CreateCustomKeyStore
Creates a custom key store backed by a key store that you own and manage. When you use a KMS key in a custom key store for a cryptographic operation, the cryptographic operation is actually performed in your key store using your keys. AWS KMS supports AWS CloudHSM key stores backed by an AWS CloudHSM cluster and external key stores backed by an external key store proxy and external key manager outside of AWS.
This operation is part of the custom key stores feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a key store that you own and manage.
Before you create the custom key store, the required elements must be in place and operational. We recommend that you use the test tools that AWS KMS provides to verify the configuration your external key store proxy. For details about the required elements and verification tests, see Assemble the prerequisites (for AWS CloudHSM key stores) or Assemble the prerequisites (for external key stores) in the AWS Key Management Service Developer Guide.
To create a custom key store, use the following parameters.
-
To create an AWS CloudHSM key store, specify the
CustomKeyStoreName
,CloudHsmClusterId
,KeyStorePassword
, andTrustAnchorCertificate
. TheCustomKeyStoreType
parameter is optional for AWS CloudHSM key stores. If you include it, set it to the default value,AWS_CLOUDHSM
. For help with failures, see Troubleshooting an AWS CloudHSM key store in the AWS Key Management Service Developer Guide. -
To create an external key store, specify the
CustomKeyStoreName
and aCustomKeyStoreType
ofEXTERNAL_KEY_STORE
. Also, specify values forXksProxyConnectivity
,XksProxyAuthenticationCredential
,XksProxyUriEndpoint
, andXksProxyUriPath
. If yourXksProxyConnectivity
value isVPC_ENDPOINT_SERVICE
, specify theXksProxyVpcEndpointServiceName
parameter. For help with failures, see Troubleshooting an external key store in the AWS Key Management Service Developer Guide.
Note
For external key stores:
Some external key managers provide a simpler method for creating an external key store. For details, see your external key manager documentation.
When creating an external key store in the AWS KMS console, you can upload a JSON-based
proxy configuration file with the desired values. You cannot use a proxy configuration with
the CreateCustomKeyStore
operation. However, you can use the values in the file
to help you determine the correct values for the CreateCustomKeyStore
parameters.
When the operation completes successfully, it returns the ID of the new custom key store. Before you can use your new custom key store, you need to use the ConnectCustomKeyStore operation to connect a new AWS CloudHSM key store to its AWS CloudHSM cluster, or to connect a new external key store to the external key store proxy for your external key manager. Even if you are not going to use your custom key store immediately, you might want to connect it to verify that all settings are correct and then disconnect it until you are ready to use it.
Cross-account use: No. You cannot perform this operation on a custom key store in a different AWS account.
Required permissions: kms:CreateCustomKeyStore (IAM policy).
Related operations:
Eventual consistency: The AWS KMS API follows an eventual consistency model. For more information, see AWS KMS eventual consistency.
Request Syntax
{
"CloudHsmClusterId": "string
",
"CustomKeyStoreName": "string
",
"CustomKeyStoreType": "string
",
"KeyStorePassword": "string
",
"TrustAnchorCertificate": "string
",
"XksProxyAuthenticationCredential": {
"AccessKeyId": "string
",
"RawSecretAccessKey": "string
"
},
"XksProxyConnectivity": "string
",
"XksProxyUriEndpoint": "string
",
"XksProxyUriPath": "string
",
"XksProxyVpcEndpointServiceName": "string
"
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
Note
In the following list, the required parameters are described first.
- CustomKeyStoreName
-
Specifies a friendly name for the custom key store. The name must be unique in your AWS account and Region. This parameter is required for all custom key stores.
Important
Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 256.
Required: Yes
- CloudHsmClusterId
-
Identifies the AWS CloudHSM cluster for an AWS CloudHSM key store. This parameter is required for custom key stores with
CustomKeyStoreType
ofAWS_CLOUDHSM
.Enter the cluster ID of any active AWS CloudHSM cluster that is not already associated with a custom key store. To find the cluster ID, use the DescribeClusters operation.
Type: String
Length Constraints: Minimum length of 19. Maximum length of 24.
Pattern:
cluster-[2-7a-zA-Z]{11,16}
Required: No
- CustomKeyStoreType
-
Specifies the type of custom key store. The default value is
AWS_CLOUDHSM
.For a custom key store backed by an AWS CloudHSM cluster, omit the parameter or enter
AWS_CLOUDHSM
. For a custom key store backed by an external key manager outside of AWS, enterEXTERNAL_KEY_STORE
. You cannot change this property after the key store is created.Type: String
Valid Values:
AWS_CLOUDHSM | EXTERNAL_KEY_STORE
Required: No
- KeyStorePassword
-
Specifies the
kmsuser
password for an AWS CloudHSM key store. This parameter is required for custom key stores with aCustomKeyStoreType
ofAWS_CLOUDHSM
.Enter the password of the
kmsuser
crypto user (CU) account in the specified AWS CloudHSM cluster. AWS KMS logs into the cluster as this user to manage key material on your behalf.The password must be a string of 7 to 32 characters. Its value is case sensitive.
This parameter tells AWS KMS the
kmsuser
account password; it does not change the password in the AWS CloudHSM cluster.Type: String
Length Constraints: Minimum length of 7. Maximum length of 32.
Required: No
- TrustAnchorCertificate
-
Specifies the certificate for an AWS CloudHSM key store. This parameter is required for custom key stores with a
CustomKeyStoreType
ofAWS_CLOUDHSM
.Enter the content of the trust anchor certificate for the AWS CloudHSM cluster. This is the content of the
customerCA.crt
file that you created when you initialized the cluster.Type: String
Length Constraints: Minimum length of 1. Maximum length of 5000.
Required: No
- XksProxyAuthenticationCredential
-
Specifies an authentication credential for the external key store proxy (XKS proxy). This parameter is required for all custom key stores with a
CustomKeyStoreType
ofEXTERNAL_KEY_STORE
.The
XksProxyAuthenticationCredential
has two required elements:RawSecretAccessKey
, a secret key, andAccessKeyId
, a unique identifier for theRawSecretAccessKey
. For character requirements, see XksProxyAuthenticationCredentialType.AWS KMS uses this authentication credential to sign requests to the external key store proxy on your behalf. This credential is unrelated to AWS Identity and Access Management (IAM) and AWS credentials.
This parameter doesn't set or change the authentication credentials on the XKS proxy. It just tells AWS KMS the credential that you established on your external key store proxy. If you rotate your proxy authentication credential, use the UpdateCustomKeyStore operation to provide the new credential to AWS KMS.
Type: XksProxyAuthenticationCredentialType object
Required: No
- XksProxyConnectivity
-
Indicates how AWS KMS communicates with the external key store proxy. This parameter is required for custom key stores with a
CustomKeyStoreType
ofEXTERNAL_KEY_STORE
.If the external key store proxy uses a public endpoint, specify
PUBLIC_ENDPOINT
. If the external key store proxy uses a Amazon VPC endpoint service for communication with AWS KMS, specifyVPC_ENDPOINT_SERVICE
. For help making this choice, see Choosing a connectivity option in the AWS Key Management Service Developer Guide.An Amazon VPC endpoint service keeps your communication with AWS KMS in a private address space entirely within AWS, but it requires more configuration, including establishing a Amazon VPC with multiple subnets, a VPC endpoint service, a network load balancer, and a verified private DNS name. A public endpoint is simpler to set up, but it might be slower and might not fulfill your security requirements. You might consider testing with a public endpoint, and then establishing a VPC endpoint service for production tasks. Note that this choice does not determine the location of the external key store proxy. Even if you choose a VPC endpoint service, the proxy can be hosted within the VPC or outside of AWS such as in your corporate data center.
Type: String
Valid Values:
PUBLIC_ENDPOINT | VPC_ENDPOINT_SERVICE
Required: No
- XksProxyUriEndpoint
-
Specifies the endpoint that AWS KMS uses to send requests to the external key store proxy (XKS proxy). This parameter is required for custom key stores with a
CustomKeyStoreType
ofEXTERNAL_KEY_STORE
.The protocol must be HTTPS. AWS KMS communicates on port 443. Do not specify the port in the
XksProxyUriEndpoint
value.For external key stores with
XksProxyConnectivity
value ofVPC_ENDPOINT_SERVICE
, specifyhttps://
followed by the private DNS name of the VPC endpoint service.For external key stores with
PUBLIC_ENDPOINT
connectivity, this endpoint must be reachable before you create the custom key store. AWS KMS connects to the external key store proxy while creating the custom key store. For external key stores withVPC_ENDPOINT_SERVICE
connectivity, AWS KMS connects when you call the ConnectCustomKeyStore operation.The value of this parameter must begin with
https://
. The remainder can contain upper and lower case letters (A-Z and a-z), numbers (0-9), dots (.
), and hyphens (-
). Additional slashes (/
and\
) are not permitted.Uniqueness requirements:
-
The combined
XksProxyUriEndpoint
andXksProxyUriPath
values must be unique in the AWS account and Region. -
An external key store with
PUBLIC_ENDPOINT
connectivity cannot use the sameXksProxyUriEndpoint
value as an external key store withVPC_ENDPOINT_SERVICE
connectivity in this AWS Region. -
Each external key store with
VPC_ENDPOINT_SERVICE
connectivity must have its own private DNS name. TheXksProxyUriEndpoint
value for external key stores withVPC_ENDPOINT_SERVICE
connectivity (private DNS name) must be unique in the AWS account and Region.
Type: String
Length Constraints: Minimum length of 10. Maximum length of 128.
Pattern:
^https://[a-zA-Z0-9.-]+$
Required: No
-
- XksProxyUriPath
-
Specifies the base path to the proxy APIs for this external key store. To find this value, see the documentation for your external key store proxy. This parameter is required for all custom key stores with a
CustomKeyStoreType
ofEXTERNAL_KEY_STORE
.The value must start with
/
and must end with/kms/xks/v1
wherev1
represents the version of the AWS KMS external key store proxy API. This path can include an optional prefix between the required elements such as/prefix/kms/xks/v1
.Uniqueness requirements:
-
The combined
XksProxyUriEndpoint
andXksProxyUriPath
values must be unique in the AWS account and Region.
Type: String
Length Constraints: Minimum length of 10. Maximum length of 128.
Pattern:
^(/[a-zA-Z0-9\/_-]+/kms/xks/v\d{1,2})$|^(/kms/xks/v\d{1,2})$
Required: No
-
- XksProxyVpcEndpointServiceName
-
Specifies the name of the Amazon VPC endpoint service for interface endpoints that is used to communicate with your external key store proxy (XKS proxy). This parameter is required when the value of
CustomKeyStoreType
isEXTERNAL_KEY_STORE
and the value ofXksProxyConnectivity
isVPC_ENDPOINT_SERVICE
.The Amazon VPC endpoint service must fulfill all requirements for use with an external key store.
Uniqueness requirements:
-
External key stores with
VPC_ENDPOINT_SERVICE
connectivity can share an Amazon VPC, but each external key store must have its own VPC endpoint service and private DNS name.
Type: String
Length Constraints: Minimum length of 20. Maximum length of 64.
Pattern:
^com\.amazonaws\.vpce\.([a-z]+-){2,3}\d+\.vpce-svc-[0-9a-z]+$
Required: No
-
Response Syntax
{
"CustomKeyStoreId": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- CustomKeyStoreId
-
A unique identifier for the new custom key store.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 64.
Errors
For information about the errors that are common to all actions, see Common Errors.
- CloudHsmClusterInUseException
-
The request was rejected because the specified AWS CloudHSM cluster is already associated with an AWS CloudHSM key store in the account, or it shares a backup history with an AWS CloudHSM key store in the account. Each AWS CloudHSM key store in the account must be associated with a different AWS CloudHSM cluster.
AWS CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster certificate of an AWS CloudHSM cluster, use the DescribeClusters operation.
HTTP Status Code: 400
- CloudHsmClusterInvalidConfigurationException
-
The request was rejected because the associated AWS CloudHSM cluster did not meet the configuration requirements for an AWS CloudHSM key store.
-
The AWS CloudHSM cluster must be configured with private subnets in at least two different Availability Zones in the Region.
-
The security group for the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the Destination in the outbound rules must match the security group ID. These rules are set by default when you create the AWS CloudHSM cluster. Do not delete or change them. To get information about a particular security group, use the DescribeSecurityGroups operation.
-
The AWS CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the AWS CloudHSM CreateHsm operation.
For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the AWS CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the ConnectCustomKeyStore operation, the AWS CloudHSM must contain at least one active HSM.
For information about the requirements for an AWS CloudHSM cluster that is associated with an AWS CloudHSM key store, see Assemble the Prerequisites in the AWS Key Management Service Developer Guide. For information about creating a private subnet for an AWS CloudHSM cluster, see Create a Private Subnet in the AWS CloudHSM User Guide. For information about cluster security groups, see Configure a Default Security Group in the AWS CloudHSM User Guide .
HTTP Status Code: 400
-
- CloudHsmClusterNotActiveException
-
The request was rejected because the AWS CloudHSM cluster associated with the AWS CloudHSM key store is not active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started in the AWS CloudHSM User Guide.
HTTP Status Code: 400
- CloudHsmClusterNotFoundException
-
The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster with the specified cluster ID. Retry the request with a different cluster ID.
HTTP Status Code: 400
- CustomKeyStoreNameInUseException
-
The request was rejected because the specified custom key store name is already assigned to another custom key store in the account. Try again with a custom key store name that is unique in the account.
HTTP Status Code: 400
- IncorrectTrustAnchorException
-
The request was rejected because the trust anchor certificate in the request to create an AWS CloudHSM key store is not the trust anchor certificate for the specified AWS CloudHSM cluster.
When you initialize the AWS CloudHSM cluster, you create the trust anchor certificate and save it in the
customerCA.crt
file.HTTP Status Code: 400
- KMSInternalException
-
The request was rejected because an internal exception occurred. The request can be retried.
HTTP Status Code: 500
- LimitExceededException
-
The request was rejected because a length constraint or quota was exceeded. For more information, see Quotas in the AWS Key Management Service Developer Guide.
HTTP Status Code: 400
- XksProxyIncorrectAuthenticationCredentialException
-
The request was rejected because the proxy credentials failed to authenticate to the specified external key store proxy. The specified external key store proxy rejected a status request from AWS KMS due to invalid credentials. This can indicate an error in the credentials or in the identification of the external key store proxy.
HTTP Status Code: 400
- XksProxyInvalidConfigurationException
-
The request was rejected because the external key store proxy is not configured correctly. To identify the cause, see the error message that accompanies the exception.
HTTP Status Code: 400
- XksProxyInvalidResponseException
-
AWS KMS cannot interpret the response it received from the external key store proxy. The problem might be a poorly constructed response, but it could also be a transient network issue. If you see this error repeatedly, report it to the proxy vendor.
HTTP Status Code: 400
- XksProxyUriEndpointInUseException
-
The request was rejected because the
XksProxyUriEndpoint
is already associated with another external key store in this AWS Region. To identify the cause, see the error message that accompanies the exception.HTTP Status Code: 400
- XksProxyUriInUseException
-
The request was rejected because the concatenation of the
XksProxyUriEndpoint
andXksProxyUriPath
is already associated with another external key store in this AWS Region. Each external key store in a Region must use a unique external key store proxy API address.HTTP Status Code: 400
- XksProxyUriUnreachableException
-
AWS KMS was unable to reach the specified
XksProxyUriPath
. The path must be reachable before you create the external key store or update its settings.This exception is also thrown when the external key store proxy response to a
GetHealthStatus
request indicates that all external key manager instances are unavailable.HTTP Status Code: 400
- XksProxyVpcEndpointServiceInUseException
-
The request was rejected because the specified Amazon VPC endpoint service is already associated with another external key store in this AWS Region. Each external key store in a Region must use a different Amazon VPC endpoint service.
HTTP Status Code: 400
- XksProxyVpcEndpointServiceInvalidConfigurationException
-
The request was rejected because the Amazon VPC endpoint service configuration does not fulfill the requirements for an external key store. To identify the cause, see the error message that accompanies the exception and review the requirements for Amazon VPC endpoint service connectivity for an external key store.
HTTP Status Code: 400
- XksProxyVpcEndpointServiceNotFoundException
-
The request was rejected because AWS KMS could not find the specified VPC endpoint service. Use DescribeCustomKeyStores to verify the VPC endpoint service name for the external key store. Also, confirm that the
Allow principals
list for the VPC endpoint service includes the AWS KMS service principal for the Region, such ascks.kms.us-east-1.amazonaws.com
.HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: