class Aws::KMS::Types::KeyMetadata

Contains metadata about a KMS key.

This data type is used as a response element for the CreateKey and DescribeKey operations.

@!attribute [rw] aws_account_id

The twelve-digit account ID of the Amazon Web Services account that
owns the KMS key.
@return [String]

@!attribute [rw] key_id

The globally unique identifier for the KMS key.
@return [String]

@!attribute [rw] arn

The Amazon Resource Name (ARN) of the KMS key. For examples, see
[Key Management Service (KMS)][1] in the Example ARNs section of the
*Amazon Web Services General Reference*.

[1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms
@return [String]

@!attribute [rw] creation_date

The date and time when the KMS key was created.
@return [Time]

@!attribute [rw] enabled

Specifies whether the KMS key is enabled. When `KeyState` is
`Enabled` this value is true, otherwise it is false.
@return [Boolean]

@!attribute [rw] description

The description of the KMS key.
@return [String]

@!attribute [rw] key_usage

The [cryptographic operations][1] for which you can use the KMS key.

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
@return [String]

@!attribute [rw] key_state

The current status of the KMS key.

For more information about how key state affects the use of a KMS
key, see [Key state: Effect on your KMS key][1] in the *Key
Management Service Developer Guide*.

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
@return [String]

@!attribute [rw] deletion_date

The date and time after which KMS deletes this KMS key. This value
is present only when the KMS key is scheduled for deletion, that is,
when its `KeyState` is `PendingDeletion`.

When the primary key in a multi-Region key is scheduled for deletion
but still has replica keys, its key state is
`PendingReplicaDeletion` and the length of its waiting period is
displayed in the `PendingDeletionWindowInDays` field.
@return [Time]

@!attribute [rw] valid_to

The time at which the imported key material expires. When the key
material expires, KMS deletes the key material and the KMS key
becomes unusable. This value is present only for KMS keys whose
`Origin` is `EXTERNAL` and whose `ExpirationModel` is
`KEY_MATERIAL_EXPIRES`, otherwise this value is omitted.
@return [Time]

@!attribute [rw] origin

The source of the key material for the KMS key. When this value is
`AWS_KMS`, KMS created the key material. When this value is
`EXTERNAL`, the key material was imported or the KMS key doesn't
have any key material. When this value is `AWS_CLOUDHSM`, the key
material was created in the CloudHSM cluster associated with a
custom key store.
@return [String]

@!attribute [rw] custom_key_store_id

A unique identifier for the [custom key store][1] that contains the
KMS key. This value is present only when the KMS key is created in a
custom key store.

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
@return [String]

@!attribute [rw] cloud_hsm_cluster_id

The cluster ID of the CloudHSM cluster that contains the key
material for the KMS key. When you create a KMS key in a [custom key
store][1], KMS creates the key material for the KMS key in the
associated CloudHSM cluster. This value is present only when the KMS
key is created in a custom key store.

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
@return [String]

@!attribute [rw] expiration_model

Specifies whether the KMS key's key material expires. This value is
present only when `Origin` is `EXTERNAL`, otherwise this value is
omitted.
@return [String]

@!attribute [rw] key_manager

The manager of the KMS key. KMS keys in your Amazon Web Services
account are either customer managed or Amazon Web Services managed.
For more information about the difference, see [KMS keys][1] in the
*Key Management Service Developer Guide*.

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys
@return [String]

@!attribute [rw] customer_master_key_spec

Instead, use the `KeySpec` field.

The `KeySpec` and `CustomerMasterKeySpec` fields have the same
value. We recommend that you use the `KeySpec` field in your code.
However, to avoid breaking changes, KMS will support both fields.
@return [String]

@!attribute [rw] key_spec

Describes the type of key material in the KMS key.
@return [String]

@!attribute [rw] encryption_algorithms

The encryption algorithms that the KMS key supports. You cannot use
the KMS key with other encryption algorithms within KMS.

This value is present only when the `KeyUsage` of the KMS key is
`ENCRYPT_DECRYPT`.
@return [Array<String>]

@!attribute [rw] signing_algorithms

The signing algorithms that the KMS key supports. You cannot use the
KMS key with other signing algorithms within KMS.

This field appears only when the `KeyUsage` of the KMS key is
`SIGN_VERIFY`.
@return [Array<String>]

@!attribute [rw] multi_region

Indicates whether the KMS key is a multi-Region (`True`) or regional
(`False`) key. This value is `True` for multi-Region primary and
replica keys and `False` for regional KMS keys.

For more information about multi-Region keys, see [Using
multi-Region keys][1] in the *Key Management Service Developer
Guide*.

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
@return [Boolean]

@!attribute [rw] multi_region_configuration

Lists the primary and replica keys in same multi-Region key. This
field is present only when the value of the `MultiRegion` field is
`True`.

For more information about any listed KMS key, use the DescribeKey
operation.

* `MultiRegionKeyType` indicates whether the KMS key is a `PRIMARY`
  or `REPLICA` key.

* `PrimaryKey` displays the key ARN and Region of the primary key.
  This field displays the current KMS key if it is the primary key.

* `ReplicaKeys` displays the key ARNs and Regions of all replica
  keys. This field includes the current KMS key if it is a replica
  key.
@return [Types::MultiRegionConfiguration]

@!attribute [rw] pending_deletion_window_in_days

The waiting period before the primary key in a multi-Region key is
deleted. This waiting period begins when the last of its replica
keys is deleted. This value is present only when the `KeyState` of
the KMS key is `PendingReplicaDeletion`. That indicates that the KMS
key is the primary key in a multi-Region key, it is scheduled for
deletion, and it still has existing replica keys.

When a single-Region KMS key or a multi-Region replica key is
scheduled for deletion, its deletion date is displayed in the
`DeletionDate` field. However, when the primary key in a
multi-Region key is scheduled for deletion, its waiting period
doesn't begin until all of its replica keys are deleted. This value
displays that waiting period. When the last replica key in the
multi-Region key is deleted, the `KeyState` of the scheduled primary
key changes from `PendingReplicaDeletion` to `PendingDeletion` and
the deletion date appears in the `DeletionDate` field.
@return [Integer]

@see docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation

Constants

SENSITIVE