWindowInDays' => $pendingWindowInDays,
]);
}catch(KmsException $caught){
echo "There was a problem scheduling the key deletion: {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
/***
* @param string $keyId
* @param array $tags
* @return void
*/
public function tagResource(string $keyId, array $tags)
{
try {
$this->client->tagResource([
'KeyId' => $keyId,
'Tags' => $tags,
]);
}catch(KmsException $caught){
echo "There was a problem applying the tag(s): {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
/***
* @param string $keyId
* @param string $message
* @param string $algorithm
* @return Result
*/
public function sign(string $keyId, string $message, string $algorithm)
{
try {
return $this->client->sign([
'KeyId' => $keyId,
'Message' => $message,
'SigningAlgorithm' => $algorithm,
]);
}catch(KmsException $caught){
echo "There was a problem signing the data: {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
/***
* @param string $keyId
* @param int $rotationPeriodInDays
* @return void
*/
public function enableKeyRotation(string $keyId, int $rotationPeriodInDays = 365)
{
try{
$this->client->enableKeyRotation([
'KeyId' => $keyId,
'RotationPeriodInDays' => $rotationPeriodInDays,
]);
}catch(KmsException $caught){
if($caught->getAwsErrorMessage() == "NotFoundException"){
echo "The request was rejected because the specified entity or resource could not be found.\n";
}
throw $caught;
}
}
/***
* @param string $keyId
* @param string $policy
* @return void
*/
public function putKeyPolicy(string $keyId, string $policy)
{
try {
$this->client->putKeyPolicy([
'KeyId' => $keyId,
'Policy' => $policy,
]);
}catch(KmsException $caught){
echo "There was a problem replacing the key policy: {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
/***
* @param string $aliasName
* @return void
*/
public function deleteAlias(string $aliasName)
{
try {
$this->client->deleteAlias([
'AliasName' => $aliasName,
]);
}catch(KmsException $caught){
echo "There was a problem deleting the alias: {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
/***
* @param string $keyId
* @param string $message
* @param string $signature
* @param string $signingAlgorithm
* @return bool
*/
public function verify(string $keyId, string $message, string $signature, string $signingAlgorithm)
{
try {
$result = $this->client->verify([
'KeyId' => $keyId,
'Message' => $message,
'Signature' => $signature,
'SigningAlgorithm' => $signingAlgorithm,
]);
return $result['SignatureValid'];
}catch(KmsException $caught){
echo "There was a problem verifying the signature: {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
}
```
+ Para obtener detalles sobre la API, consulte los siguientes temas en la *Referencia de la API de AWS SDK para PHP *.
+ [CreateAlias](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/CreateAlias)
+ [CreateGrant](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/CreateGrant)
+ [CreateKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/CreateKey)
+ [Decrypt](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/Decrypt)
+ [DescribeKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/DescribeKey)
+ [DisableKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/DisableKey)
+ [EnableKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/EnableKey)
+ [Encrypt](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/Encrypt)
+ [GetKeyPolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/GetKeyPolicy)
+ [ListAliases](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListAliases)
+ [ListGrants](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListGrants)
+ [ListKeys](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListKeys)
+ [RevokeGrant](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/RevokeGrant)
+ [ScheduleKeyDeletion](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ScheduleKeyDeletion)
+ [Sign](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/Sign)
+ [TagResource](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/TagResource)
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class KMSScenario:
"""Runs an interactive scenario that shows how to get started with KMS."""
def __init__(
self,
key_manager: KeyManager,
key_encryption: KeyEncrypt,
alias_manager: AliasManager,
grant_manager: GrantManager,
key_policy: KeyPolicy,
):
self.key_manager = key_manager
self.key_encryption = key_encryption
self.alias_manager = alias_manager
self.grant_manager = grant_manager
self.key_policy = key_policy
self.key_id = ""
self.alias_name = ""
self.asymmetric_key_id = ""
def kms_scenario(self):
key_description = "Created by the AWS KMS API"
print(DASHES)
print(
"""
Welcome to the AWS Key Management SDK Basics scenario.
This program demonstrates how to interact with AWS Key Management using the AWS SDK for Python (Boto3).
The AWS Key Management Service (KMS) is a secure and highly available service that allows you to create
and manage AWS KMS keys and control their use across a wide range of AWS services and applications.
KMS provides a centralized and unified approach to managing encryption keys, making it easier to meet your
data protection and regulatory compliance requirements.
This Basics scenario creates two key types:
- A symmetric encryption key is used to encrypt and decrypt data.
- An asymmetric key used to digitally sign data.
Let's get started...
"""
)
q.ask("Press Enter to continue...")
print(DASHES)
print(f"1. Create a symmetric KMS key\n")
print(
f"First, the program will creates a symmetric KMS key that you can used to encrypt and decrypt data."
)
q.ask("Press Enter to continue...")
self.key_id = self.key_manager.create_key(key_description)["KeyId"]
print(f"A symmetric key was successfully created {self.key_id}.")
q.ask("Press Enter to continue...")
print(DASHES)
print(
"""
2. Enable a KMS key
By default, when the SDK creates an AWS key, it is enabled. The next bit of code checks to
determine if the key is enabled.
"""
)
q.ask("Press Enter to continue...")
is_enabled = self.is_key_enabled(self.key_id)
print(f"Is the key enabled? {is_enabled}")
if not is_enabled:
self.key_manager.enable_key(self.key_id)
q.ask("Press Enter to continue...")
print(DASHES)
print(f"3. Encrypt data using the symmetric KMS key")
plain_text = "Hello, AWS KMS!"
print(
f"""
One of the main uses of symmetric keys is to encrypt and decrypt data.
Next, the code encrypts the string "{plain_text}" with the SYMMETRIC_DEFAULT encryption algorithm.
"""
)
q.ask("Press Enter to continue...")
encrypted_text = self.key_encryption.encrypt(self.key_id, plain_text)
print(DASHES)
print(f"4. Create an alias")
print(
"""
Now, the program will create an alias for the KMS key. An alias is a friendly name that you
can associate with a KMS key. The alias name should be prefixed with 'alias/'.
"""
)
alias_name = q.ask("Enter an alias name: ", q.non_empty)
self.alias_manager.create_alias(self.key_id, alias_name)
print(f"{alias_name} was successfully created.")
self.alias_name = alias_name
print(DASHES)
print(f"5. List all of your aliases")
q.ask("Press Enter to continue...")
self.alias_manager.list_aliases(10)
q.ask("Press Enter to continue...")
print(DASHES)
print(f"6. Enable automatic rotation of the KMS key")
print(
"""
By default, when the SDK enables automatic rotation of a KMS key,
KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and every year
thereafter.
"""
)
q.ask("Press Enter to continue...")
self.key_manager.enable_key_rotation(self.key_id)
print(DASHES)
print(f"Key rotation has been enabled for key with id {self.key_id}")
print(
"""
7. Create a grant
A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys.
It also can allow them to view a KMS key (DescribeKey) and create and manage grants.
When authorizing access to a KMS key, grants are considered along with key policies and IAM policies.
"""
)
print(
"""
To create a grant you must specify a account_id. To specify the grantee account_id, use the Amazon Resource Name (ARN)
of an AWS account_id. Valid principals include AWS accounts, IAM users, IAM roles, federated users,
and assumed role users.
"""
)
account_id = q.ask(
"Enter an account_id, or press enter to skip creating a grant... "
)
grant = None
if account_id != "":
grant = self.grant_manager.create_grant(
self.key_id,
account_id,
[
"Encrypt",
"Decrypt",
"DescribeKey",
],
)
print(f"Grant created successfully with ID: {grant['GrantId']}")
q.ask("Press Enter to continue...")
print(DASHES)
print(DASHES)
print(f"8. List grants for the KMS key")
q.ask("Press Enter to continue...")
self.grant_manager.list_grants(self.key_id)
q.ask("Press Enter to continue...")
print(DASHES)
print(f"9. Revoke the grant")
print(
"""
The revocation of a grant immediately removes the permissions and access that the grant had provided.
This means that any account_id (user, role, or service) that was granted access to perform specific
KMS operations on a KMS key will no longer be able to perform those operations.
"""
)
q.ask("Press Enter to continue...")
if grant is not None:
self.grant_manager.revoke_grant(self.key_id, grant["GrantId"])
print(f"Grant ID: {grant['GrantId']} was successfully revoked!")
q.ask("Press Enter to continue...")
print(DASHES)
print(f"10. Decrypt the data\n")
print(
"""
Lets decrypt the data that was encrypted in an early step.
The code uses the same key to decrypt the string that we encrypted earlier in the program.
"""
)
q.ask("Press Enter to continue...")
decrypted_data = self.key_encryption.decrypt(self.key_id, encrypted_text)
print(f"Data decrypted successfully for key ID: {self.key_id}")
print(f"Decrypted data: {decrypted_data}")
q.ask("Press Enter to continue...")
print(DASHES)
print(f"11. Replace a key policy\n")
print(
"""
A key policy is a resource policy for a KMS key. Key policies are the primary way to control
access to KMS keys. Every KMS key must have exactly one key policy. The statements in the key policy
determine who has permission to use the KMS key and how they can use it.
You can also use IAM policies and grants to control access to the KMS key, but every KMS key
must have a key policy.
By default, when you create a key by using the SDK, a policy is created that
gives the AWS account that owns the KMS key full access to the KMS key.
Let's try to replace the automatically created policy with the following policy.
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::0000000000:root"},
"Action": "kms:*",
"Resource": "*"
}]
}
"""
)
account_id = q.ask("Enter your account ID or press enter to skip: ")
if account_id != "":
policy = {
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
"Action": "kms:*",
"Resource": "*",
}
],
}
self.key_policy.set_new_policy(self.key_id, policy)
print("Key policy replacement succeeded.")
q.ask("Press Enter to continue...")
else:
print("Skipping replacing the key policy.")
print(DASHES)
print(f"12. Get the key policy\n")
print(
f"The next bit of code that runs gets the key policy to make sure it exists."
)
q.ask("Press Enter to continue...")
policy = self.key_policy.get_policy(self.key_id)
print(f"The key policy is: {policy}")
q.ask("Press Enter to continue...")
print(DASHES)
print(f"13. Create an asymmetric KMS key and sign your data\n")
print(
"""
Signing your data with an AWS key can provide several benefits that make it an attractive option
for your data signing needs. By using an AWS KMS key, you can leverage the
security controls and compliance features provided by AWS,
which can help you meet various regulatory requirements and enhance the overall security posture
of your organization.
"""
)
q.ask("Press Enter to continue...")
print(f"Sign and verify data operation succeeded.")
self.asymmetric_key_id = self.key_manager.create_asymmetric_key()
message = "Here is the message that will be digitally signed"
signature = self.key_encryption.sign(self.asymmetric_key_id, message)
if self.key_encryption.verify(self.asymmetric_key_id, message, signature):
print("Signature verification succeeded.")
else:
print("Signature verification failed.")
q.ask("Press Enter to continue...")
print(DASHES)
print(f"14. Tag your symmetric KMS Key\n")
print(
"""
By using tags, you can improve the overall management, security, and governance of your
KMS keys, making it easier to organize, track, and control access to your encrypted data within
your AWS environment
"""
)
q.ask("Press Enter to continue...")
self.key_manager.tag_resource(self.key_id, "Environment", "Production")
self.clean_up()
def is_key_enabled(self, key_id: str) -> bool:
"""
Check if the key is enabled or not.
:param key_id: The key to check.
:return: True if the key is enabled, otherwise False.
"""
response = self.key_manager.describe_key(key_id)
return response["Enabled"] is True
def clean_up(self):
"""
Delete resources created by this scenario.
"""
if self.alias_name != "":
print(f"Deleting the alias {self.alias_name}.")
self.alias_manager.delete_alias(self.alias_name)
window = 7 # The window in days for a scheduled deletion.
if self.key_id != "":
print(
"""
Warning:
Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted,
all data that was encrypted under the KMS key is unrecoverable.
"""
)
if q.ask(
f"Do you want to delete the key with ID {self.key_id} (y/n)?",
q.is_yesno,
):
print(
f"The key {self.key_id} will be deleted with a window of {window} days. You can cancel the deletion before"
)
print("the window expires.")
self.key_manager.delete_key(self.key_id, window)
self.key_id = ""
if self.asymmetric_key_id != "":
if q.ask(
f"Do you want to delete the asymmetric key with ID {self.asymmetric_key_id} (y/n)?",
q.is_yesno,
):
print(
f"The key {self.asymmetric_key_id} will be deleted with a window of {window} days. You can cancel the deletion before"
)
print("the window expires.")
self.key_manager.delete_key(self.asymmetric_key_id, window)
self.asymmetric_key_id = ""
if __name__ == "__main__":
kms_scenario = None
try:
kms_client = boto3.client("kms")
a_key_manager = KeyManager(kms_client)
a_key_encrypt = KeyEncrypt(kms_client)
an_alias_manager = AliasManager(kms_client)
a_grant_manager = GrantManager(kms_client)
a_key_policy = KeyPolicy(kms_client)
kms_scenario = KMSScenario(
key_manager=a_key_manager,
key_encryption=a_key_encrypt,
alias_manager=an_alias_manager,
grant_manager=a_grant_manager,
key_policy=a_key_policy,
)
kms_scenario.kms_scenario()
except Exception:
logging.exception("Something went wrong with the demo!")
if kms_scenario is not None:
kms_scenario.clean_up()
```
Clase contenedora y métodos para la administración de claves KMS.
```
class KeyManager:
def __init__(self, kms_client):
self.kms_client = kms_client
self.created_keys = []
@classmethod
def from_client(cls) -> "KeyManager":
"""
Creates a KeyManager instance with a default KMS client.
:return: An instance of KeyManager initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def create_key(self, key_description: str) -> dict[str, any]:
"""
Creates a key with a user-provided description.
:param key_description: A description for the key.
:return: The key ID.
"""
try:
key = self.kms_client.create_key(Description=key_description)["KeyMetadata"]
self.created_keys.append(key)
return key
except ClientError as err:
logging.error(
"Couldn't create your key. Here's why: %s",
err.response["Error"]["Message"],
)
raise
def describe_key(self, key_id: str) -> dict[str, any]:
"""
Describes a key.
:param key_id: The ARN or ID of the key to describe.
:return: Information about the key.
"""
try:
key = self.kms_client.describe_key(KeyId=key_id)["KeyMetadata"]
return key
except ClientError as err:
logging.error(
"Couldn't get key '%s'. Here's why: %s",
key_id,
err.response["Error"]["Message"],
)
raise
def enable_key_rotation(self, key_id: str) -> None:
"""
Enables rotation for a key.
:param key_id: The ARN or ID of the key to enable rotation for.
"""
try:
self.kms_client.enable_key_rotation(KeyId=key_id)
except ClientError as err:
logging.error(
"Couldn't enable rotation for key '%s'. Here's why: %s",
key_id,
err.response["Error"]["Message"],
)
raise
def create_asymmetric_key(self) -> str:
"""
Creates an asymmetric key in AWS KMS for signing messages.
:return: The ID of the created key.
"""
try:
key = self.kms_client.create_key(
KeySpec="RSA_2048", KeyUsage="SIGN_VERIFY", Origin="AWS_KMS"
)["KeyMetadata"]
self.created_keys.append(key)
return key["KeyId"]
except ClientError as err:
logger.error(
"Couldn't create your key. Here's why: %s",
err.response["Error"]["Message"],
)
raise
def tag_resource(self, key_id: str, tag_key: str, tag_value: str) -> None:
"""
Add or edit tags on a customer managed key.
:param key_id: The ARN or ID of the key to enable rotation for.
:param tag_key: Key for the tag.
:param tag_value: Value for the tag.
"""
try:
self.kms_client.tag_resource(
KeyId=key_id, Tags=[{"TagKey": tag_key, "TagValue": tag_value}]
)
except ClientError as err:
logging.error(
"Couldn't add a tag for the key '%s'. Here's why: %s",
key_id,
err.response["Error"]["Message"],
)
raise
def delete_key(self, key_id: str, window: int) -> None:
"""
Deletes a list of keys.
Warning:
Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted,
all data that was encrypted under the KMS key is unrecoverable.
:param key_id: The ARN or ID of the key to delete.
:param window: The waiting period, in days, before the KMS key is deleted.
"""
try:
self.kms_client.schedule_key_deletion(
KeyId=key_id, PendingWindowInDays=window
)
except ClientError as err:
logging.error(
"Couldn't delete key %s. Here's why: %s",
key_id,
err.response["Error"]["Message"],
)
raise
```
Clase contenedora y métodos para los alias de claves KMS.
```
class AliasManager:
def __init__(self, kms_client):
self.kms_client = kms_client
self.created_key = None
@classmethod
def from_client(cls) -> "AliasManager":
"""
Creates an AliasManager instance with a default KMS client.
:return: An instance of AliasManager initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def create_alias(self, key_id: str, alias: str) -> None:
"""
Creates an alias for the specified key.
:param key_id: The ARN or ID of a key to give an alias.
:param alias: The alias to assign to the key.
"""
try:
self.kms_client.create_alias(AliasName=alias, TargetKeyId=key_id)
except ClientError as err:
if err.response["Error"]["Code"] == "AlreadyExistsException":
logger.error(
"Could not create the alias %s because it already exists.", key_id
)
else:
logger.error(
"Couldn't encrypt text. Here's why: %s",
err.response["Error"]["Message"],
)
raise
def list_aliases(self, page_size: int) -> None:
"""
Lists aliases for the current account.
:param page_size: The number of aliases to list per page.
"""
try:
alias_paginator = self.kms_client.get_paginator("list_aliases")
for alias_page in alias_paginator.paginate(
PaginationConfig={"PageSize": page_size}
):
print(f"Here are {page_size} aliases:")
pprint(alias_page["Aliases"])
if alias_page["Truncated"]:
answer = input(
f"Do you want to see the next {page_size} aliases (y/n)? "
)
if answer.lower() != "y":
break
else:
print("That's all your aliases!")
except ClientError as err:
logging.error(
"Couldn't list your aliases. Here's why: %s",
err.response["Error"]["Message"],
)
raise
def delete_alias(self, alias: str) -> None:
"""
Deletes an alias.
:param alias: The alias to delete.
"""
try:
self.kms_client.delete_alias(AliasName=alias)
except ClientError as err:
logger.error(
"Couldn't delete alias %s. Here's why: %s",
alias,
err.response["Error"]["Message"],
)
raise
```
Clase contenedora y métodos para el cifrado de claves KMS.
```
class KeyEncrypt:
def __init__(self, kms_client):
self.kms_client = kms_client
@classmethod
def from_client(cls) -> "KeyEncrypt":
"""
Creates a KeyEncrypt instance with a default KMS client.
:return: An instance of KeyEncrypt initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def encrypt(self, key_id: str, text: str) -> bytes:
"""
Encrypts text by using the specified key.
:param key_id: The ARN or ID of the key to use for encryption.
:param text: The text to encrypt.
:return: The encrypted version of the text.
"""
try:
response = self.kms_client.encrypt(KeyId=key_id, Plaintext=text.encode())
print(
f"The string was encrypted with algorithm {response['EncryptionAlgorithm']}"
)
return response["CiphertextBlob"]
except ClientError as err:
if err.response["Error"]["Code"] == "DisabledException":
logger.error(
"Could not encrypt because the key %s is disabled.", key_id
)
else:
logger.error(
"Couldn't encrypt text. Here's why: %s",
err.response["Error"]["Message"],
)
raise
def decrypt(self, key_id: str, cipher_text: bytes) -> str:
"""
Decrypts text previously encrypted with a key.
:param key_id: The ARN or ID of the key used to decrypt the data.
:param cipher_text: The encrypted text to decrypt.
:return: The decrypted text.
"""
try:
return self.kms_client.decrypt(KeyId=key_id, CiphertextBlob=cipher_text)[
"Plaintext"
].decode()
except ClientError as err:
logger.error(
"Couldn't decrypt your ciphertext. Here's why: %s",
err.response["Error"]["Message"],
)
raise
def sign(self, key_id: str, message: str) -> str:
"""
Signs a message with a key.
:param key_id: The ARN or ID of the key to use for signing.
:param message: The message to sign.
:return: The signature of the message.
"""
try:
return self.kms_client.sign(
KeyId=key_id,
Message=message.encode(),
SigningAlgorithm="RSASSA_PSS_SHA_256",
)["Signature"]
except ClientError as err:
logger.error(
"Couldn't sign your message. Here's why: %s",
err.response["Error"]["Message"],
)
raise
def verify(self, key_id: str, message: str, signature: str) -> bool:
"""
Verifies a signature against a message.
:param key_id: The ARN or ID of the key used to sign the message.
:param message: The message to verify.
:param signature: The signature to verify.
:return: True when the signature matches the message, otherwise False.
"""
try:
response = self.kms_client.verify(
KeyId=key_id,
Message=message.encode(),
Signature=signature,
SigningAlgorithm="RSASSA_PSS_SHA_256",
)
valid = response["SignatureValid"]
print(f"The signature is {'valid' if valid else 'invalid'}.")
return valid
except ClientError as err:
if err.response["Error"]["Code"] == "SignatureDoesNotMatchException":
print("The signature is not valid.")
else:
logger.error(
"Couldn't verify your signature. Here's why: %s",
err.response["Error"]["Message"],
)
raise
```
Clase contenedora y métodos para las concesiones de claves KMS.
```
class GrantManager:
def __init__(self, kms_client):
self.kms_client = kms_client
@classmethod
def from_client(cls) -> "GrantManager":
"""
Creates a GrantManager instance with a default KMS client.
:return: An instance of GrantManager initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def create_grant(
self, key_id: str, principal: str, operations: [str]
) -> dict[str, str]:
"""
Creates a grant for a key that lets a principal generate a symmetric data
encryption key.
:param key_id: The ARN or ID of the key.
:param principal: The principal to grant permission to.
:param operations: The operations to grant permission for.
:return: The grant that is created.
"""
try:
return self.kms_client.create_grant(
KeyId=key_id,
GranteePrincipal=principal,
Operations=operations,
)
except ClientError as err:
logger.error(
"Couldn't create a grant on key %s. Here's why: %s",
key_id,
err.response["Error"]["Message"],
)
raise
def list_grants(self, key_id):
"""
Lists grants for a key.
:param key_id: The ARN or ID of the key to query.
:return: The grants for the key.
"""
try:
paginator = self.kms_client.get_paginator("list_grants")
grants = []
page_iterator = paginator.paginate(KeyId=key_id)
for page in page_iterator:
grants.extend(page["Grants"])
print(f"Grants for key {key_id}:")
pprint(grants)
return grants
except ClientError as err:
logger.error(
"Couldn't list grants for key %s. Here's why: %s",
key_id,
err.response["Error"]["Message"],
)
raise
def revoke_grant(self, key_id: str, grant_id: str) -> None:
"""
Revokes a grant so that it can no longer be used.
:param key_id: The ARN or ID of the key associated with the grant.
:param grant_id: The ID of the grant to revoke.
"""
try:
self.kms_client.revoke_grant(KeyId=key_id, GrantId=grant_id)
except ClientError as err:
logger.error(
"Couldn't revoke grant %s. Here's why: %s",
grant_id,
err.response["Error"]["Message"],
)
raise
```
Clase contenedora y métodos para las políticas de claves KMS.
```
class KeyPolicy:
def __init__(self, kms_client):
self.kms_client = kms_client
@classmethod
def from_client(cls) -> "KeyPolicy":
"""
Creates a KeyPolicy instance with a default KMS client.
:return: An instance of KeyPolicy initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def set_new_policy(self, key_id: str, policy: dict[str, any]) -> None:
"""
Sets the policy of a key. Setting a policy entirely overwrites the existing
policy, so care is taken to add a statement to the existing list of statements
rather than simply writing a new policy.
:param key_id: The ARN or ID of the key to set the policy to.
:param policy: A new key policy. The key policy must allow the calling principal to make a subsequent
PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable
"""
try:
self.kms_client.put_key_policy(KeyId=key_id, Policy=json.dumps(policy))
except ClientError as err:
logger.error(
"Couldn't set policy for key %s. Here's why %s",
key_id,
err.response["Error"]["Message"],
)
raise
def get_policy(self, key_id: str) -> dict[str, str]:
"""
Gets the policy of a key.
:param key_id: The ARN or ID of the key to query.
:return: The key policy as a dict.
"""
if key_id != "":
try:
response = self.kms_client.get_key_policy(
KeyId=key_id,
)
policy = json.loads(response["Policy"])
except ClientError as err:
logger.error(
"Couldn't get policy for key %s. Here's why: %s",
key_id,
err.response["Error"]["Message"],
)
raise
else:
pprint(policy)
return policy
else:
print("Skipping get policy demo.")
```
+ Para obtener información sobre la API, consulte los siguientes temas en la *Referencia de la API de AWS SDK para Python (Boto3)*.
+ [CreateAlias](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/CreateAlias)
+ [CreateGrant](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/CreateGrant)
+ [CreateKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/CreateKey)
+ [Decrypt](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Decrypt)
+ [DescribeKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/DescribeKey)
+ [DisableKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/DisableKey)
+ [EnableKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/EnableKey)
+ [Encrypt](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Encrypt)
+ [GetKeyPolicy](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/GetKeyPolicy)
+ [ListAliases](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListAliases)
+ [ListGrants](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListGrants)
+ [ListKeys](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListKeys)
+ [RevokeGrant](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/RevokeGrant)
+ [ScheduleKeyDeletion](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ScheduleKeyDeletion)
+ [Sign](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Sign)
+ [TagResource](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/TagResource)
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte[Uso de este servicio con un AWS SDK](sdk-general-information-section.md). En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Acciones de AWS KMS uso AWS SDKs
/// Creates an alias for an AWS Key Management Service (AWS KMS) key.
///
public class CreateAlias
{
public static async Task Main()
{
var client = new AmazonKeyManagementServiceClient();
// The alias name must start with alias/ and can be
// up to 256 alphanumeric characters long.
var aliasName = "alias/ExampleAlias";
// The value supplied as the TargetKeyId can be either
// the key ID or key Amazon Resource Name (ARN) of the
// AWS KMS key.
var keyId = "1234abcd-12ab-34cd-56ef-1234567890ab";
var request = new CreateAliasRequest
{
AliasName = aliasName,
TargetKeyId = keyId,
};
var response = await client.CreateAliasAsync(request);
if (response.HttpStatusCode == System.Net.HttpStatusCode.OK)
{
Console.WriteLine($"Alias, {aliasName}, successfully created.");
}
else
{
Console.WriteLine($"Could not create alias.");
}
}
}
```
+ Para obtener más información sobre la API, consulta [CreateAlias](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/CreateAlias)la *Referencia AWS SDK para .NET de la API*.
------
#### [ CLI ]
**AWS CLI**
**Creación de un alias de una clave de KMS**
El siguiente comando `create-alias` crea un alias llamado `example-alias` de la clave de KMS identificada por el ID de clave `1234abcd-12ab-34cd-56ef-1234567890ab`.
Los nombres del alias no debe empezar por `alias/`. No utilice nombres de alias que comiencen por`alias/aws`; están reservados para su uso exclusivo AWS.
```
aws kms create-alias \
--alias-name alias/example-alias \
--target-key-id 1234abcd-12ab-34cd-56ef-1234567890ab
```
Este comando no devuelve ningún resultado. Para ver el nuevo alias, utilice el comando `list-aliases`.
Para obtener más información, consulte [Uso de alias](https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html) en la *AWS Guía para desarrolladores de Key Management Service*.
+ Para obtener más información sobre la API, consulte [CreateAlias](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-alias.html)la *Referencia de AWS CLI comandos*.
------
#### [ Java ]
**SDK para Java 2.x**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples).
```
/**
* Creates a custom alias for the specified target key asynchronously.
*
* @param targetKeyId the ID of the target key for the alias
* @param aliasName the name of the alias to create
* @return a {@link CompletableFuture} that completes when the alias creation operation is finished
*/
public CompletableFuture createCustomAliasAsync(String targetKeyId, String aliasName) {
CreateAliasRequest aliasRequest = CreateAliasRequest.builder()
.aliasName(aliasName)
.targetKeyId(targetKeyId)
.build();
CompletableFuture responseFuture = getAsyncClient().createAlias(aliasRequest);
responseFuture.whenComplete((response, exception) -> {
if (exception == null) {
logger.info("{} was successfully created.", aliasName);
} else {
if (exception instanceof ResourceExistsException) {
logger.info("Alias [{}] already exists. Moving on...", aliasName);
} else if (exception instanceof KmsException kmsEx) {
throw new RuntimeException("KMS error occurred while creating alias: " + kmsEx.getMessage(), kmsEx);
} else {
throw new RuntimeException("An unexpected error occurred while creating alias: " + exception.getMessage(), exception);
}
}
});
return responseFuture.thenApply(response -> null);
}
```
+ Para obtener más información sobre la API, consulta [CreateAlias](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/CreateAlias)la *Referencia AWS SDK for Java 2.x de la API*.
------
#### [ Kotlin ]
**SDK para Kotlin**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples).
```
suspend fun createCustomAlias(
targetKeyIdVal: String?,
aliasNameVal: String?,
) {
val request =
CreateAliasRequest {
aliasName = aliasNameVal
targetKeyId = targetKeyIdVal
}
KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient ->
kmsClient.createAlias(request)
println("$aliasNameVal was successfully created")
}
}
```
+ Para obtener más información sobre la API, consulta [CreateAlias](https://sdk.amazonaws.com/kotlin/api/latest/index.html)la *referencia sobre el AWS SDK para la API de Kotlin*.
------
#### [ PHP ]
**SDK para PHP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @param string $keyId
* @param string $alias
* @return void
*/
public function createAlias(string $keyId, string $alias)
{
try{
$this->client->createAlias([
'TargetKeyId' => $keyId,
'AliasName' => $alias,
]);
}catch (KmsException $caught){
if($caught->getAwsErrorMessage() == "InvalidAliasNameException"){
echo "The request was rejected because the specified alias name is not valid.";
}
throw $caught;
}
}
```
+ Para obtener más información sobre la API, consulta [CreateAlias](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/CreateAlias)la *Referencia AWS SDK para PHP de la API*.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class AliasManager:
def __init__(self, kms_client):
self.kms_client = kms_client
self.created_key = None
@classmethod
def from_client(cls) -> "AliasManager":
"""
Creates an AliasManager instance with a default KMS client.
:return: An instance of AliasManager initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def create_alias(self, key_id: str, alias: str) -> None:
"""
Creates an alias for the specified key.
:param key_id: The ARN or ID of a key to give an alias.
:param alias: The alias to assign to the key.
"""
try:
self.kms_client.create_alias(AliasName=alias, TargetKeyId=key_id)
except ClientError as err:
if err.response["Error"]["Code"] == "AlreadyExistsException":
logger.error(
"Could not create the alias %s because it already exists.", key_id
)
else:
logger.error(
"Couldn't encrypt text. Here's why: %s",
err.response["Error"]["Message"],
)
raise
```
+ Para obtener más información sobre la API, consulta [CreateAlias](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/CreateAlias)la *AWS Referencia de API de SDK for Python (Boto3*).
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
" iv_alias_name = 'alias/my-key-alias'
" iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab'
lo_kms->createalias(
iv_aliasname = iv_alias_name
iv_targetkeyid = iv_key_id
).
MESSAGE 'Alias created successfully.' TYPE 'I'.
CATCH /aws1/cx_kmsalreadyexistsex.
MESSAGE 'Alias already exists.' TYPE 'E'.
CATCH /aws1/cx_kmsnotfoundexception.
MESSAGE 'Key not found.' TYPE 'E'.
CATCH /aws1/cx_kmsinvalidaliasnameex.
MESSAGE 'Invalid alias name.' TYPE 'E'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulte [CreateAlias](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)la *referencia sobre la API ABAP del AWS SDK para SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte[Uso de este servicio con un AWS SDK](sdk-general-information-section.md). En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `CreateGrant` con un AWS SDK o CLI
{
"Encrypt",
"Decrypt",
},
};
var response = await client.CreateGrantAsync(request);
string grantId = response.GrantId; // The unique identifier of the grant.
string grantToken = response.GrantToken; // The grant token.
Console.WriteLine($"Id: {grantId}, Token: {grantToken}");
}
}
```
+ Para obtener más información sobre la API, consulta [CreateGrant](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/CreateGrant)la *Referencia AWS SDK para .NET de la API*.
------
#### [ CLI ]
**AWS CLI**
**Creación de una concesión**
En el siguiente ejemplo de `create-grant` se crea una concesión que permite al usuario `exampleUser` utilizar el comando `decrypt` de la clave de KMS del ejemplo `1234abcd-12ab-34cd-56ef-1234567890ab`. La entidad principal que se va a dar de baja es el rol `adminRole`. La concesión utiliza la limitación de concesión `EncryptionContextSubset` para permitir este permiso solo cuando el contexto de cifrado de la solicitud `decrypt` incluye un par clave-valor `"Department": "IT"`.
```
aws kms create-grant \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
--grantee-principal arn:aws:iam::123456789012:user/exampleUser \
--operations Decrypt \
--constraints EncryptionContextSubset={Department=IT} \
--retiring-principal arn:aws:iam::123456789012:role/adminRole
```
Salida:
```
{
"GrantId": "1a2b3c4d2f5e69f440bae30eaec9570bb1fb7358824f9ddfa1aa5a0dab1a59b2",
"GrantToken": ""
}
```
Para ver información detallada sobre la concesión, utilice el comando `list-grants`.
Para obtener más información, consulte [las subvenciones en AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) en la *Guía para desarrolladores de AWS Key Management Service*.
+ Para obtener más información sobre la API, consulte [CreateGrant](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-grant.html)la *Referencia de AWS CLI comandos*.
------
#### [ Java ]
**SDK para Java 2.x**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples).
```
/**
* Grants permissions to a specified principal on a customer master key (CMK) asynchronously.
*
* @param keyId The unique identifier for the customer master key (CMK) that the grant applies to.
* @param granteePrincipal The principal that is given permission to perform the operations that the grant permits on the CMK.
* @return A {@link CompletableFuture} that, when completed, contains the ID of the created grant.
* @throws RuntimeException If an error occurs during the grant creation process.
*/
public CompletableFuture grantKeyAsync(String keyId, String granteePrincipal) {
List grantPermissions = List.of(
GrantOperation.ENCRYPT,
GrantOperation.DECRYPT,
GrantOperation.DESCRIBE_KEY
);
CreateGrantRequest grantRequest = CreateGrantRequest.builder()
.keyId(keyId)
.name("grant1")
.granteePrincipal(granteePrincipal)
.operations(grantPermissions)
.build();
CompletableFuture responseFuture = getAsyncClient().createGrant(grantRequest);
responseFuture.whenComplete((response, ex) -> {
if (ex == null) {
logger.info("Grant created successfully with ID: " + response.grantId());
} else {
if (ex instanceof KmsException kmsEx) {
throw new RuntimeException("Failed to create grant: " + kmsEx.getMessage(), kmsEx);
} else {
throw new RuntimeException("An unexpected error occurred: " + ex.getMessage(), ex);
}
}
});
return responseFuture.thenApply(CreateGrantResponse::grantId);
}
```
+ Para obtener más información sobre la API, consulta [CreateGrant](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/CreateGrant)la *Referencia AWS SDK for Java 2.x de la API*.
------
#### [ Kotlin ]
**SDK para Kotlin**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples).
```
suspend fun createNewGrant(
keyIdVal: String?,
granteePrincipalVal: String?,
operation: String,
): String? {
val operationOb = GrantOperation.fromValue(operation)
val grantOperationList = ArrayList()
grantOperationList.add(operationOb)
val request =
CreateGrantRequest {
keyId = keyIdVal
granteePrincipal = granteePrincipalVal
operations = grantOperationList
}
KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient ->
val response = kmsClient.createGrant(request)
return response.grantId
}
}
```
+ Para obtener más información sobre la API, consulta [CreateGrant](https://sdk.amazonaws.com/kotlin/api/latest/index.html)la *referencia sobre el AWS SDK para la API de Kotlin*.
------
#### [ PHP ]
**SDK para PHP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @param string $keyId
* @param string $granteePrincipal
* @param array $operations
* @param array $grantTokens
* @return Result
*/
public function createGrant(string $keyId, string $granteePrincipal, array $operations, array $grantTokens = [])
{
$args = [
'KeyId' => $keyId,
'GranteePrincipal' => $granteePrincipal,
'Operations' => $operations,
];
if($grantTokens){
$args['GrantTokens'] = $grantTokens;
}
try{
return $this->client->createGrant($args);
}catch(KmsException $caught){
if($caught->getAwsErrorMessage() == "InvalidGrantTokenException"){
echo "The request was rejected because the specified grant token is not valid.\n";
}
throw $caught;
}
}
```
+ Para obtener más información sobre la API, consulta [CreateGrant](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/CreateGrant)la *Referencia AWS SDK para PHP de la API*.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class GrantManager:
def __init__(self, kms_client):
self.kms_client = kms_client
@classmethod
def from_client(cls) -> "GrantManager":
"""
Creates a GrantManager instance with a default KMS client.
:return: An instance of GrantManager initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def create_grant(
self, key_id: str, principal: str, operations: [str]
) -> dict[str, str]:
"""
Creates a grant for a key that lets a principal generate a symmetric data
encryption key.
:param key_id: The ARN or ID of the key.
:param principal: The principal to grant permission to.
:param operations: The operations to grant permission for.
:return: The grant that is created.
"""
try:
return self.kms_client.create_grant(
KeyId=key_id,
GranteePrincipal=principal,
Operations=operations,
)
except ClientError as err:
logger.error(
"Couldn't create a grant on key %s. Here's why: %s",
key_id,
err.response["Error"]["Message"],
)
raise
```
+ Para obtener más información sobre la API, consulta [CreateGrant](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/CreateGrant)la *AWS Referencia de API de SDK for Python (Boto3*).
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
" iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab'
" iv_grantee_principal = 'arn:aws:iam::123456789012:role/my-role'
" it_operations contains 'Encrypt', 'Decrypt', 'GenerateDataKey'
oo_result = lo_kms->creategrant(
iv_keyid = iv_key_id
iv_granteeprincipal = iv_grantee_principal
it_operations = it_operations
).
MESSAGE 'Grant created successfully.' TYPE 'I'.
CATCH /aws1/cx_kmsdisabledexception.
MESSAGE 'The key is disabled.' TYPE 'E'.
CATCH /aws1/cx_kmsnotfoundexception.
MESSAGE 'Key not found.' TYPE 'E'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulte [CreateGrant](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)la *referencia sobre la API ABAP del AWS SDK para SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte[Uso de este servicio con un AWS SDK](sdk-general-information-section.md). En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `CreateKey` con un AWS SDK o CLI
/// Shows how to create a new AWS Key Management Service (AWS KMS)
/// key.
///
public class CreateKey
{
public static async Task Main()
{
// Note that if you need to create a Key in an AWS Region
// other than the Region defined for the default user, you need to
// pass the Region to the client constructor.
var client = new AmazonKeyManagementServiceClient();
// The call to CreateKeyAsync will create a symmetrical AWS KMS
// key. For more information about symmetrical and asymmetrical
// keys, see:
//
// https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html
var response = await client.CreateKeyAsync(new CreateKeyRequest());
// The KeyMetadata object contains information about the new AWS KMS key.
KeyMetadata keyMetadata = response.KeyMetadata;
if (keyMetadata is not null)
{
Console.WriteLine($"KMS Key: {keyMetadata.KeyId} was successfully created.");
}
else
{
Console.WriteLine("Could not create KMS Key.");
}
}
}
```
+ Para obtener más información sobre la API, consulta [CreateKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/CreateKey)la *Referencia AWS SDK para .NET de la API*.
------
#### [ CLI ]
**AWS CLI**
**Ejemplo 1: Para crear una clave de KMS gestionada por el cliente en AWS KMS**
En el siguiente ejemplo `create-key` se crea una clave de KMS de cifrado simétrico.
Para crear la clave de KMS básica, una clave de cifrado simétrica, no es necesario especificar ningún parámetro. Los valores predeterminados de esos parámetros crean una clave de cifrado simétrica.
Puesto que este comando no especifica una política de claves, la clave de KMS obtiene la [política de claves predeterminada](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) para las claves de KMS creadas mediante programación. Utilice el comando `get-key-policy` para ver la política de claves. Utilice el comando `put-key-policy` para cambiar la política de claves.
```
aws kms create-key
```
El comando `create-key` devuelve los metadatos de la clave, incluidos el ID de la clave y el ARN de la nueva clave de KMS. Puede usar estos valores para identificar la clave de KMS en otras operaciones de AWS KMS. La salida no incluye las etiquetas. Para ver las etiquetas de una clave de KMS, utilice `list-resource-tags command`.
Salida:
```
{
"KeyMetadata": {
"AWSAccountId": "111122223333",
"Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"CreationDate": "2017-07-05T14:04:55-07:00",
"CurrentKeyMaterialId": "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "",
"Enabled": true,
"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"KeyManager": "CUSTOMER",
"KeySpec": "SYMMETRIC_DEFAULT",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"MultiRegion": false,
"Origin": "AWS_KMS"
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
]
}
}
```
Nota: El comando `create-key` no permite especificar un alias. Para crear un alias para la nueva clave de KMS, utilice el comando `create-alias`.
Para obtener más información, consulte [Creación de claves](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) en la *Guía para desarrolladores de AWS Key Management Service*.
**Ejemplo 2: Creación de una clave KMS de RSA asimétrica para el cifrado y el descifrado**
El siguiente ejemplo de `create-key` se crea una clave de KMS que incluye un par de claves asimétricas RSA para el cifrado y el descifrado. No se puede cambiar la especificación de clave y el uso de la clave después de crear la clave:
```
aws kms create-key \
--key-spec RSA_4096 \
--key-usage ENCRYPT_DECRYPT
```
Salida:
```
{
"KeyMetadata": {
"Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"AWSAccountId": "111122223333",
"CreationDate": "2021-04-05T14:04:55-07:00",
"CustomerMasterKeySpec": "RSA_4096",
"Description": "",
"Enabled": true,
"EncryptionAlgorithms": [
"RSAES_OAEP_SHA_1",
"RSAES_OAEP_SHA_256"
],
"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"KeyManager": "CUSTOMER",
"KeySpec": "RSA_4096",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"MultiRegion": false,
"Origin": "AWS_KMS"
}
}
```
Para obtener más información, consulte [Claves asimétricas en AWS KMS en](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) la *Guía para desarrolladores del Servicio de administración de AWS claves*.
**Ejemplo 3: creación de una clave de KMS asimétrica de curva elíptica para la firma y la verificación**
Creación de una clave de KMS asimétrica que contenga un par de claves asimétricas de curva elíptica (ECC) para la firma y la verificación. El parámetro `--key-usage` es obligatorio aunque `SIGN_VERIFY` sea el único valor válido para las claves KMS de ECC. No se puede cambiar la especificación de clave y el uso de la clave después de crear la clave:
```
aws kms create-key \
--key-spec ECC_NIST_P521 \
--key-usage SIGN_VERIFY
```
Salida:
```
{
"KeyMetadata": {
"Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"AWSAccountId": "111122223333",
"CreationDate": "2019-12-02T07:48:55-07:00",
"CustomerMasterKeySpec": "ECC_NIST_P521",
"Description": "",
"Enabled": true,
"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"KeyManager": "CUSTOMER",
"KeySpec": "ECC_NIST_P521",
"KeyState": "Enabled",
"KeyUsage": "SIGN_VERIFY",
"MultiRegion": false,
"Origin": "AWS_KMS",
"SigningAlgorithms": [
"ECDSA_SHA_512"
]
}
}
```
Para obtener más información, consulte [Claves asimétricas en AWS KMS en](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) la Guía para *desarrolladores del Servicio de administración de AWS claves*.
**Ejemplo 4: Creación de una clave de KMS ML-DSA asimétrica para la firma y la verificación**
En este ejemplo, se crea una clave de algoritmo de firma digital de module-lattice (ML-DSA) para la firma y la verificación. El parámetro de clave de uso es obligatorio aunque `SIGN_VERIFY` sea el único valor válido para las claves de ML-DSA.
```
aws kms create-key \
--key-spec ML_DSA_65 \
--key-usage SIGN_VERIFY
```
Salida:
```
{
"KeyMetadata": {
"Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"AWSAccountId": "111122223333",
"CreationDate": "2019-12-02T07:48:55-07:00",
"Description": "",
"Enabled": true,
"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"KeyManager": "CUSTOMER",
"KeySpec": "ML_DSA_65",
"KeyState": "Enabled",
"KeyUsage": "SIGN_VERIFY",
"MultiRegion": false,
"Origin": "AWS_KMS",
"SigningAlgorithms": [
"ML_DSA_SHAKE_256"
]
}
}
```
Para obtener más información, consulte [Claves asimétricas en AWS KMS en](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) la Guía para *desarrolladores del Servicio de administración de AWS claves*.
**Ejemplo 5: Creación de una clave de KMS HMAC**
En el siguiente ejemplo de `create-key` se crea una clave de KMS HMAC de 384 bits. El valor `GENERATE_VERIFY_MAC` del parámetro `--key-usage` es obligatorio aunque sea el único valor válido para las claves KMS HMAC.
```
aws kms create-key \
--key-spec HMAC_384 \
--key-usage GENERATE_VERIFY_MAC
```
Salida:
```
{
"KeyMetadata": {
"Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"AWSAccountId": "111122223333",
"CreationDate": "2022-04-05T14:04:55-07:00",
"CustomerMasterKeySpec": "HMAC_384",
"Description": "",
"Enabled": true,
"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"KeyManager": "CUSTOMER",
"KeySpec": "HMAC_384",
"KeyState": "Enabled",
"KeyUsage": "GENERATE_VERIFY_MAC",
"MacAlgorithms": [
"HMAC_SHA_384"
],
"MultiRegion": false,
"Origin": "AWS_KMS"
}
}
```
Para obtener más información, consulte [las claves HMAC en AWS KMS en](https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html) la Guía para *desarrolladores del Servicio de administración de AWS claves*.
**Ejemplo 6: Creación de una clave de KMS principal de varias regiones**
En el siguiente ejemplo de `create-key` se crea una clave principal de cifrado simétrica de varias regiones. Puesto que los valores predeterminados de todos los parámetros crean una clave de cifrado simétrica, solo es necesario el parámetro `--multi-region` para esta clave de KMS. En la AWS CLI, para indicar que un parámetro booleano es verdadero, simplemente especifique el nombre del parámetro.
```
aws kms create-key \
--multi-region
```
Salida:
```
{
"KeyMetadata": {
"Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef12345678990ab",
"AWSAccountId": "111122223333",
"CreationDate": "2021-09-02T016:15:21-09:00",
"CurrentKeyMaterialId": "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyId": "mrk-1234abcd12ab34cd56ef12345678990ab",
"KeyManager": "CUSTOMER",
"KeySpec": "SYMMETRIC_DEFAULT",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"MultiRegion": true,
"MultiRegionConfiguration": {
"MultiRegionKeyType": "PRIMARY",
"PrimaryKey": {
"Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef12345678990ab",
"Region": "us-west-2"
},
"ReplicaKeys": []
},
"Origin": "AWS_KMS"
}
}
```
Para obtener más información, consulte [Claves asimétricas en AWS KMS en](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) la Guía para desarrolladores del *servicio de administración de AWS claves*.
**Ejemplo 7: Creación de una clave de KMS para material de claves importado**
En el siguiente ejemplo de `create-key` se crea una clave de KMS sin material de claves. Cuando se complete la operación, puede importar su propio material de claves en la clave de KMS. Para crear esta clave de KMS, establezca el parámetro `--origin` en `EXTERNAL`.
```
aws kms create-key \
--origin EXTERNAL
```
Salida:
```
{
"KeyMetadata": {
"Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"AWSAccountId": "111122223333",
"CreationDate": "2019-12-02T07:48:55-07:00",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "",
"Enabled": false,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"KeyManager": "CUSTOMER",
"KeySpec": "SYMMETRIC_DEFAULT",
"KeyState": "PendingImport",
"KeyUsage": "ENCRYPT_DECRYPT",
"MultiRegion": false,
"Origin": "EXTERNAL"
}
}
```
Para obtener más información, consulte [Importación de material clave en claves de AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) en la *Guía para desarrolladores del Servicio de administración de AWS claves*.
**Ejemplo 6: Para crear una clave KMS en un almacén de claves de AWS CloudHSM**
En el siguiente `create-key` ejemplo, se crea una clave KMS en el almacén de claves de AWS CloudHSM especificado. La operación crea la clave de KMS y sus metadatos en AWS KMS y crea el material de claves en el clúster de AWS CloudHSM asociado al almacén de claves personalizado. Los parámetros `--custom-key-store-id` y `--origin` son obligatorios.
```
aws kms create-key \
--origin AWS_CLOUDHSM \
--custom-key-store-id cks-1234567890abcdef0
```
Salida:
```
{
"KeyMetadata": {
"Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"AWSAccountId": "111122223333",
"CloudHsmClusterId": "cluster-1a23b4cdefg",
"CreationDate": "2019-12-02T07:48:55-07:00",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"CustomKeyStoreId": "cks-1234567890abcdef0",
"Description": "",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"KeyManager": "CUSTOMER",
"KeySpec": "SYMMETRIC_DEFAULT",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"MultiRegion": false,
"Origin": "AWS_CLOUDHSM"
}
}
```
Para obtener más información, consulte [Almacenes de claves de AWS CloudHSM](https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html) en la *Guía para desarrolladores de AWS Key Management Service*.
**Ejemplo 8: Creación de una clave de KMS en un almacén de claves externo**
En el siguiente ejemplo de `create-key` se crea una clave de KMS en el almacén de claves externo especificado. Los parámetros `--custom-key-store-id`, `--origin` y `--xks-key-id` son obligatorios en este comando.
El parámetro `--xks-key-id` especifica el ID de una clave de cifrado simétrica existente en el administrador de claves externo. Esta clave sirve como material de clave externa para la clave de KMS. El valor del parámetro `--origin` debe ser `EXTERNAL_KEY_STORE`. El parámetro `custom-key-store-id` debe identificar un almacén de claves externo que esté conectado a su proxy de almacén de claves externo.
```
aws kms create-key \
--origin EXTERNAL_KEY_STORE \
--custom-key-store-id cks-9876543210fedcba9 \
--xks-key-id bb8562717f809024
```
Salida:
```
{
"KeyMetadata": {
"Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"AWSAccountId": "111122223333",
"CreationDate": "2022-12-02T07:48:55-07:00",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"CustomKeyStoreId": "cks-9876543210fedcba9",
"Description": "",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"KeyManager": "CUSTOMER",
"KeySpec": "SYMMETRIC_DEFAULT",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"MultiRegion": false,
"Origin": "EXTERNAL_KEY_STORE",
"XksKeyConfiguration": {
"Id": "bb8562717f809024"
}
}
}
```
Para obtener más información, consulte [Almacenes de claves externos](https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html) en la *Guía para desarrolladores de AWS Key Management Service*.
+ Para obtener más información sobre la API, consulte la Referencia [CreateKey](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html)de *AWS CLI comandos*.
------
#### [ Java ]
**SDK para Java 2.x**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples).
```
/**
* Creates a new symmetric encryption key asynchronously.
*
* @param keyDesc the description of the key to be created
* @return a {@link CompletableFuture} that completes with the ID of the newly created key
* @throws RuntimeException if an error occurs while creating the key
*/
public CompletableFuture createKeyAsync(String keyDesc) {
CreateKeyRequest keyRequest = CreateKeyRequest.builder()
.description(keyDesc)
.keySpec(KeySpec.SYMMETRIC_DEFAULT)
.keyUsage(KeyUsageType.ENCRYPT_DECRYPT)
.build();
return getAsyncClient().createKey(keyRequest)
.thenApply(resp -> resp.keyMetadata().keyId())
.exceptionally(ex -> {
throw new RuntimeException("An error occurred while creating the key: " + ex.getMessage(), ex);
});
}
```
+ Para obtener más información sobre la API, consulta [CreateKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/CreateKey)la *Referencia AWS SDK for Java 2.x de la API*.
------
#### [ Kotlin ]
**SDK para Kotlin**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples).
```
suspend fun createKey(keyDesc: String?): String? {
val request =
CreateKeyRequest {
description = keyDesc
customerMasterKeySpec = CustomerMasterKeySpec.SymmetricDefault
keyUsage = KeyUsageType.fromValue("ENCRYPT_DECRYPT")
}
KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient ->
val result = kmsClient.createKey(request)
println("Created a customer key with id " + result.keyMetadata?.arn)
return result.keyMetadata?.keyId
}
}
```
+ Para obtener más información sobre la API, consulta [CreateKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)la *referencia sobre el AWS SDK para la API de Kotlin*.
------
#### [ PHP ]
**SDK para PHP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @param string $keySpec
* @param string $keyUsage
* @param string $description
* @return array
*/
public function createKey(string $keySpec = "", string $keyUsage = "", string $description = "Created by the SDK for PHP")
{
$parameters = ['Description' => $description];
if($keySpec && $keyUsage){
$parameters['KeySpec'] = $keySpec;
$parameters['KeyUsage'] = $keyUsage;
}
try {
$result = $this->client->createKey($parameters);
return $result['KeyMetadata'];
}catch(KmsException $caught){
// Check for error specific to createKey operations
if ($caught->getAwsErrorMessage() == "LimitExceededException"){
echo "The request was rejected because a quota was exceeded. For more information, see Quotas in the Key Management Service Developer Guide.";
}
throw $caught;
}
}
```
+ Para obtener más información sobre la API, consulta [CreateKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/CreateKey)la *Referencia AWS SDK para PHP de la API*.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class KeyManager:
def __init__(self, kms_client):
self.kms_client = kms_client
self.created_keys = []
@classmethod
def from_client(cls) -> "KeyManager":
"""
Creates a KeyManager instance with a default KMS client.
:return: An instance of KeyManager initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def create_key(self, key_description: str) -> dict[str, any]:
"""
Creates a key with a user-provided description.
:param key_description: A description for the key.
:return: The key ID.
"""
try:
key = self.kms_client.create_key(Description=key_description)["KeyMetadata"]
self.created_keys.append(key)
return key
except ClientError as err:
logging.error(
"Couldn't create your key. Here's why: %s",
err.response["Error"]["Message"],
)
raise
```
+ Para obtener más información sobre la API, consulta [CreateKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/CreateKey)la *AWS Referencia de API de SDK for Python (Boto3*).
------
#### [ Ruby ]
**SDK para Ruby**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/kms#code-examples).
```
require 'aws-sdk-kms' # v2: require 'aws-sdk'
# Create a AWS KMS key.
# As long we are only encrypting small amounts of data (4 KiB or less) directly,
# a KMS key is fine for our purposes.
# For larger amounts of data,
# use the KMS key to encrypt a data encryption key (DEK).
client = Aws::KMS::Client.new
resp = client.create_key({
tags: [
{
tag_key: 'CreatedBy',
tag_value: 'ExampleUser'
}
]
})
puts resp.key_metadata.key_id
```
+ Para obtener más información sobre la API, consulta [CreateKey](https://docs.aws.amazon.com/goto/SdkForRubyV3/kms-2014-11-01/CreateKey)la *Referencia AWS SDK para Ruby de la API*.
------
#### [ Rust ]
**SDK para Rust**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/kms#code-examples).
```
async fn make_key(client: &Client) -> Result<(), Error> {
let resp = client.create_key().send().await?;
let id = resp.key_metadata.as_ref().unwrap().key_id();
println!("Key: {}", id);
Ok(())
}
```
+ Para obtener más información sobre la API, consulta [CreateKey](https://docs.rs/aws-sdk-kms/latest/aws_sdk_kms/client/struct.Client.html#method.create_key)la *referencia sobre la API de AWS SDK para Rust*.
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
" iv_description = 'Created by the AWS SDK for SAP ABAP'
oo_result = lo_kms->createkey( iv_description = iv_description ).
MESSAGE 'KMS key created successfully.' TYPE 'I'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
CATCH /aws1/cx_kmslimitexceededex.
MESSAGE 'Limit exceeded for KMS resources.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulte [CreateKey](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)la *referencia sobre la API ABAP del AWS SDK para SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte[Uso de este servicio con un AWS SDK](sdk-general-information-section.md). En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `Decrypt` con un AWS SDK o CLI
decryptDataAsync(SdkBytes encryptedData, String keyId) {
DecryptRequest decryptRequest = DecryptRequest.builder()
.ciphertextBlob(encryptedData)
.keyId(keyId)
.build();
CompletableFuture responseFuture = getAsyncClient().decrypt(decryptRequest);
responseFuture.whenComplete((decryptResponse, exception) -> {
if (exception == null) {
logger.info("Data decrypted successfully for key ID: " + keyId);
} else {
if (exception instanceof KmsException kmsEx) {
throw new RuntimeException("KMS error occurred while decrypting data: " + kmsEx.getMessage(), kmsEx);
} else {
throw new RuntimeException("An unexpected error occurred while decrypting data: " + exception.getMessage(), exception);
}
}
});
return responseFuture.thenApply(decryptResponse -> decryptResponse.plaintext().asString(StandardCharsets.UTF_8));
}
```
+ Para obtener información sobre la API, consulte [Decrypt](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/Decrypt) en la *Referencia de la API de AWS SDK for Java 2.x *.
------
#### [ Kotlin ]
**SDK para Kotlin**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples).
```
suspend fun encryptData(keyIdValue: String): ByteArray? {
val text = "This is the text to encrypt by using the AWS KMS Service"
val myBytes: ByteArray = text.toByteArray()
val encryptRequest =
EncryptRequest {
keyId = keyIdValue
plaintext = myBytes
}
KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient ->
val response = kmsClient.encrypt(encryptRequest)
val algorithm: String = response.encryptionAlgorithm.toString()
println("The encryption algorithm is $algorithm")
// Return the encrypted data.
return response.ciphertextBlob
}
}
suspend fun decryptData(
encryptedDataVal: ByteArray?,
keyIdVal: String?,
) {
val decryptRequest =
DecryptRequest {
ciphertextBlob = encryptedDataVal
keyId = keyIdVal
}
KmsClient { region = "us-west-2" }.use { kmsClient ->
val decryptResponse = kmsClient.decrypt(decryptRequest)
val myVal = decryptResponse.plaintext
// Print the decrypted data.
print(myVal)
}
}
```
+ Para obtener información sobre la API, consulte [Decrypt](https://sdk.amazonaws.com/kotlin/api/latest/index.html) en la *Referencia de la API de AWS SDK para Kotlin*.
------
#### [ PHP ]
**SDK para PHP**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @param string $keyId
* @param string $ciphertext
* @param string $algorithm
* @return Result
*/
public function decrypt(string $keyId, string $ciphertext, string $algorithm = "SYMMETRIC_DEFAULT")
{
try{
return $this->client->decrypt([
'CiphertextBlob' => $ciphertext,
'EncryptionAlgorithm' => $algorithm,
'KeyId' => $keyId,
]);
}catch(KmsException $caught){
echo "There was a problem decrypting the data: {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
```
+ Para obtener información sobre la API, consulte [Decrypt](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/Decrypt) en la *Referencia de la API de AWS SDK para PHP *.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class KeyEncrypt:
def __init__(self, kms_client):
self.kms_client = kms_client
@classmethod
def from_client(cls) -> "KeyEncrypt":
"""
Creates a KeyEncrypt instance with a default KMS client.
:return: An instance of KeyEncrypt initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def decrypt(self, key_id: str, cipher_text: bytes) -> str:
"""
Decrypts text previously encrypted with a key.
:param key_id: The ARN or ID of the key used to decrypt the data.
:param cipher_text: The encrypted text to decrypt.
:return: The decrypted text.
"""
try:
return self.kms_client.decrypt(KeyId=key_id, CiphertextBlob=cipher_text)[
"Plaintext"
].decode()
except ClientError as err:
logger.error(
"Couldn't decrypt your ciphertext. Here's why: %s",
err.response["Error"]["Message"],
)
raise
```
+ Para obtener información sobre la API, consulte [Decrypt](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Decrypt) en la *Referencia de la API de AWS SDK para Python (Boto3)*.
------
#### [ Ruby ]
**SDK para Ruby**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/kms#code-examples).
```
require 'aws-sdk-kms' # v2: require 'aws-sdk'
# Decrypted blob
blob = '01020200785d68faeec386af1057904926253051eb2919d3c16078badf65b808b26dd057c101747cadf3593596e093d4ffbf22434a6d00000068306606092a864886f70d010706a0593057020100305206092a864886f70d010701301e060960864801650304012e3011040c9d629e573683972cdb7d94b30201108025b20b060591b02ca0deb0fbdfc2f86c8bfcb265947739851ad56f3adce91eba87c59691a9a1'
blob_packed = [blob].pack('H*')
client = Aws::KMS::Client.new(region: 'us-west-2')
resp = client.decrypt({
ciphertext_blob: blob_packed
})
puts 'Raw text: '
puts resp.plaintext
```
+ Para obtener información sobre la API, consulte [Decrypt](https://docs.aws.amazon.com/goto/SdkForRubyV3/kms-2014-11-01/Decrypt) en la *Referencia de la API de AWS SDK para Ruby *.
------
#### [ Rust ]
**SDK para Rust**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/kms#code-examples).
```
async fn decrypt_key(client: &Client, key: &str, filename: &str) -> Result<(), Error> {
// Open input text file and get contents as a string
// input is a base-64 encoded string, so decode it:
let data = fs::read_to_string(filename)
.map(|input| {
base64::decode(input).expect("Input file does not contain valid base 64 characters.")
})
.map(Blob::new);
let resp = client
.decrypt()
.key_id(key)
.ciphertext_blob(data.unwrap())
.send()
.await?;
let inner = resp.plaintext.unwrap();
let bytes = inner.as_ref();
let s = String::from_utf8(bytes.to_vec()).expect("Could not convert to UTF-8");
println!();
println!("Decoded string:");
println!("{}", s);
Ok(())
}
```
+ Para obtener información sobre la API, consulte [Decrypt](https://docs.rs/aws-sdk-kms/latest/aws_sdk_kms/client/struct.Client.html#method.decrypt) en la *Referencia de la API de AWS SDK para Rust*.
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
" iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab'
" iv_ciphertext_blob contains the encrypted data
oo_result = lo_kms->decrypt(
iv_keyid = iv_key_id
iv_ciphertextblob = iv_ciphertext_blob
).
MESSAGE 'Text decrypted successfully.' TYPE 'I'.
CATCH /aws1/cx_kmsdisabledexception.
MESSAGE 'The key is disabled.' TYPE 'E'.
CATCH /aws1/cx_kmsincorrectkeyex.
MESSAGE 'Incorrect key for decryption.' TYPE 'E'.
CATCH /aws1/cx_kmsnotfoundexception.
MESSAGE 'Key not found.' TYPE 'E'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulta [Cómo descifrar](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) en el *AWS SDK para obtener información sobre la API ABAP de SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte. [Uso de este servicio con un AWS SDK](sdk-general-information-section.md) En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `DeleteAlias` con un AWS SDK o CLI
deleteSpecificAliasAsync(String aliasName) {
DeleteAliasRequest deleteAliasRequest = DeleteAliasRequest.builder()
.aliasName(aliasName)
.build();
return getAsyncClient().deleteAlias(deleteAliasRequest)
.thenRun(() -> {
logger.info("Alias {} has been deleted successfully", aliasName);
})
.exceptionally(throwable -> {
throw new RuntimeException("Failed to delete alias: " + aliasName, throwable);
});
}
```
+ Para obtener más información sobre la API, consulta [DeleteAlias](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/DeleteAlias)la *Referencia AWS SDK for Java 2.x de la API*.
------
#### [ PHP ]
**SDK para PHP**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @param string $aliasName
* @return void
*/
public function deleteAlias(string $aliasName)
{
try {
$this->client->deleteAlias([
'AliasName' => $aliasName,
]);
}catch(KmsException $caught){
echo "There was a problem deleting the alias: {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
```
+ Para obtener más información sobre la API, consulta [DeleteAlias](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/DeleteAlias)la *Referencia AWS SDK para PHP de la API*.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class AliasManager:
def __init__(self, kms_client):
self.kms_client = kms_client
self.created_key = None
@classmethod
def from_client(cls) -> "AliasManager":
"""
Creates an AliasManager instance with a default KMS client.
:return: An instance of AliasManager initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def delete_alias(self, alias: str) -> None:
"""
Deletes an alias.
:param alias: The alias to delete.
"""
try:
self.kms_client.delete_alias(AliasName=alias)
except ClientError as err:
logger.error(
"Couldn't delete alias %s. Here's why: %s",
alias,
err.response["Error"]["Message"],
)
raise
```
+ Para obtener más información sobre la API, consulta [DeleteAlias](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/DeleteAlias)la *AWS Referencia de API de SDK for Python (Boto3*).
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
" iv_alias_name = 'alias/my-key-alias'
lo_kms->deletealias( iv_aliasname = iv_alias_name ).
MESSAGE 'Alias deleted successfully.' TYPE 'I'.
CATCH /aws1/cx_kmsnotfoundexception.
MESSAGE 'Alias not found.' TYPE 'E'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulte [DeleteAlias](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)la *referencia sobre la API ABAP del AWS SDK para SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte[Uso de este servicio con un AWS SDK](sdk-general-information-section.md). En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `DescribeKey` con un AWS SDK o CLI
/// Retrieve information about an AWS Key Management Service (AWS KMS) key.
/// You can supply either the key Id or the key Amazon Resource Name (ARN)
/// to the DescribeKeyRequest KeyId property.
///
public class DescribeKey
{
public static async Task Main()
{
var keyId = "7c9eccc2-38cb-4c4f-9db3-766ee8dd3ad4";
var request = new DescribeKeyRequest
{
KeyId = keyId,
};
var client = new AmazonKeyManagementServiceClient();
var response = await client.DescribeKeyAsync(request);
var metadata = response.KeyMetadata;
Console.WriteLine($"{metadata.KeyId} created on: {metadata.CreationDate}");
Console.WriteLine($"State: {metadata.KeyState}");
Console.WriteLine($"{metadata.Description}");
}
}
```
+ Para obtener más información sobre la API, consulta [DescribeKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/DescribeKey)la *Referencia AWS SDK para .NET de la API*.
------
#### [ CLI ]
**AWS CLI**
**Ejemplo 1: Búsqueda de información detallada sobre una clave de KMS**
En el siguiente `describe-key` ejemplo, se obtiene información detallada sobre la clave AWS gestionada de Amazon S3 en la cuenta y la región de ejemplo. Puede usar este comando para obtener detalles sobre las claves AWS administradas y las claves administradas por el cliente.
Para especificar la clave de KMS, utilice el parámetro `key-id`. En este ejemplo, se utiliza un valor de nombre de alias, pero puede utilizar un ID de clave, un ARN de clave, un nombre de alias o un ARN de alias en este comando.
```
aws kms describe-key \
--key-id alias/aws/s3
```
Salida:
```
{
"KeyMetadata": {
"AWSAccountId": "846764612917",
"KeyId": "b8a9477d-836c-491f-857e-07937918959b",
"Arn": "arn:aws:kms:us-west-2:846764612917:key/b8a9477d-836c-491f-857e-07937918959b",
"CurrentKeyMaterialId": "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6",
"CreationDate": 2017-06-30T21:44:32.140000+00:00,
"Enabled": true,
"Description": "Default KMS key that protects my S3 objects when no other key is defined",
"KeyUsage": "ENCRYPT_DECRYPT",
"KeyState": "Enabled",
"Origin": "AWS_KMS",
"KeyManager": "AWS",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
]
}
}
```
Para obtener más información, consulte [Visualización de claves](https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html) en la *Guía para desarrolladores de AWS Key Management Service*.
**Ejemplo 2: Obtención de detalles sobre una clave KMS de RSA asimétrica**
En el siguiente ejemplo de `describe-key` se obtiene información detallada acerca de una clave KMS de RSA asimétrica que se utiliza para la firma y la verificación.
```
aws kms describe-key \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab
```
Salida:
```
{
"KeyMetadata": {
"AWSAccountId": "111122223333",
"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"CreationDate": "2019-12-02T19:47:14.861000+00:00",
"CustomerMasterKeySpec": "RSA_2048",
"Enabled": false,
"Description": "",
"KeyState": "Disabled",
"Origin": "AWS_KMS",
"MultiRegion": false,
"KeyManager": "CUSTOMER",
"KeySpec": "RSA_2048",
"KeyUsage": "SIGN_VERIFY",
"SigningAlgorithms": [
"RSASSA_PKCS1_V1_5_SHA_256",
"RSASSA_PKCS1_V1_5_SHA_384",
"RSASSA_PKCS1_V1_5_SHA_512",
"RSASSA_PSS_SHA_256",
"RSASSA_PSS_SHA_384",
"RSASSA_PSS_SHA_512"
]
}
}
```
**Ejemplo 3: obtención de detalles sobre una clave de réplica de varias regiones**
En el siguiente ejemplo de `describe-key` se obtienen los metadatos de una clave de réplica de varias regiones. Esta clave de varias regiones es una clave de cifrado simétrica. La salida de un comando `describe-key` para cualquier clave de varias regiones devuelve información sobre la clave principal y todas sus réplicas.
```
aws kms describe-key \
--key-id arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab
```
Salida:
```
{
"KeyMetadata": {
"MultiRegion": true,
"AWSAccountId": "111122223333",
"Arn": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
"CreationDate": "2021-06-28T21:09:16.114000+00:00",
"CurrentKeyMaterialId": "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6",
"Description": "",
"Enabled": true,
"KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"MultiRegionConfiguration": {
"MultiRegionKeyType": "PRIMARY",
"PrimaryKey": {
"Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
"Region": "us-west-2"
},
"ReplicaKeys": [
{
"Arn": "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
"Region": "eu-west-1"
},
{
"Arn": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
"Region": "ap-northeast-1"
},
{
"Arn": "arn:aws:kms:sa-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
"Region": "sa-east-1"
}
]
}
}
}
```
**Ejemplo 4: obtención de detalles sobre una clave HMAC KMS**
En el siguiente ejemplo de `describe-key` se obtiene información detallada acerca de una clave KMS de HMAC.
```
aws kms describe-key \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab
```
Salida:
```
{
"KeyMetadata": {
"AWSAccountId": "123456789012",
"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"Arn": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"CreationDate": "2022-04-03T22:23:10.194000+00:00",
"Enabled": true,
"Description": "Test key",
"KeyUsage": "GENERATE_VERIFY_MAC",
"KeyState": "Enabled",
"Origin": "AWS_KMS",
"KeyManager": "CUSTOMER",
"CustomerMasterKeySpec": "HMAC_256",
"MacAlgorithms": [
"HMAC_SHA_256"
],
"MultiRegion": false
}
}
```
+ Para obtener más información sobre la API, consulte [DescribeKey](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/describe-key.html)la *Referencia de AWS CLI comandos*.
------
#### [ Java ]
**SDK para Java 2.x**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples).
```
/**
* Asynchronously checks if a specified key is enabled.
*
* @param keyId the ID of the key to check
* @return a {@link CompletableFuture} that, when completed, indicates whether the key is enabled or not
*
* @throws RuntimeException if an exception occurs while checking the key state
*/
public CompletableFuture isKeyEnabledAsync(String keyId) {
DescribeKeyRequest keyRequest = DescribeKeyRequest.builder()
.keyId(keyId)
.build();
CompletableFuture responseFuture = getAsyncClient().describeKey(keyRequest);
return responseFuture.whenComplete((resp, ex) -> {
if (resp != null) {
KeyState keyState = resp.keyMetadata().keyState();
if (keyState == KeyState.ENABLED) {
logger.info("The key is enabled.");
} else {
logger.info("The key is not enabled. Key state: {}", keyState);
}
} else {
throw new RuntimeException(ex);
}
}).thenApply(resp -> resp.keyMetadata().keyState() == KeyState.ENABLED);
}
```
+ Para obtener más información sobre la API, consulta [DescribeKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/DescribeKey)la *Referencia AWS SDK for Java 2.x de la API*.
------
#### [ Kotlin ]
**SDK para Kotlin**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples).
```
suspend fun describeSpecifcKey(keyIdVal: String?) {
val request =
DescribeKeyRequest {
keyId = keyIdVal
}
KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient ->
val response = kmsClient.describeKey(request)
println("The key description is ${response.keyMetadata?.description}")
println("The key ARN is ${response.keyMetadata?.arn}")
}
}
```
+ Para obtener más información sobre la API, consulta [DescribeKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)la *referencia sobre el AWS SDK para la API de Kotlin*.
------
#### [ PHP ]
**SDK para PHP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @param string $keyId
* @return array
*/
public function describeKey(string $keyId)
{
try {
$result = $this->client->describeKey([
"KeyId" => $keyId,
]);
return $result['KeyMetadata'];
}catch(KmsException $caught){
if($caught->getAwsErrorMessage() == "NotFoundException"){
echo "The request was rejected because the specified entity or resource could not be found.\n";
}
throw $caught;
}
}
```
+ Para obtener más información sobre la API, consulta [DescribeKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/DescribeKey)la *Referencia AWS SDK para PHP de la API*.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class KeyManager:
def __init__(self, kms_client):
self.kms_client = kms_client
self.created_keys = []
@classmethod
def from_client(cls) -> "KeyManager":
"""
Creates a KeyManager instance with a default KMS client.
:return: An instance of KeyManager initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def describe_key(self, key_id: str) -> dict[str, any]:
"""
Describes a key.
:param key_id: The ARN or ID of the key to describe.
:return: Information about the key.
"""
try:
key = self.kms_client.describe_key(KeyId=key_id)["KeyMetadata"]
return key
except ClientError as err:
logging.error(
"Couldn't get key '%s'. Here's why: %s",
key_id,
err.response["Error"]["Message"],
)
raise
```
+ Para obtener más información sobre la API, consulta [DescribeKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/DescribeKey)la *AWS Referencia de API de SDK for Python (Boto3*).
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
" iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab'
oo_result = lo_kms->describekey( iv_keyid = iv_key_id ).
DATA(lo_key) = oo_result->get_keymetadata( ).
MESSAGE 'Retrieved key information successfully.' TYPE 'I'.
CATCH /aws1/cx_kmsnotfoundexception.
MESSAGE 'Key not found.' TYPE 'E'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulte [DescribeKey](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)la *referencia sobre la API ABAP del AWS SDK para SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte[Uso de este servicio con un AWS SDK](sdk-general-information-section.md). En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `DisableKey` con un AWS SDK o CLI
/// Disable an AWS Key Management Service (AWS KMS) key and then retrieve
/// the key's status to show that it has been disabled.
///
public class DisableKey
{
public static async Task Main()
{
var client = new AmazonKeyManagementServiceClient();
// The identifier of the AWS KMS key to disable. You can use the
// key Id or the Amazon Resource Name (ARN) of the AWS KMS key.
var keyId = "1234abcd-12ab-34cd-56ef-1234567890ab";
var request = new DisableKeyRequest
{
KeyId = keyId,
};
var response = await client.DisableKeyAsync(request);
if (response.HttpStatusCode == System.Net.HttpStatusCode.OK)
{
// Retrieve information about the key to show that it has now
// been disabled.
var describeResponse = await client.DescribeKeyAsync(new DescribeKeyRequest
{
KeyId = keyId,
});
Console.WriteLine($"{describeResponse.KeyMetadata.KeyId} - state: {describeResponse.KeyMetadata.KeyState}");
}
}
}
```
+ Para obtener más información sobre la API, consulta [DisableKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/DisableKey)la *Referencia AWS SDK para .NET de la API*.
------
#### [ CLI ]
**AWS CLI**
**Desactivación temporal de una clave de KMS**
El siguiente comando `disable-key` desactiva una clave de KMS administrada por el cliente. Para volver a habilitar la clave de KMS, utilice el comando `enable-key`.
```
aws kms disable-key \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab
```
Este comando no genera ninguna salida.
Para obtener más información, consulte [Habilitar y deshabilitar claves](https://docs.aws.amazon.com/kms/latest/developerguide/enabling-keys.html) en la *Guía para desarrolladores de AWS Key Management Service*.
+ Para obtener más información sobre la API, consulta [DisableKey](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/disable-key.html)la *Referencia de AWS CLI comandos*.
------
#### [ Java ]
**SDK para Java 2.x**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples).
```
/**
* Asynchronously disables the specified AWS Key Management Service (KMS) key.
*
* @param keyId the ID or Amazon Resource Name (ARN) of the KMS key to be disabled
* @return a CompletableFuture that, when completed, indicates that the key has been disabled successfully
*/
public CompletableFuture disableKeyAsync(String keyId) {
DisableKeyRequest keyRequest = DisableKeyRequest.builder()
.keyId(keyId)
.build();
return getAsyncClient().disableKey(keyRequest)
.thenRun(() -> {
logger.info("Key {} has been disabled successfully",keyId);
})
.exceptionally(throwable -> {
throw new RuntimeException("Failed to disable key: " + keyId, throwable);
});
}
```
+ Para obtener más información sobre la API, consulta [DisableKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/DisableKey)la *Referencia AWS SDK for Java 2.x de la API*.
------
#### [ Kotlin ]
**SDK para Kotlin**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples).
```
suspend fun disableKey(keyIdVal: String?) {
val request =
DisableKeyRequest {
keyId = keyIdVal
}
KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient ->
kmsClient.disableKey(request)
println("$keyIdVal was successfully disabled")
}
}
```
+ Para obtener más información sobre la API, consulta [DisableKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)la *referencia sobre el AWS SDK para la API de Kotlin*.
------
#### [ PHP ]
**SDK para PHP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @param string $keyId
* @return void
*/
public function disableKey(string $keyId)
{
try {
$this->client->disableKey([
'KeyId' => $keyId,
]);
}catch(KmsException $caught){
echo "There was a problem disabling the key: {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
```
+ Para obtener más información sobre la API, consulta [DisableKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/DisableKey)la *Referencia AWS SDK para PHP de la API*.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class KeyManager:
def __init__(self, kms_client):
self.kms_client = kms_client
self.created_keys = []
@classmethod
def from_client(cls) -> "KeyManager":
"""
Creates a KeyManager instance with a default KMS client.
:return: An instance of KeyManager initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def disable_key(self, key_id: str) -> None:
try:
self.kms_client.disable_key(KeyId=key_id)
except ClientError as err:
logging.error(
"Couldn't disable key '%s'. Here's why: %s",
key_id,
err.response["Error"]["Message"],
)
raise
```
+ Para obtener más información sobre la API, consulta [DisableKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/DisableKey)la *AWS Referencia de API de SDK for Python (Boto3*).
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
" iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab'
lo_kms->disablekey( iv_keyid = iv_key_id ).
MESSAGE 'KMS key disabled successfully.' TYPE 'I'.
CATCH /aws1/cx_kmsnotfoundexception.
MESSAGE 'Key not found.' TYPE 'E'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulte [DisableKey](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)la *referencia sobre la API ABAP del AWS SDK para SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte[Uso de este servicio con un AWS SDK](sdk-general-information-section.md). En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `EnableKey` con un AWS SDK o CLI
/// Enable an AWS Key Management Service (AWS KMS) key.
///
public class EnableKey
{
public static async Task Main()
{
var client = new AmazonKeyManagementServiceClient();
// The identifier of the AWS KMS key to enable. You can use the
// key Id or the Amazon Resource Name (ARN) of the AWS KMS key.
var keyId = "1234abcd-12ab-34cd-56ef-1234567890ab";
var request = new EnableKeyRequest
{
KeyId = keyId,
};
var response = await client.EnableKeyAsync(request);
if (response.HttpStatusCode == System.Net.HttpStatusCode.OK)
{
// Retrieve information about the key to show that it has now
// been enabled.
var describeResponse = await client.DescribeKeyAsync(new DescribeKeyRequest
{
KeyId = keyId,
});
Console.WriteLine($"{describeResponse.KeyMetadata.KeyId} - state: {describeResponse.KeyMetadata.KeyState}");
}
}
}
```
+ Para obtener más información sobre la API, consulta [EnableKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/EnableKey)la *Referencia AWS SDK para .NET de la API*.
------
#### [ CLI ]
**AWS CLI**
**Activación de una clave de KMS**
En el siguiente ejemplo de `enable-key` se habilita una clave administrada por el cliente. Puede utilizar un comando como este para habilitar una clave de KMS que deshabilitó temporalmente mediante el comando `disable-key`. También puede usarlo para habilitar una clave de KMS que esté deshabilitada porque la eliminación estaba programada y esta se canceló.
Para especificar la clave de KMS, utilice el parámetro `key-id`. En este ejemplo, se utiliza un valor de ID de clave, pero puede utilizar un ID de clave o un valor de ARN de clave en este comando.
Antes de ejecutar este comando, reemplace el ID de claves de ejemplo por uno válido.
```
aws kms enable-key \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab
```
Este comando no genera ninguna salida. Utilice el comando `describe-key` para comprobar que la clave de KMS está habilitada. Consulte los valores de los campos `KeyState` y `Enabled` en la salida `describe-key`.
Para obtener más información, consulte [Habilitar y deshabilitar claves](https://docs.aws.amazon.com/kms/latest/developerguide/enabling-keys.html) en la *Guía para desarrolladores de AWS Key Management Service*.
+ Para obtener más información sobre la API, consulta [EnableKey](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/enable-key.html)la *Referencia de AWS CLI comandos*.
------
#### [ Java ]
**SDK para Java 2.x**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples).
```
/**
* Asynchronously enables the specified key.
*
* @param keyId the ID of the key to enable
* @return a {@link CompletableFuture} that completes when the key has been enabled
*/
public CompletableFuture enableKeyAsync(String keyId) {
EnableKeyRequest enableKeyRequest = EnableKeyRequest.builder()
.keyId(keyId)
.build();
CompletableFuture responseFuture = getAsyncClient().enableKey(enableKeyRequest);
responseFuture.whenComplete((response, exception) -> {
if (exception == null) {
logger.info("Key with ID [{}] has been enabled.", keyId);
} else {
if (exception instanceof KmsException kmsEx) {
throw new RuntimeException("KMS error occurred while enabling key: " + kmsEx.getMessage(), kmsEx);
} else {
throw new RuntimeException("An unexpected error occurred while enabling key: " + exception.getMessage(), exception);
}
}
});
return responseFuture.thenApply(response -> null);
}
```
+ Para obtener más información sobre la API, consulta [EnableKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/EnableKey)la *Referencia AWS SDK for Java 2.x de la API*.
------
#### [ Kotlin ]
**SDK para Kotlin**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples).
```
suspend fun enableKey(keyIdVal: String?) {
val request =
EnableKeyRequest {
keyId = keyIdVal
}
KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient ->
kmsClient.enableKey(request)
println("$keyIdVal was successfully enabled.")
}
}
```
+ Para obtener más información sobre la API, consulta [EnableKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)la *referencia sobre el AWS SDK para la API de Kotlin*.
------
#### [ PHP ]
**SDK para PHP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @param string $keyId
* @return void
*/
public function enableKey(string $keyId)
{
try {
$this->client->enableKey([
'KeyId' => $keyId,
]);
}catch(KmsException $caught){
if($caught->getAwsErrorMessage() == "NotFoundException"){
echo "The request was rejected because the specified entity or resource could not be found.\n";
}
throw $caught;
}
}
```
+ Para obtener más información sobre la API, consulta [EnableKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/EnableKey)la *Referencia AWS SDK para PHP de la API*.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class KeyManager:
def __init__(self, kms_client):
self.kms_client = kms_client
self.created_keys = []
@classmethod
def from_client(cls) -> "KeyManager":
"""
Creates a KeyManager instance with a default KMS client.
:return: An instance of KeyManager initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def enable_key(self, key_id: str) -> None:
"""
Enables a key. Gets the key state after each state change.
:param key_id: The ARN or ID of the key to enable.
"""
try:
self.kms_client.enable_key(KeyId=key_id)
except ClientError as err:
logging.error(
"Couldn't enable key '%s'. Here's why: %s",
key_id,
err.response["Error"]["Message"],
)
raise
```
+ Para obtener más información sobre la API, consulta [EnableKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/EnableKey)la *AWS Referencia de API de SDK for Python (Boto3*).
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
" iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab'
lo_kms->enablekey( iv_keyid = iv_key_id ).
MESSAGE 'KMS key enabled successfully.' TYPE 'I'.
CATCH /aws1/cx_kmsnotfoundexception.
MESSAGE 'Key not found.' TYPE 'E'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulte [EnableKey](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)la *referencia sobre la API ABAP del AWS SDK para SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte[Uso de este servicio con un AWS SDK](sdk-general-information-section.md). En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `EnableKeyRotation` con un AWS SDK o CLI
encryptDataAsync(String keyId, String text) {
SdkBytes myBytes = SdkBytes.fromUtf8String(text);
EncryptRequest encryptRequest = EncryptRequest.builder()
.keyId(keyId)
.plaintext(myBytes)
.build();
CompletableFuture responseFuture = getAsyncClient().encrypt(encryptRequest).toCompletableFuture();
return responseFuture.whenComplete((response, ex) -> {
if (response != null) {
String algorithm = response.encryptionAlgorithm().toString();
logger.info("The string was encrypted with algorithm {}.", algorithm);
} else {
throw new RuntimeException(ex);
}
}).thenApply(EncryptResponse::ciphertextBlob);
}
```
+ Para obtener información sobre la API, consulte [Encrypt](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/Encrypt) en la *referencia de la API de AWS SDK for Java 2.x *.
------
#### [ Kotlin ]
**SDK para Kotlin**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples).
```
suspend fun encryptData(keyIdValue: String): ByteArray? {
val text = "This is the text to encrypt by using the AWS KMS Service"
val myBytes: ByteArray = text.toByteArray()
val encryptRequest =
EncryptRequest {
keyId = keyIdValue
plaintext = myBytes
}
KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient ->
val response = kmsClient.encrypt(encryptRequest)
val algorithm: String = response.encryptionAlgorithm.toString()
println("The encryption algorithm is $algorithm")
// Return the encrypted data.
return response.ciphertextBlob
}
}
suspend fun decryptData(
encryptedDataVal: ByteArray?,
keyIdVal: String?,
) {
val decryptRequest =
DecryptRequest {
ciphertextBlob = encryptedDataVal
keyId = keyIdVal
}
KmsClient { region = "us-west-2" }.use { kmsClient ->
val decryptResponse = kmsClient.decrypt(decryptRequest)
val myVal = decryptResponse.plaintext
// Print the decrypted data.
print(myVal)
}
}
```
+ Para obtener información sobre la API, consulte [Encrypt](https://sdk.amazonaws.com/kotlin/api/latest/index.html) en la *referencia de la API de AWS SDK para Kotlin*.
------
#### [ PHP ]
**SDK para PHP**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @param string $keyId
* @param string $text
* @return Result
*/
public function encrypt(string $keyId, string $text)
{
try {
return $this->client->encrypt([
'KeyId' => $keyId,
'Plaintext' => $text,
]);
}catch(KmsException $caught){
if($caught->getAwsErrorMessage() == "DisabledException"){
echo "The request was rejected because the specified KMS key is not enabled.\n";
}
throw $caught;
}
}
```
+ Para obtener información sobre la API, consulte [Encrypt](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/Encrypt) en la *referencia de la API de AWS SDK para PHP *.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class KeyEncrypt:
def __init__(self, kms_client):
self.kms_client = kms_client
@classmethod
def from_client(cls) -> "KeyEncrypt":
"""
Creates a KeyEncrypt instance with a default KMS client.
:return: An instance of KeyEncrypt initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def encrypt(self, key_id: str, text: str) -> bytes:
"""
Encrypts text by using the specified key.
:param key_id: The ARN or ID of the key to use for encryption.
:param text: The text to encrypt.
:return: The encrypted version of the text.
"""
try:
response = self.kms_client.encrypt(KeyId=key_id, Plaintext=text.encode())
print(
f"The string was encrypted with algorithm {response['EncryptionAlgorithm']}"
)
return response["CiphertextBlob"]
except ClientError as err:
if err.response["Error"]["Code"] == "DisabledException":
logger.error(
"Could not encrypt because the key %s is disabled.", key_id
)
else:
logger.error(
"Couldn't encrypt text. Here's why: %s",
err.response["Error"]["Message"],
)
raise
```
+ Para obtener información sobre la API, consulte [Encrypt](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Encrypt) en la *referencia de la API de AWS SDK para Python (Boto3)*.
------
#### [ Ruby ]
**SDK para Ruby**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/kms#code-examples).
```
require 'aws-sdk-kms' # v2: require 'aws-sdk'
# ARN of the AWS KMS key.
#
# Replace the fictitious key ARN with a valid key ID
keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
text = '1234567890'
client = Aws::KMS::Client.new(region: 'us-west-2')
resp = client.encrypt({
key_id: keyId,
plaintext: text
})
# Display a readable version of the resulting encrypted blob.
puts 'Blob:'
puts resp.ciphertext_blob.unpack('H*')
```
+ Para obtener información sobre la API, consulte [Encrypt](https://docs.aws.amazon.com/goto/SdkForRubyV3/kms-2014-11-01/Encrypt) en la *referencia de la API de AWS SDK para Ruby *.
------
#### [ Rust ]
**SDK para Rust**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/kms#code-examples).
```
async fn encrypt_string(
verbose: bool,
client: &Client,
text: &str,
key: &str,
out_file: &str,
) -> Result<(), Error> {
let blob = Blob::new(text.as_bytes());
let resp = client.encrypt().key_id(key).plaintext(blob).send().await?;
// Did we get an encrypted blob?
let blob = resp.ciphertext_blob.expect("Could not get encrypted text");
let bytes = blob.as_ref();
let s = base64::encode(bytes);
let mut ofile = File::create(out_file).expect("unable to create file");
ofile.write_all(s.as_bytes()).expect("unable to write");
if verbose {
println!("Wrote the following to {:?}", out_file);
println!("{}", s);
}
Ok(())
}
```
+ Para obtener información sobre la API, consulte [Encrypt](https://docs.rs/aws-sdk-kms/latest/aws_sdk_kms/client/struct.Client.html#method.encrypt) en la *Referencia de la API de AWS SDK para Rust*.
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
" iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab'
" iv_plaintext contains the data to encrypt
oo_result = lo_kms->encrypt(
iv_keyid = iv_key_id
iv_plaintext = iv_plaintext
).
MESSAGE 'Text encrypted successfully.' TYPE 'I'.
CATCH /aws1/cx_kmsdisabledexception.
MESSAGE 'The key is disabled.' TYPE 'E'.
CATCH /aws1/cx_kmsnotfoundexception.
MESSAGE 'Key not found.' TYPE 'E'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulte [Cifrar](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) en el *AWS SDK para obtener información sobre la API ABAP de SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte. [Uso de este servicio con un AWS SDK](sdk-general-information-section.md) En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `GenerateDataKey` con un AWS SDK o CLI
/// List the AWS Key Management Service (AWS KMS) aliases that have been defined for
/// the keys in the same AWS Region as the default user. If you want to list
/// the aliases in a different Region, pass the Region to the client
/// constructor.
///
public class ListAliases
{
public static async Task Main()
{
var client = new AmazonKeyManagementServiceClient();
var request = new ListAliasesRequest();
var response = new ListAliasesResponse();
do
{
response = await client.ListAliasesAsync(request);
response.Aliases.ForEach(alias =>
{
Console.WriteLine($"Created: {alias.CreationDate} Last Update: {alias.LastUpdatedDate} Name: {alias.AliasName}");
});
request.Marker = response.NextMarker;
}
while (response.Truncated);
}
}
```
+ Para obtener más información sobre la API, consulta [ListAliases](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/ListAliases)la *Referencia AWS SDK para .NET de la API*.
------
#### [ CLI ]
**AWS CLI**
**Ejemplo 1: Para enumerar todos los alias de una AWS cuenta y una región**
En el siguiente ejemplo, se utiliza el `list-aliases` comando para enumerar todos los alias de la región predeterminada de la AWS cuenta. El resultado incluye los alias asociados a las claves de KMS AWS administradas y a las claves de KMS administradas por el cliente.
```
aws kms list-aliases
```
Salida:
```
{
"Aliases": [
{
"AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/testKey",
"AliasName": "alias/testKey",
"TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
},
{
"AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/FinanceDept",
"AliasName": "alias/FinanceDept",
"TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321"
},
{
"AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/aws/dynamodb",
"AliasName": "alias/aws/dynamodb",
"TargetKeyId": "1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d"
},
{
"AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/aws/ebs",
"AliasName": "alias/aws/ebs",
"TargetKeyId": "0987ab65-43cd-21ef-09ab-87654321cdef"
},
...
]
}
```
**Ejemplo 2: Creación de una lista de todos los alias de una clave de KMS concreta**
En el siguiente ejemplo se utiliza el comando `list-aliases` y su parámetro `key-id` para mostrar todos los alias que están asociados con una determinada clave de KMS.
Cada alias está asociado a una sola clave de KMS, pero una clave de KMS puede tener varios alias. Este comando es muy útil porque la consola de AWS KMS solo muestra un alias para cada clave de KMS. Debe utilizar el comando `list-aliases` para encontrar todos los alias de una clave de KMS.
En este ejemplo, se utiliza el ID de la clave de KMS del parámetro `--key-id`, pero puede utilizar un ID de clave, un ARN de clave, un nombre de alias o un ARN de alias en este comando.
```
aws kms list-aliases --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
```
Salida:
```
{
"Aliases": [
{
"TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/oregon-test-key",
"AliasName": "alias/oregon-test-key"
},
{
"TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/project121-test",
"AliasName": "alias/project121-test"
}
]
}
```
Para obtener más información, consulte [Uso de alias](https://docs.aws.amazon.com/kms/latest/developerguide/programming-aliases.html) en la *Guía para desarrolladores de AWS Key Management Service*.
+ Para obtener más información sobre la API, consulte [ListAliases](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/list-aliases.html)la *Referencia de AWS CLI comandos*.
------
#### [ Java ]
**SDK para Java 2.x**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples).
```
/**
* Asynchronously lists all the aliases in the current AWS account.
*
* @return a {@link CompletableFuture} that completes when the list of aliases has been processed
*/
public CompletableFuture listAllAliasesAsync() {
ListAliasesRequest aliasesRequest = ListAliasesRequest.builder()
.limit(15)
.build();
ListAliasesPublisher paginator = getAsyncClient().listAliasesPaginator(aliasesRequest);
return paginator.subscribe(response -> {
response.aliases().forEach(alias ->
logger.info("The alias name is: " + alias.aliasName())
);
})
.thenApply(v -> null)
.exceptionally(ex -> {
if (ex.getCause() instanceof KmsException) {
KmsException e = (KmsException) ex.getCause();
throw new RuntimeException("A KMS exception occurred: " + e.getMessage());
} else {
throw new RuntimeException("An unexpected error occurred: " + ex.getMessage());
}
});
}
```
+ Para obtener más información sobre la API, consulta [ListAliases](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ListAliases)la *Referencia AWS SDK for Java 2.x de la API*.
------
#### [ Kotlin ]
**SDK para Kotlin**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples).
```
suspend fun listAllAliases() {
val request =
ListAliasesRequest {
limit = 15
}
KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient ->
val response = kmsClient.listAliases(request)
response.aliases?.forEach { alias ->
println("The alias name is ${alias.aliasName}")
}
}
}
```
+ Para obtener más información sobre la API, consulta [ListAliases](https://sdk.amazonaws.com/kotlin/api/latest/index.html)la *referencia sobre el AWS SDK para la API de Kotlin*.
------
#### [ PHP ]
**SDK para PHP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @param string $keyId
* @param int $limit
* @return ResultPaginator
*/
public function listAliases(string $keyId = "", int $limit = 0)
{
$args = [];
if($keyId){
$args['KeyId'] = $keyId;
}
if($limit){
$args['Limit'] = $limit;
}
try{
return $this->client->getPaginator("ListAliases", $args);
}catch(KmsException $caught){
if($caught->getAwsErrorMessage() == "InvalidMarkerException"){
echo "The request was rejected because the marker that specifies where pagination should next begin is not valid.\n";
}
throw $caught;
}
}
```
+ Para obtener más información sobre la API, consulta [ListAliases](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListAliases)la *Referencia AWS SDK para PHP de la API*.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class AliasManager:
def __init__(self, kms_client):
self.kms_client = kms_client
self.created_key = None
@classmethod
def from_client(cls) -> "AliasManager":
"""
Creates an AliasManager instance with a default KMS client.
:return: An instance of AliasManager initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def list_aliases(self, page_size: int) -> None:
"""
Lists aliases for the current account.
:param page_size: The number of aliases to list per page.
"""
try:
alias_paginator = self.kms_client.get_paginator("list_aliases")
for alias_page in alias_paginator.paginate(
PaginationConfig={"PageSize": page_size}
):
print(f"Here are {page_size} aliases:")
pprint(alias_page["Aliases"])
if alias_page["Truncated"]:
answer = input(
f"Do you want to see the next {page_size} aliases (y/n)? "
)
if answer.lower() != "y":
break
else:
print("That's all your aliases!")
except ClientError as err:
logging.error(
"Couldn't list your aliases. Here's why: %s",
err.response["Error"]["Message"],
)
raise
```
+ Para obtener más información sobre la API, consulta [ListAliases](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListAliases)la *AWS Referencia de API de SDK for Python (Boto3*).
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
oo_result = lo_kms->listaliases( ).
MESSAGE 'Retrieved KMS aliases list.' TYPE 'I'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulte [ListAliases](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)la *referencia sobre la API ABAP del AWS SDK para SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte[Uso de este servicio con un AWS SDK](sdk-general-information-section.md). En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `ListGrants` con un AWS SDK o CLI
/// List the AWS Key Management Service (AWS KMS) grants that are associated with
/// a specific key.
///
public class ListGrants
{
public static async Task Main()
{
// The identifier of the AWS KMS key to disable. You can use the
// key Id or the Amazon Resource Name (ARN) of the AWS KMS key.
var keyId = "1234abcd-12ab-34cd-56ef-1234567890ab";
var client = new AmazonKeyManagementServiceClient();
var request = new ListGrantsRequest
{
KeyId = keyId,
};
var response = new ListGrantsResponse();
do
{
response = await client.ListGrantsAsync(request);
response.Grants.ForEach(grant =>
{
Console.WriteLine($"{grant.GrantId}");
});
request.Marker = response.NextMarker;
}
while (response.Truncated);
}
}
```
+ Para obtener más información sobre la API, consulta [ListGrants](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/ListGrants)la *Referencia AWS SDK para .NET de la API*.
------
#### [ CLI ]
**AWS CLI**
**Para ver las concesiones de una clave de AWS KMS**
En el siguiente `list-grants` ejemplo, se muestran todas las concesiones de la clave de KMS AWS gestionada especificada para Amazon DynamoDB en su cuenta. Esta concesión permite a DynamoDB utilizar la clave de KMS en su nombre para cifrar una tabla de DynamoDB antes de escribirla en el disco. Puede usar un comando como este para ver las concesiones de las claves de KMS AWS administradas y las claves de KMS administradas por el cliente en la AWS cuenta y la región.
Este comando usa el parámetro `key-id` con un ID de la clave para identificar la clave de KMS. Puede utilizar un ID o ARN de clave para identificar la clave de KMS. Para obtener el identificador de clave o el ARN de clave de una clave de KMS AWS administrada, utilice el comando `list-keys` o`list-aliases`.
```
aws kms list-grants \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab
```
La salida muestra que la concesión otorga a Amazon DynamoDB permiso para usar la clave de KMS para operaciones criptográficas y le da permiso para ver detalles sobre la clave de KMS (`DescribeKey`) y para retirar concesiones (`RetireGrant`). La restricción `EncryptionContextSubset` limita estos permisos a las solicitudes que incluyen los pares de contexto de cifrado especificados. Como resultado, los permisos de la concesión solo son efectivos en la cuenta y la tabla de DynamoDB especificadas.
```
{
"Grants": [
{
"Constraints": {
"EncryptionContextSubset": {
"aws:dynamodb:subscriberId": "123456789012",
"aws:dynamodb:tableName": "Services"
}
},
"IssuingAccount": "arn:aws:iam::123456789012:root",
"Name": "8276b9a6-6cf0-46f1-b2f0-7993a7f8c89a",
"Operations": [
"Decrypt",
"Encrypt",
"GenerateDataKey",
"ReEncryptFrom",
"ReEncryptTo",
"RetireGrant",
"DescribeKey"
],
"GrantId": "1667b97d27cf748cf05b487217dd4179526c949d14fb3903858e25193253fe59",
"KeyId": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"RetiringPrincipal": "dynamodb.us-west-2.amazonaws.com",
"GranteePrincipal": "dynamodb.us-west-2.amazonaws.com",
"CreationDate": "2021-05-13T18:32:45.144000+00:00"
}
]
}
```
Para obtener más información, consulte las [concesiones en AWS KMS en](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) la *Guía para desarrolladores del servicio de administración de AWS claves*.
+ Para obtener más información sobre la API, consulte [ListGrants](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/list-grants.html)la *Referencia de AWS CLI comandos*.
------
#### [ Java ]
**SDK para Java 2.x**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples).
```
/**
* Asynchronously displays the grant IDs for the specified key ID.
*
* @param keyId the ID of the AWS KMS key for which to list the grants
* @return a {@link CompletableFuture} that, when completed, will be null if the operation succeeded, or will throw a {@link RuntimeException} if the operation failed
* @throws RuntimeException if there was an error listing the grants, either due to an {@link KmsException} or an unexpected error
*/
public CompletableFuture displayGrantIdsAsync(String keyId) {
ListGrantsRequest grantsRequest = ListGrantsRequest.builder()
.keyId(keyId)
.limit(15)
.build();
ListGrantsPublisher paginator = getAsyncClient().listGrantsPaginator(grantsRequest);
return paginator.subscribe(response -> {
response.grants().forEach(grant -> {
logger.info("The grant Id is: " + grant.grantId());
});
})
.thenApply(v -> null)
.exceptionally(ex -> {
Throwable cause = ex.getCause();
if (cause instanceof KmsException) {
throw new RuntimeException("Failed to list grants: " + cause.getMessage(), cause);
} else {
throw new RuntimeException("An unexpected error occurred: " + cause.getMessage(), cause);
}
});
}
```
+ Para obtener más información sobre la API, consulta [ListGrants](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ListGrants)la *Referencia AWS SDK for Java 2.x de la API*.
------
#### [ Kotlin ]
**SDK para Kotlin**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples).
```
suspend fun displayGrantIds(keyIdVal: String?) {
val request =
ListGrantsRequest {
keyId = keyIdVal
limit = 15
}
KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient ->
val response = kmsClient.listGrants(request)
response.grants?.forEach { grant ->
println("The grant Id is ${grant.grantId}")
}
}
}
```
+ Para obtener más información sobre la API, consulta [ListGrants](https://sdk.amazonaws.com/kotlin/api/latest/index.html)la *referencia sobre el AWS SDK para la API de Kotlin*.
------
#### [ PHP ]
**SDK para PHP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @param string $keyId
* @return Result
*/
public function listGrants(string $keyId)
{
try{
return $this->client->listGrants([
'KeyId' => $keyId,
]);
}catch(KmsException $caught){
if($caught->getAwsErrorMessage() == "NotFoundException"){
echo " The request was rejected because the specified entity or resource could not be found.\n";
}
throw $caught;
}
}
```
+ Para obtener más información sobre la API, consulta [ListGrants](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListGrants)la *Referencia AWS SDK para PHP de la API*.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class GrantManager:
def __init__(self, kms_client):
self.kms_client = kms_client
@classmethod
def from_client(cls) -> "GrantManager":
"""
Creates a GrantManager instance with a default KMS client.
:return: An instance of GrantManager initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def list_grants(self, key_id):
"""
Lists grants for a key.
:param key_id: The ARN or ID of the key to query.
:return: The grants for the key.
"""
try:
paginator = self.kms_client.get_paginator("list_grants")
grants = []
page_iterator = paginator.paginate(KeyId=key_id)
for page in page_iterator:
grants.extend(page["Grants"])
print(f"Grants for key {key_id}:")
pprint(grants)
return grants
except ClientError as err:
logger.error(
"Couldn't list grants for key %s. Here's why: %s",
key_id,
err.response["Error"]["Message"],
)
raise
```
+ Para obtener más información sobre la API, consulta [ListGrants](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListGrants)la *AWS Referencia de API de SDK for Python (Boto3*).
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
" iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab'
oo_result = lo_kms->listgrants( iv_keyid = iv_key_id ).
MESSAGE 'Retrieved grants list.' TYPE 'I'.
CATCH /aws1/cx_kmsnotfoundexception.
MESSAGE 'Key not found.' TYPE 'E'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulte [ListGrants](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)la *referencia sobre la API ABAP del AWS SDK para SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte[Uso de este servicio con un AWS SDK](sdk-general-information-section.md). En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `ListKeyPolicies` con un AWS SDK o CLI
getKeyPolicyAsync(String keyId, String policyName) {
GetKeyPolicyRequest policyRequest = GetKeyPolicyRequest.builder()
.keyId(keyId)
.policyName(policyName)
.build();
return getAsyncClient().getKeyPolicy(policyRequest)
.thenApply(response -> {
String policy = response.policy();
logger.info("The response is: " + policy);
return policy;
})
.exceptionally(ex -> {
throw new RuntimeException("Failed to get key policy", ex);
});
}
```
+ Para obtener más información sobre la API, consulta [ListKeyPolicies](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ListKeyPolicies)la *Referencia AWS SDK for Java 2.x de la API*.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class KeyPolicy:
def __init__(self, kms_client):
self.kms_client = kms_client
@classmethod
def from_client(cls) -> "KeyPolicy":
"""
Creates a KeyPolicy instance with a default KMS client.
:return: An instance of KeyPolicy initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def list_policies(self, key_id):
"""
Lists the names of the policies for a key.
:param key_id: The ARN or ID of the key to query.
"""
try:
policy_names = self.kms_client.list_key_policies(KeyId=key_id)[
"PolicyNames"
]
except ClientError as err:
logging.error(
"Couldn't list your policies. Here's why: %s",
err.response["Error"]["Message"],
)
raise
else:
print(f"The policies for key {key_id} are:")
pprint(policy_names)
```
+ Para obtener más información sobre la API, consulta [ListKeyPolicies](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListKeyPolicies)la *AWS Referencia de API de SDK for Python (Boto3*).
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
" iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab'
oo_result = lo_kms->listkeypolicies( iv_keyid = iv_key_id ).
MESSAGE 'Retrieved key policies list.' TYPE 'I'.
CATCH /aws1/cx_kmsnotfoundexception.
MESSAGE 'Key not found.' TYPE 'E'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulte [ListKeyPolicies](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)la *referencia sobre la API ABAP del AWS SDK para SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte[Uso de este servicio con un AWS SDK](sdk-general-information-section.md). En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `ListKeys` con un AWS SDK o CLI
/// List the AWS Key Managements Service (AWS KMS) keys for the AWS Region
/// of the default user. To list keys in another AWS Region, supply the Region
/// as a parameter to the client constructor.
///
public class ListKeys
{
public static async Task Main()
{
var client = new AmazonKeyManagementServiceClient();
var request = new ListKeysRequest();
var response = new ListKeysResponse();
do
{
response = await client.ListKeysAsync(request);
response.Keys.ForEach(key =>
{
Console.WriteLine($"ID: {key.KeyId}, {key.KeyArn}");
});
// Set the Marker property when response.Truncated is true
// in order to get the next keys.
request.Marker = response.NextMarker;
}
while (response.Truncated);
}
}
```
+ Para obtener más información sobre la API, consulta [ListKeys](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/ListKeys)la *Referencia AWS SDK para .NET de la API*.
------
#### [ CLI ]
**AWS CLI**
**Obtención de las claves KMS de una cuenta y una región**
En el siguiente ejemplo de `list-keys` se obtienen las claves de KMS de una cuenta y una región. Este comando devuelve tanto las claves AWS administradas como las claves administradas por el cliente.
```
aws kms list-keys
```
Salida:
```
{
"Keys": [
{
"KeyArn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
},
{
"KeyArn": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
"KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321"
},
{
"KeyArn": "arn:aws:kms:us-east-2:111122223333:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d",
"KeyId": "1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d"
}
]
}
```
Para obtener más información, consulte [Visualización de claves](https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html) en la *Guía para desarrolladores de AWS Key Management Service*.
+ Para obtener más información sobre la API, consulte [ListKeys](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/list-keys.html)la *Referencia de AWS CLI comandos*.
------
#### [ Java ]
**SDK para Java 2.x**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples).
```
import software.amazon.awssdk.services.kms.KmsAsyncClient;
import software.amazon.awssdk.services.kms.model.ListKeysRequest;
import software.amazon.awssdk.services.kms.paginators.ListKeysPublisher;
import java.util.concurrent.CompletableFuture;
/**
* Before running this Java V2 code example, set up your development
* environment, including your credentials.
*
* For more information, see the following documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class HelloKMS {
public static void main(String[] args) {
listAllKeys();
}
public static void listAllKeys() {
KmsAsyncClient kmsAsyncClient = KmsAsyncClient.builder()
.build();
ListKeysRequest listKeysRequest = ListKeysRequest.builder()
.limit(15)
.build();
/*
* The `subscribe` method is required when using paginator methods in the AWS SDK
* because paginator methods return an instance of a `ListKeysPublisher`, which is
* based on a reactive stream. This allows asynchronous retrieval of paginated
* results as they become available. By subscribing to the stream, we can process
* each page of results as they are emitted.
*/
ListKeysPublisher keysPublisher = kmsAsyncClient.listKeysPaginator(listKeysRequest);
CompletableFuture future = keysPublisher
.subscribe(r -> r.keys().forEach(key ->
System.out.println("The key ARN is: " + key.keyArn() + ". The key Id is: " + key.keyId())))
.whenComplete((result, exception) -> {
if (exception != null) {
System.err.println("Error occurred: " + exception.getMessage());
} else {
System.out.println("Successfully listed all keys.");
}
});
try {
future.join();
} catch (Exception e) {
System.err.println("Failed to list keys: " + e.getMessage());
}
}
}
```
+ Para obtener más información sobre la API, consulta [ListKeys](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ListKeys)la *Referencia AWS SDK for Java 2.x de la API*.
------
#### [ Kotlin ]
**SDK para Kotlin**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples).
```
suspend fun listAllKeys() {
val request =
ListKeysRequest {
limit = 15
}
KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient ->
val response = kmsClient.listKeys(request)
response.keys?.forEach { key ->
println("The key ARN is ${key.keyArn}")
println("The key Id is ${key.keyId}")
}
}
}
```
+ Para obtener más información sobre la API, consulta [ListKeys](https://sdk.amazonaws.com/kotlin/api/latest/index.html)la *referencia sobre el AWS SDK para la API de Kotlin*.
------
#### [ PHP ]
**SDK para PHP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @return array
*/
public function listKeys()
{
try {
$contents = [];
$paginator = $this->client->getPaginator("ListKeys");
foreach($paginator as $result){
foreach ($result['Content'] as $object) {
$contents[] = $object;
}
}
return $contents;
}catch(KmsException $caught){
echo "There was a problem listing the keys: {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
```
+ Para obtener más información sobre la API, consulta [ListKeys](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListKeys)la *Referencia AWS SDK para PHP de la API*.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class KeyManager:
def __init__(self, kms_client):
self.kms_client = kms_client
self.created_keys = []
@classmethod
def from_client(cls) -> "KeyManager":
"""
Creates a KeyManager instance with a default KMS client.
:return: An instance of KeyManager initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def list_keys(self):
"""
Lists the keys for the current account by using a paginator.
"""
try:
page_size = 10
print("\nLet's list your keys.")
key_paginator = self.kms_client.get_paginator("list_keys")
for key_page in key_paginator.paginate(PaginationConfig={"PageSize": 10}):
print(f"Here are {len(key_page['Keys'])} keys:")
pprint(key_page["Keys"])
if key_page["Truncated"]:
answer = input(
f"Do you want to see the next {page_size} keys (y/n)? "
)
if answer.lower() != "y":
break
else:
print("That's all your keys!")
except ClientError as err:
logging.error(
"Couldn't list your keys. Here's why: %s",
err.response["Error"]["Message"],
)
```
+ Para obtener más información sobre la API, consulta [ListKeys](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListKeys)la *AWS Referencia de API de SDK for Python (Boto3*).
------
#### [ Rust ]
**SDK para Rust**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/kms#code-examples).
```
async fn show_keys(client: &Client) -> Result<(), Error> {
let resp = client.list_keys().send().await?;
let keys = resp.keys.unwrap_or_default();
let len = keys.len();
for key in keys {
println!("Key ARN: {}", key.key_arn.as_deref().unwrap_or_default());
}
println!();
println!("Found {} keys", len);
Ok(())
}
```
+ Para obtener más información sobre la API, consulta [ListKeys](https://docs.rs/aws-sdk-kms/latest/aws_sdk_kms/client/struct.Client.html#method.list_keys)la *referencia sobre la API de AWS SDK para Rust*.
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
oo_result = lo_kms->listkeys( ).
MESSAGE 'Retrieved KMS keys list.' TYPE 'I'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulte [ListKeys](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)la *referencia sobre la API ABAP del AWS SDK para SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte[Uso de este servicio con un AWS SDK](sdk-general-information-section.md). En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `PutKeyPolicy` con un AWS SDK o CLI
revokeKeyGrantAsync(String keyId, String grantId) {
RevokeGrantRequest grantRequest = RevokeGrantRequest.builder()
.keyId(keyId)
.grantId(grantId)
.build();
CompletableFuture responseFuture = getAsyncClient().revokeGrant(grantRequest);
responseFuture.whenComplete((response, exception) -> {
if (exception == null) {
logger.info("Grant ID: [" + grantId + "] was successfully revoked!");
} else {
if (exception instanceof KmsException kmsEx) {
if (kmsEx.getMessage().contains("Grant does not exist")) {
logger.info("The grant ID '" + grantId + "' does not exist. Moving on...");
} else {
throw new RuntimeException("KMS error occurred: " + kmsEx.getMessage(), kmsEx);
}
} else {
throw new RuntimeException("An unexpected error occurred: " + exception.getMessage(), exception);
}
}
});
return responseFuture;
}
```
+ Para obtener más información sobre la API, consulta [RevokeGrant](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/RevokeGrant)la *Referencia AWS SDK for Java 2.x de la API*.
------
#### [ PHP ]
**SDK para PHP**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @param string $grantId
* @param string $keyId
* @return void
*/
public function revokeGrant(string $grantId, string $keyId)
{
try{
$this->client->revokeGrant([
'GrantId' => $grantId,
'KeyId' => $keyId,
]);
}catch(KmsException $caught){
echo "There was a problem with revoking the grant: {$caught->getAwsErrorMessage()}.\n";
throw $caught;
}
}
```
+ Para obtener más información sobre la API, consulta [RevokeGrant](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/RevokeGrant)la *Referencia AWS SDK para PHP de la API*.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class GrantManager:
def __init__(self, kms_client):
self.kms_client = kms_client
@classmethod
def from_client(cls) -> "GrantManager":
"""
Creates a GrantManager instance with a default KMS client.
:return: An instance of GrantManager initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def revoke_grant(self, key_id: str, grant_id: str) -> None:
"""
Revokes a grant so that it can no longer be used.
:param key_id: The ARN or ID of the key associated with the grant.
:param grant_id: The ID of the grant to revoke.
"""
try:
self.kms_client.revoke_grant(KeyId=key_id, GrantId=grant_id)
except ClientError as err:
logger.error(
"Couldn't revoke grant %s. Here's why: %s",
grant_id,
err.response["Error"]["Message"],
)
raise
```
+ Para obtener más información sobre la API, consulta [RevokeGrant](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/RevokeGrant)la *AWS Referencia de API de SDK for Python (Boto3*).
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
" iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab'
" iv_grant_id = '1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p'
lo_kms->revokegrant(
iv_keyid = iv_key_id
iv_grantid = iv_grant_id
).
MESSAGE 'Grant revoked successfully.' TYPE 'I'.
CATCH /aws1/cx_kmsnotfoundexception.
MESSAGE 'Grant or key not found.' TYPE 'E'.
CATCH /aws1/cx_kmsinvalidgrantidex.
MESSAGE 'Invalid grant ID.' TYPE 'E'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulte [RevokeGrant](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)la *referencia sobre la API ABAP del AWS SDK para SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte[Uso de este servicio con un AWS SDK](sdk-general-information-section.md). En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `ScheduleKeyDeletion` con un AWS SDK o CLI
Warning: Deleting a KMS key is a destructive and potentially dangerous operation.
* When a KMS key is deleted, all data that was encrypted under the KMS key becomes unrecoverable.
* This means that any files, databases, or other data that were encrypted using the deleted KMS key
* will become permanently inaccessible. Exercise extreme caution when deleting KMS keys.
*
* @param keyId the ID of the KMS key to delete
* @return a {@link CompletableFuture} that completes when the key deletion is scheduled
*/
public CompletableFuture deleteKeyAsync(String keyId) {
ScheduleKeyDeletionRequest deletionRequest = ScheduleKeyDeletionRequest.builder()
.keyId(keyId)
.pendingWindowInDays(7)
.build();
return getAsyncClient().scheduleKeyDeletion(deletionRequest)
.thenRun(() -> {
logger.info("Key {} will be deleted in 7 days", keyId);
})
.exceptionally(throwable -> {
throw new RuntimeException("Failed to schedule key deletion for key ID: " + keyId, throwable);
});
}
```
+ Para obtener más información sobre la API, consulta [ScheduleKeyDeletion](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ScheduleKeyDeletion)la *Referencia AWS SDK for Java 2.x de la API*.
------
#### [ PHP ]
**SDK para PHP**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @param string $keyId
* @param int $pendingWindowInDays
* @return void
*/
public function scheduleKeyDeletion(string $keyId, int $pendingWindowInDays = 7)
{
try {
$this->client->scheduleKeyDeletion([
'KeyId' => $keyId,
'PendingWindowInDays' => $pendingWindowInDays,
]);
}catch(KmsException $caught){
echo "There was a problem scheduling the key deletion: {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
```
+ Para obtener más información sobre la API, consulta [ScheduleKeyDeletion](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ScheduleKeyDeletion)la *Referencia AWS SDK para PHP de la API*.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class KeyManager:
def __init__(self, kms_client):
self.kms_client = kms_client
self.created_keys = []
@classmethod
def from_client(cls) -> "KeyManager":
"""
Creates a KeyManager instance with a default KMS client.
:return: An instance of KeyManager initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def delete_key(self, key_id: str, window: int) -> None:
"""
Deletes a list of keys.
Warning:
Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted,
all data that was encrypted under the KMS key is unrecoverable.
:param key_id: The ARN or ID of the key to delete.
:param window: The waiting period, in days, before the KMS key is deleted.
"""
try:
self.kms_client.schedule_key_deletion(
KeyId=key_id, PendingWindowInDays=window
)
except ClientError as err:
logging.error(
"Couldn't delete key %s. Here's why: %s",
key_id,
err.response["Error"]["Message"],
)
raise
```
+ Para obtener más información sobre la API, consulta [ScheduleKeyDeletion](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ScheduleKeyDeletion)la *AWS Referencia de API de SDK for Python (Boto3*).
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
" iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab'
" iv_pending_window_days = 7
oo_result = lo_kms->schedulekeydeletion(
iv_keyid = iv_key_id
iv_pendingwindowindays = iv_pending_window_days
).
MESSAGE 'Key scheduled for deletion.' TYPE 'I'.
CATCH /aws1/cx_kmsnotfoundexception.
MESSAGE 'Key not found.' TYPE 'E'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulte [ScheduleKeyDeletion](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)la *referencia sobre la API ABAP del AWS SDK para SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte[Uso de este servicio con un AWS SDK](sdk-general-information-section.md). En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `Sign` con un AWS SDK o CLI
The method performs the following steps:
*
* Creates an AWS KMS key with the specified key spec, key usage, and origin.
* Signs the provided message using the created KMS key and the RSASSA-PSS-SHA-256 algorithm.
* Verifies the signature of the message using the created KMS key and the RSASSA-PSS-SHA-256 algorithm.
*
*
* @return a {@link CompletableFuture} that completes with the result of the signature verification,
* {@code true} if the signature is valid, {@code false} otherwise.
* @throws KmsException if any error occurs during the KMS operations.
* @throws RuntimeException if an unexpected error occurs.
*/
public CompletableFuture signVerifyDataAsync() {
String signMessage = "Here is the message that will be digitally signed";
// Create an AWS KMS key used to digitally sign data.
CreateKeyRequest createKeyRequest = CreateKeyRequest.builder()
.keySpec(KeySpec.RSA_2048)
.keyUsage(KeyUsageType.SIGN_VERIFY)
.origin(OriginType.AWS_KMS)
.build();
return getAsyncClient().createKey(createKeyRequest)
.thenCompose(createKeyResponse -> {
String keyId = createKeyResponse.keyMetadata().keyId();
SdkBytes messageBytes = SdkBytes.fromString(signMessage, Charset.defaultCharset());
SignRequest signRequest = SignRequest.builder()
.keyId(keyId)
.message(messageBytes)
.signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256)
.build();
return getAsyncClient().sign(signRequest)
.thenCompose(signResponse -> {
byte[] signedBytes = signResponse.signature().asByteArray();
VerifyRequest verifyRequest = VerifyRequest.builder()
.keyId(keyId)
.message(SdkBytes.fromByteArray(signMessage.getBytes(Charset.defaultCharset())))
.signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signedBytes)))
.signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256)
.build();
return getAsyncClient().verify(verifyRequest)
.thenApply(verifyResponse -> {
return (boolean) verifyResponse.signatureValid();
});
});
})
.exceptionally(throwable -> {
throw new RuntimeException("Failed to sign or verify data", throwable);
});
}
```
+ Para obtener información sobre la API, consulte [Sign](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/Sign) en la *referencia de la API de AWS SDK for Java 2.x *.
------
#### [ PHP ]
**SDK para PHP**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @param string $keyId
* @param string $message
* @param string $algorithm
* @return Result
*/
public function sign(string $keyId, string $message, string $algorithm)
{
try {
return $this->client->sign([
'KeyId' => $keyId,
'Message' => $message,
'SigningAlgorithm' => $algorithm,
]);
}catch(KmsException $caught){
echo "There was a problem signing the data: {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
```
+ Para obtener información sobre la API, consulte [Sign](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/Sign) en la *referencia de la API de AWS SDK para PHP *.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class KeyEncrypt:
def __init__(self, kms_client):
self.kms_client = kms_client
@classmethod
def from_client(cls) -> "KeyEncrypt":
"""
Creates a KeyEncrypt instance with a default KMS client.
:return: An instance of KeyEncrypt initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def sign(self, key_id: str, message: str) -> str:
"""
Signs a message with a key.
:param key_id: The ARN or ID of the key to use for signing.
:param message: The message to sign.
:return: The signature of the message.
"""
try:
return self.kms_client.sign(
KeyId=key_id,
Message=message.encode(),
SigningAlgorithm="RSASSA_PSS_SHA_256",
)["Signature"]
except ClientError as err:
logger.error(
"Couldn't sign your message. Here's why: %s",
err.response["Error"]["Message"],
)
raise
```
+ Para obtener información sobre la API, consulte [Sign](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Sign) en la *referencia de la API de AWS SDK para Python (Boto3)*.
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
TRY.
" iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' (asymmetric key)
" iv_message contains the message to sign
" iv_signing_algorithm = 'RSASSA_PSS_SHA_256'
oo_result = lo_kms->sign(
iv_keyid = iv_key_id
iv_message = iv_message
iv_signingalgorithm = iv_signing_algorithm
).
MESSAGE 'Message signed successfully.' TYPE 'I'.
CATCH /aws1/cx_kmsdisabledexception.
MESSAGE 'The key is disabled.' TYPE 'E'.
CATCH /aws1/cx_kmsnotfoundexception.
MESSAGE 'Key not found.' TYPE 'E'.
CATCH /aws1/cx_kmsinvalidkeyusageex.
MESSAGE 'Key cannot be used for signing.' TYPE 'E'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulte la *referencia sobre el AWS SDK de inicio de [sesión](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) para la API ABAP de SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte[Uso de este servicio con un AWS SDK](sdk-general-information-section.md). En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `TagResource` con un AWS SDK o CLI
tagKMSKeyAsync(String keyId) {
Tag tag = Tag.builder()
.tagKey("Environment")
.tagValue("Production")
.build();
TagResourceRequest tagResourceRequest = TagResourceRequest.builder()
.keyId(keyId)
.tags(tag)
.build();
return getAsyncClient().tagResource(tagResourceRequest)
.thenRun(() -> {
logger.info("{} key was tagged", keyId);
})
.exceptionally(throwable -> {
throw new RuntimeException("Failed to tag the KMS key", throwable);
});
}
```
+ Para obtener más información sobre la API, consulta [TagResource](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/TagResource)la *Referencia AWS SDK for Java 2.x de la API*.
------
#### [ PHP ]
**SDK para PHP**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples).
```
/***
* @param string $keyId
* @param array $tags
* @return void
*/
public function tagResource(string $keyId, array $tags)
{
try {
$this->client->tagResource([
'KeyId' => $keyId,
'Tags' => $tags,
]);
}catch(KmsException $caught){
echo "There was a problem applying the tag(s): {$caught->getAwsErrorMessage()}\n";
throw $caught;
}
}
```
+ Para obtener más información sobre la API, consulta [TagResource](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/TagResource)la *Referencia AWS SDK para PHP de la API*.
------
#### [ Python ]
**SDK para Python (Boto3)**
Hay más información al respecto GitHub. Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples).
```
class KeyManager:
def __init__(self, kms_client):
self.kms_client = kms_client
self.created_keys = []
@classmethod
def from_client(cls) -> "KeyManager":
"""
Creates a KeyManager instance with a default KMS client.
:return: An instance of KeyManager initialized with the default KMS client.
"""
kms_client = boto3.client("kms")
return cls(kms_client)
def tag_resource(self, key_id: str, tag_key: str, tag_value: str) -> None:
"""
Add or edit tags on a customer managed key.
:param key_id: The ARN or ID of the key to enable rotation for.
:param tag_key: Key for the tag.
:param tag_value: Value for the tag.
"""
try:
self.kms_client.tag_resource(
KeyId=key_id, Tags=[{"TagKey": tag_key, "TagValue": tag_value}]
)
except ClientError as err:
logging.error(
"Couldn't add a tag for the key '%s'. Here's why: %s",
key_id,
err.response["Error"]["Message"],
)
raise
```
+ Para obtener más información sobre la API, consulta [TagResource](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/TagResource)la *AWS Referencia de API de SDK for Python (Boto3*).
------
#### [ SAP ABAP ]
**SDK para SAP ABAP**
Hay más información al respecto. GitHub Busque el ejemplo completo y aprenda a configurar y ejecutar en el [Repositorio de ejemplos de código de AWS](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples).
```
DATA lt_tags TYPE /aws1/cl_kmstag=>tt_taglist.
TRY.
" iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab'
" iv_tag_key = 'Environment'
" iv_tag_value = 'Production'
APPEND NEW /aws1/cl_kmstag(
iv_tagkey = iv_tag_key
iv_tagvalue = iv_tag_value
) TO lt_tags.
lo_kms->tagresource(
iv_keyid = iv_key_id
it_tags = lt_tags
).
MESSAGE 'Tag added to KMS key successfully.' TYPE 'I'.
CATCH /aws1/cx_kmsnotfoundexception.
MESSAGE 'Key not found.' TYPE 'E'.
CATCH /aws1/cx_kmstagexception.
MESSAGE 'Invalid tag format.' TYPE 'E'.
CATCH /aws1/cx_kmskmsinternalex.
MESSAGE 'An internal error occurred.' TYPE 'E'.
ENDTRY.
```
+ Para obtener más información sobre la API, consulte [TagResource](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)la *referencia sobre la API ABAP del AWS SDK para SAP*.
------
Para obtener una lista completa de guías para desarrolladores del AWS SDK y ejemplos de código, consulte[Uso de este servicio con un AWS SDK](sdk-general-information-section.md). En este tema también se incluye información sobre cómo comenzar a utilizar el SDK y detalles sobre sus versiones anteriores.
# Úselo `UpdateAlias` con un AWS SDK o CLI