feat(client-kms): This release includes feature to import customer's …

…asymmetric (RSA and ECC) and HMAC keys into KMS. It also includes feature to allow customers to specify number of days to schedule a KMS key deletion as a policy condition key.

clients/client-kms/src/commands/CreateKeyCommand.ts

@@ -92,12 +92,6 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
  *             You can't change these properties after the KMS key is created.</p>
  *                <p>HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use
  *             HMAC keys to generate (<a>GenerateMac</a>) and verify (<a>VerifyMac</a>) HMAC codes for messages up to 4096 bytes.</p>
- *                <p>HMAC KMS keys are not supported in all Amazon Web Services Regions. If you try to create an HMAC
- *             KMS key in an Amazon Web Services Region in which HMAC keys are not supported, the
- *               <code>CreateKey</code> operation returns an
- *             <code>UnsupportedOperationException</code>. For a list of Regions in which HMAC KMS keys
- *             are supported, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in
- *               KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *                <p> </p>
  *             </dd>
  *             <dt>Multi-Region primary keys</dt>
@@ -120,17 +114,17 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
  *                <p> </p>
  *             </dd>
  *             <dd>
- *                <p>To import your own key material into a KMS key, begin by creating a symmetric
- *             encryption KMS key with no key material. To do this, use the <code>Origin</code>
- *             parameter of <code>CreateKey</code> with a value of <code>EXTERNAL</code>. Next, use
- *               <a>GetParametersForImport</a> operation to get a public key and import
- *             token, and use the public key to encrypt your key material. Then, use <a>ImportKeyMaterial</a> with your import token to import the key material. For
- *             step-by-step instructions, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the <i>
+ *                <p>To import your own key material into a KMS key, begin by creating a KMS key with no
+ *             key material. To do this, use the <code>Origin</code> parameter of
+ *               <code>CreateKey</code> with a value of <code>EXTERNAL</code>. Next, use <a>GetParametersForImport</a> operation to get a public key and import token. Use
+ *             the wrapping public key to encrypt your key material. Then, use <a>ImportKeyMaterial</a> with your import token to import the key material. For step-by-step instructions, see
+ *               <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the <i>
  *                      <i>Key Management Service Developer Guide</i>
  *                   </i>.</p>
- *                <p>This feature supports only symmetric encryption KMS keys, including multi-Region
- *             symmetric encryption KMS keys. You cannot import key material into any other type of KMS
- *             key.</p>
+ *                <p>You can import key material into KMS keys of all supported KMS key types: symmetric
+ *             encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric
+ *             signing KMS keys. You can also create multi-Region keys with imported key material.
+ *             However, you can't import key material into a KMS key in a custom key store.</p>
  *                <p>To create a multi-Region primary key with imported key material, use the
  *               <code>Origin</code> parameter of <code>CreateKey</code> with a value of
  *               <code>EXTERNAL</code> and the <code>MultiRegion</code> parameter with a value of

clients/client-kms/src/commands/DeleteImportedKeyMaterialCommand.ts

@@ -36,14 +36,13 @@ export interface DeleteImportedKeyMaterialCommandOutput extends __MetadataBearer
 
 /**
  * @public
- * <p>Deletes key material that you previously imported. This operation makes the specified KMS
- *       key unusable. For more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a>
- *       in the <i>Key Management Service Developer Guide</i>. </p>
+ * <p>Deletes key material that was previously imported. This operation makes the specified KMS
+ *       key temporarily unusable. To restore the usability of the KMS key, reimport the same key
+ *       material. For more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a>
+ *       in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>When the specified KMS key is in the <code>PendingDeletion</code> state, this operation
  *       does not change the KMS key's state. Otherwise, it changes the KMS key's state to
  *         <code>PendingImport</code>.</p>
- *          <p>After you delete key material, you can use <a>ImportKeyMaterial</a> to reimport
- *       the same key material into the KMS key.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>

clients/client-kms/src/commands/GetParametersForImportCommand.ts

@@ -40,19 +40,58 @@ export interface GetParametersForImportCommandOutput extends GetParametersForImp
 
 /**
  * @public
- * <p>Returns the items you need to import key material into a symmetric encryption KMS key. For
- *       more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a> in the
- *       <i>Key Management Service Developer Guide</i>.</p>
- *          <p>This operation returns a public key and an import token. Use the public key to encrypt the
- *       symmetric key material. Store the import token to send with a subsequent <a>ImportKeyMaterial</a> request.</p>
- *          <p>You must specify the key ID of the symmetric encryption KMS key into which you will import
- *       key material. The KMS key <code>Origin</code> must be <code>EXTERNAL</code>. You must also
- *       specify the wrapping algorithm and type of wrapping key (public key) that you will use to
- *       encrypt the key material. You cannot perform this operation on an asymmetric KMS key, an HMAC KMS key, or on any KMS key in a different Amazon Web Services account.</p>
- *          <p>To import key material, you must use the public key and import token from the same
- *       response. These items are valid for 24 hours. The expiration date and time appear in the
- *         <code>GetParametersForImport</code> response. You cannot use an expired token in an <a>ImportKeyMaterial</a> request. If your key and token expire, send another
- *         <code>GetParametersForImport</code> request.</p>
+ * <p>Returns the public key and an import token you need to import or reimport key material for
+ *       a KMS key. </p>
+ *          <p>By default, KMS keys are created with key material that KMS generates. This operation
+ *       supports <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key
+ *         material</a>, an advanced feature that lets you generate and import the cryptographic
+ *       key material for a KMS key. For more information about importing key material into KMS, see
+ *         <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key
+ *         material</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *          <p>Before calling <code>GetParametersForImport</code>, use the <a>CreateKey</a>
+ *       operation with an <code>Origin</code> value of <code>EXTERNAL</code> to create a KMS key with
+ *       no key material. You can import key material for a symmetric encryption KMS key, HMAC KMS key,
+ *       asymmetric encryption KMS key, or asymmetric signing KMS key. You can also import key material
+ *       into a <a href="kms/latest/developerguide/multi-region-keys-overview.html">multi-Region key</a> of
+ *       any supported type. However, you can't import key material into a KMS key in a <a href="kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. You can also use
+ *       <code>GetParametersForImport</code> to get a public key and import token to <a href="kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport the original key material</a> into a KMS key whose key material expired or was
+ *       deleted.</p>
+ *          <p>
+ *             <code>GetParametersForImport</code> returns the items that you need to import your key
+ *       material.</p>
+ *          <ul>
+ *             <li>
+ *                <p>The public key (or "wrapping key") of an RSA key pair that KMS generates.</p>
+ *                <p>You will use this public key to encrypt ("wrap") your key material while it's in
+ *           transit to KMS. </p>
+ *             </li>
+ *             <li>
+ *                <p>A import token that ensures that KMS can decrypt your key material and associate it with the correct KMS key.</p>
+ *             </li>
+ *          </ul>
+ *          <p>The public key and its import token are permanently linked and must be used together. Each
+ *       public key and import token set is valid for 24 hours. The expiration date and time appear in
+ *       the <code>ParametersValidTo</code> field in the <code>GetParametersForImport</code> response.
+ *       You cannot use an expired public key or import token in an <a>ImportKeyMaterial</a>
+ *       request. If your key and token expire, send another <code>GetParametersForImport</code>
+ *       request.</p>
+ *          <p>
+ *             <code>GetParametersForImport</code> requires the following information:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key ID of the KMS key for which you are importing the key material.</p>
+ *             </li>
+ *             <li>
+ *                <p>The key spec of the public key ("wrapping key") that you will use to encrypt your key
+ *           material during import.</p>
+ *             </li>
+ *             <li>
+ *                <p>The wrapping algorithm that you will use with the public key to encrypt your key
+ *           material.</p>
+ *             </li>
+ *          </ul>
+ *          <p>You can use the same or a different public key spec and wrapping algorithm each time you
+ *       import or reimport the same key material. </p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
@@ -82,8 +121,8 @@ export interface GetParametersForImportCommandOutput extends GetParametersForImp
  * const client = new KMSClient(config);
  * const input = { // GetParametersForImportRequest
  *   KeyId: "STRING_VALUE", // required
- *   WrappingAlgorithm: "RSAES_PKCS1_V1_5" || "RSAES_OAEP_SHA_1" || "RSAES_OAEP_SHA_256", // required
- *   WrappingKeySpec: "RSA_2048", // required
+ *   WrappingAlgorithm: "RSAES_PKCS1_V1_5" || "RSAES_OAEP_SHA_1" || "RSAES_OAEP_SHA_256" || "RSA_AES_KEY_WRAP_SHA_1" || "RSA_AES_KEY_WRAP_SHA_256", // required
+ *   WrappingKeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096", // required
  * };
  * const command = new GetParametersForImportCommand(input);
  * const response = await client.send(command);