Module Smaws_Client_KMS.CreateCustomKeyStore

val request :
  Smaws_Lib.Context.t ->
  create_custom_key_store_request ->
  (create_custom_key_store_response,
   [> Smaws_Lib.Protocols.AwsJson.error
    | `CloudHsmClusterInUseException of cloud_hsm_cluster_in_use_exception
    | `CloudHsmClusterInvalidConfigurationException of cloud_hsm_cluster_invalid_configuration_exception
    | `CloudHsmClusterNotActiveException of cloud_hsm_cluster_not_active_exception
    | `CloudHsmClusterNotFoundException of cloud_hsm_cluster_not_found_exception
    | `CustomKeyStoreNameInUseException of custom_key_store_name_in_use_exception
    | `IncorrectTrustAnchorException of incorrect_trust_anchor_exception
    | `KMSInternalException of kms_internal_exception
    | `LimitExceededException of limit_exceeded_exception
    | `XksProxyIncorrectAuthenticationCredentialException of xks_proxy_incorrect_authentication_credential_exception
    | `XksProxyInvalidConfigurationException of xks_proxy_invalid_configuration_exception
    | `XksProxyInvalidResponseException of xks_proxy_invalid_response_exception
    | `XksProxyUriEndpointInUseException of xks_proxy_uri_endpoint_in_use_exception
    | `XksProxyUriInUseException of xks_proxy_uri_in_use_exception
    | `XksProxyUriUnreachableException of xks_proxy_uri_unreachable_exception
    | `XksProxyVpcEndpointServiceInUseException of xks_proxy_vpc_endpoint_service_in_use_exception
    | `XksProxyVpcEndpointServiceInvalidConfigurationException of xks_proxy_vpc_endpoint_service_invalid_configuration_exception
    | `XksProxyVpcEndpointServiceNotFoundException of xks_proxy_vpc_endpoint_service_not_found_exception
   ]) Stdlib.result

Creates a custom key store backed by a key store that you own and manage. When you use a KMS key in a custom key store for a cryptographic operation, the cryptographic operation is actually performed in your key store using your keys. KMS supports CloudHSM key stores backed by a CloudHSM cluster and external key stores backed by an external key store proxy and external key manager outside of Amazon Web Services.

This operation is part of the custom key stores feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage.

Before you create the custom key store, the required elements must be in place and operational. We recommend that you use the test tools that KMS provides to verify the configuration of your external key store proxy. For details about the required elements and verification tests, see Assemble the prerequisites (for CloudHSM key stores) or Assemble the prerequisites (for external key stores) in the Key Management Service Developer Guide.

To create a custom key store, use the following parameters.

  • To create a CloudHSM key store, specify the CustomKeyStoreName, CloudHsmClusterId, KeyStorePassword, and TrustAnchorCertificate. The CustomKeyStoreType parameter is optional for CloudHSM key stores. If you include it, set it to the default value, AWS_CLOUDHSM. For help with failures, see Troubleshooting a CloudHSM key store in the Key Management Service Developer Guide.
  • To create an external key store, specify the CustomKeyStoreName and a CustomKeyStoreType of EXTERNAL_KEY_STORE. Also, specify values for XksProxyConnectivity, XksProxyAuthenticationCredential, XksProxyUriEndpoint, and XksProxyUriPath. If your XksProxyConnectivity value is VPC_ENDPOINT_SERVICE, specify the XksProxyVpcEndpointServiceName parameter. For help with failures, see Troubleshooting an external key store in the Key Management Service Developer Guide.
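As an added example (not code from the smaws library or from this module's documentation), the following builds the request for an external key store with the parameters listed above and sorts the error variants from the signature of request into actions an operator can take. The record field and constructor names (custom_key_store_name and the other fields, PUBLIC_ENDPOINT, custom_key_store_id, and the credential record) are assumptions about the generated types.

```ocaml
(* Added example; not part of the Smaws_Client_KMS library. Record fields and
   constructors are ASSUMED to follow the library's snake_case mapping of the
   KMS parameters (CustomKeyStoreName -> custom_key_store_name, ...); check
   the generated types for the exact definitions before use. *)
open Smaws_Client_KMS

(* Request for an external key store. Only the EXTERNAL_KEY_STORE parameters
   are set; the CloudHSM-only fields stay None. VPC_ENDPOINT_SERVICE
   connectivity is selected exactly when a service name is supplied. *)
let external_key_store_request ~name ~uri_endpoint ~uri_path ~access_key_id
    ~raw_secret_access_key ?vpc_endpoint_service_name () =
  let connectivity, service_name =
    match vpc_endpoint_service_name with
    | Some n -> (VPC_ENDPOINT_SERVICE, Some n)
    | None -> (PUBLIC_ENDPOINT, None) (* constructor name assumed *)
  in
  { custom_key_store_name = name;
    custom_key_store_type = Some EXTERNAL_KEY_STORE;
    xks_proxy_connectivity = Some connectivity;
    xks_proxy_vpc_endpoint_service_name = service_name;
    xks_proxy_uri_endpoint = Some uri_endpoint;
    xks_proxy_uri_path = Some uri_path;
    xks_proxy_authentication_credential =
      Some { access_key_id; raw_secret_access_key };
    cloud_hsm_cluster_id = None;
    key_store_password = None;
    trust_anchor_certificate = None }

(* Outcome classes an operator can act on, derived from the error variants
   in the signature of [request] above. *)
type outcome = Created of string | Retry of string | Fix_config of string
             | Failed of string

let create ctx req =
  match CreateCustomKeyStore.request ctx req with
  | Ok r -> Created (Option.value r.custom_key_store_id ~default:"")
  | Error (`XksProxyUriUnreachableException _ | `KMSInternalException _) ->
      Retry "transient: proxy unreachable from KMS or KMS internal error"
  | Error (`XksProxyIncorrectAuthenticationCredentialException _
          | `XksProxyInvalidConfigurationException _
          | `XksProxyInvalidResponseException _
          | `XksProxyVpcEndpointServiceInvalidConfigurationException _
          | `XksProxyVpcEndpointServiceNotFoundException _) ->
      Fix_config "proxy endpoint, credential or VPC endpoint service is wrong"
  | Error (`CustomKeyStoreNameInUseException _ | `XksProxyUriEndpointInUseException _
          | `XksProxyUriInUseException _ | `XksProxyVpcEndpointServiceInUseException _) ->
      Fix_config "name, URI or VPC endpoint service already used by another key store"
  | Error _ -> Failed "see Troubleshooting a custom key store in the Developer Guide"
```

The returned ID in the Created case is what you pass to ConnectCustomKeyStore next; a Retry outcome means the proxy or KMS was not reachable at that moment rather than that the request was wrong.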

For external key stores:

Some external key managers provide a simpler method for creating an external key store. For details, see your external key manager documentation.

When creating an external key store in the KMS console, you can upload a JSON-based proxy configuration file with the desired values. You cannot use a proxy configuration with the CreateCustomKeyStore operation. However, you can use the values in the file to help you determine the correct values for the CreateCustomKeyStore parameters.

When the operation completes successfully, it returns the ID of the new custom key store. Before you can use your new custom key store, you need to use the ConnectCustomKeyStore operation to connect a new CloudHSM key store to its CloudHSM cluster, or to connect a new external key store to the external key store proxy for your external key manager. Even if you are not going to use your custom key store immediately, you might want to connect it to verify that all settings are correct and then disconnect it until you are ready to use it.

For help with failures, see Troubleshooting a custom key store in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.

Required permissions: kms:CreateCustomKeyStore (IAM policy).

Related operations:

  • ConnectCustomKeyStore
  • DeleteCustomKeyStore
  • DescribeCustomKeyStores
  • DisconnectCustomKeyStore
  • UpdateCustomKeyStore

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.