GenerateRandom
Returns a random byte string that is cryptographically secure.
You must use the NumberOfBytes parameter to specify the length of the random byte string. There is no default value for string length.
By default, the random byte string is generated in AWS KMS. To generate the byte string in the AWS CloudHSM cluster associated with an AWS CloudHSM key store, use the CustomKeyStoreId parameter.
GenerateRandom also supports AWS Nitro Enclaves, which provide an isolated compute environment in Amazon EC2. To call GenerateRandom for a Nitro enclave, use the AWS Nitro Enclaves SDK or any AWS SDK. Use the Recipient parameter to provide the attestation document for the enclave. Instead of plaintext bytes, the response includes the plaintext bytes encrypted under the public key from the attestation document (CiphertextForRecipient). For information about the interaction between AWS KMS and AWS Nitro Enclaves, see How AWS Nitro Enclaves uses AWS KMS in the AWS Key Management Service Developer Guide.
For more information about entropy and random number generation, see Entropy and random number generation in the AWS Key Management Service Developer Guide.
Cross-account use: Not applicable. GenerateRandom does not use any account-specific resources, such as KMS keys.
Required permissions: kms:GenerateRandom (IAM policy)
Eventual consistency: The AWS KMS API follows an eventual consistency model. For more information, see AWS KMS eventual consistency.
Request Syntax
{
   "CustomKeyStoreId": "string",
   "NumberOfBytes": number,
   "Recipient": {
      "AttestationDocument": blob,
      "KeyEncryptionAlgorithm": "string"
   }
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
Note
In the following list, the required parameters are described first.
- CustomKeyStoreId
  Generates the random byte string in the AWS CloudHSM cluster that is associated with the specified AWS CloudHSM key store. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
  External key store IDs are not valid for this parameter. If you specify the ID of an external key store, GenerateRandom throws an UnsupportedOperationException.
  Type: String
  Length Constraints: Minimum length of 1. Maximum length of 64.
  Required: No
- NumberOfBytes
  The length of the random byte string. This parameter is required.
  Type: Integer
  Valid Range: Minimum value of 1. Maximum value of 1024.
  Required: No
- Recipient
  A signed attestation document from an AWS Nitro enclave and the encryption algorithm to use with the enclave's public key. The only valid encryption algorithm is RSAES_OAEP_SHA_256.
  This parameter only supports attestation documents for AWS Nitro Enclaves. To include this parameter, use the AWS Nitro Enclaves SDK or any AWS SDK.
  When you use this parameter, instead of returning plaintext bytes, AWS KMS encrypts the plaintext bytes under the public key in the attestation document, and returns the resulting ciphertext in the CiphertextForRecipient field in the response. This ciphertext can be decrypted only with the private key in the enclave. The Plaintext field in the response is null or empty.
  For information about the interaction between AWS KMS and AWS Nitro Enclaves, see How AWS Nitro Enclaves uses AWS KMS in the AWS Key Management Service Developer Guide.
  Type: RecipientInfo object
  Required: No
Response Syntax
{
   "CiphertextForRecipient": blob,
   "Plaintext": blob
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- CiphertextForRecipient
  The plaintext random bytes encrypted with the public key from the Nitro enclave. This ciphertext can be decrypted only by using a private key in the Nitro enclave.
  This field is included in the response only when the Recipient parameter in the request includes a valid attestation document from an AWS Nitro enclave. For information about the interaction between AWS KMS and AWS Nitro Enclaves, see How AWS Nitro Enclaves uses AWS KMS in the AWS Key Management Service Developer Guide.
  Type: Base64-encoded binary data object
  Length Constraints: Minimum length of 1. Maximum length of 6144.
- Plaintext
  The random byte string. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
  If the response includes the CiphertextForRecipient field, the Plaintext field is null or empty.
  Type: Base64-encoded binary data object
  Length Constraints: Minimum length of 1. Maximum length of 4096.
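The request constraints and the two response shapes described above, as an added client-side example (not AWS or SDK code): build_request rejects values the page says the service would reject before a request is signed, and parse_response tells the normal path from the enclave path, where Plaintext must be null or empty and the random bytes are only available as CiphertextForRecipient. The attestation document and the enclave-path response body in the test are constructed placeholders; the normal-path body is this page's example response.

```python
import base64
import json
from typing import Optional

# Limits and values stated on this page.
MAX_NUMBER_OF_BYTES = 1024
MAX_CUSTOM_KEY_STORE_ID_LEN = 64
RECIPIENT_ALGORITHM = "RSAES_OAEP_SHA_256"  # only valid KeyEncryptionAlgorithm


def build_request(number_of_bytes: int,
                  custom_key_store_id: Optional[str] = None,
                  attestation_document: Optional[bytes] = None) -> dict:
    """Build the GenerateRandom JSON body, rejecting values the service would
    reject so the failure surfaces before a signed request leaves the host."""
    if not 1 <= number_of_bytes <= MAX_NUMBER_OF_BYTES:
        raise ValueError(f"NumberOfBytes must be 1..{MAX_NUMBER_OF_BYTES}")
    body = {"NumberOfBytes": number_of_bytes}
    if custom_key_store_id is not None:
        if not 1 <= len(custom_key_store_id) <= MAX_CUSTOM_KEY_STORE_ID_LEN:
            raise ValueError("CustomKeyStoreId must be 1..64 characters")
        body["CustomKeyStoreId"] = custom_key_store_id
    if attestation_document is not None:
        # Blob fields travel Base64-encoded in the JSON protocol.
        body["Recipient"] = {
            "AttestationDocument": base64.b64encode(attestation_document).decode(),
            "KeyEncryptionAlgorithm": RECIPIENT_ALGORITHM,
        }
    return body


def parse_response(body: str, expected_bytes: int) -> dict:
    """Interpret an HTTP-API response body (blobs are Base64 on the wire):
    {'plaintext': bytes} normally, {'ciphertext_for_recipient': bytes} for an enclave."""
    resp = json.loads(body)
    ciphertext, plaintext = resp.get("CiphertextForRecipient"), resp.get("Plaintext")
    if ciphertext:
        # Enclave path: the random bytes exist only as ciphertext that the
        # enclave's private key can open; Plaintext must be null or empty.
        if plaintext:
            raise ValueError("Plaintext and CiphertextForRecipient both present")
        return {"ciphertext_for_recipient": base64.b64decode(ciphertext, validate=True)}
    if not plaintext:
        raise ValueError("neither Plaintext nor CiphertextForRecipient present")
    raw = base64.b64decode(plaintext, validate=True)
    if len(raw) != expected_bytes:
        raise ValueError(f"expected {expected_bytes} random bytes, got {len(raw)}")
    return {"plaintext": raw}


EXAMPLE_RESPONSE = '{"Plaintext":"+Q2hxK6OBuU6K6ZIIBucFMCW2NJkhiSWDySSQyWp9zA="}'  # page's example, 32 bytes
```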
Errors
For information about the errors that are common to all actions, see Common Errors.
- CustomKeyStoreInvalidStateException
  The request was rejected because of the ConnectionState of the custom key store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation. This exception is thrown under the following conditions:
  - You requested the ConnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or FAILED. This operation is valid for all other ConnectionState values. To reconnect a custom key store in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect it (ConnectCustomKeyStore).
  - You requested the CreateKey operation in a custom key store that is not connected. This operation is valid only when the custom key store ConnectionState is CONNECTED.
  - You requested the DisconnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation is valid for all other ConnectionState values.
  - You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not disconnected. This operation is valid only when the custom key store ConnectionState is DISCONNECTED.
  - You requested the GenerateRandom operation in an AWS CloudHSM key store that is not connected. This operation is valid only when the AWS CloudHSM key store ConnectionState is CONNECTED.
  HTTP Status Code: 400
- CustomKeyStoreNotFoundException
  The request was rejected because AWS KMS cannot find a custom key store with the specified key store name or ID.
  HTTP Status Code: 400
- DependencyTimeoutException
  The system timed out while trying to fulfill the request. You can retry the request.
  HTTP Status Code: 500
- KMSInternalException
  The request was rejected because an internal exception occurred. The request can be retried.
  HTTP Status Code: 500
- UnsupportedOperationException
  The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.
  HTTP Status Code: 400
Examples
Example Request
The following example is formatted for legibility.
POST / HTTP/1.1
Host: kms.us-east-2.amazonaws.com
Content-Length: 21
X-Amz-Target: TrentService.GenerateRandom
X-Amz-Date: 20161114T215101Z
Content-Type: application/x-amz-json-1.1
Authorization: AWS4-HMAC-SHA256\
Credential=AKIAI44QH8DHBEXAMPLE/20161114/us-east-2/kms/aws4_request,\
SignedHeaders=content-type;host;x-amz-date;x-amz-target,\
Signature=e3a0cfdbfb71fae5c89e422ad8322b6a44aed85bf68e3d11f3f315bbaa82ad22

{"NumberOfBytes": 32}
Example Response
This example illustrates one usage of GenerateRandom.
HTTP/1.1 200 OK
Server: Server
Date: Mon, 14 Nov 2016 21:51:02 GMT
Content-Type: application/x-amz-json-1.1
Content-Length: 60
Connection: keep-alive
x-amzn-RequestId: 6f79b0ad-aab4-11e6-971f-0f7b7e5b6782

{"Plaintext":"+Q2hxK6OBuU6K6ZIIBucFMCW2NJkhiSWDySSQyWp9zA="}
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: