createCustomKeyStore method

Future<CreateCustomKeyStoreResponse> createCustomKeyStore({
  required String customKeyStoreName,
  String? cloudHsmClusterId,
  CustomKeyStoreType? customKeyStoreType,
  String? keyStorePassword,
  String? trustAnchorCertificate,
  XksProxyAuthenticationCredentialType? xksProxyAuthenticationCredential,
  XksProxyConnectivityType? xksProxyConnectivity,
  String? xksProxyUriEndpoint,
  String? xksProxyUriPath,
  String? xksProxyVpcEndpointServiceName,
  String? xksProxyVpcEndpointServiceOwner,
})

Creates a custom key store backed by a key store that you own and manage. When you use a KMS key in a custom key store for a cryptographic operation, the cryptographic operation is actually performed in your key store using your keys. KMS supports CloudHSM key stores backed by a CloudHSM cluster, and external key stores backed by an external key store proxy and an external key manager outside of Amazon Web Services.

This operation is part of the custom key stores feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage.

Before you create the custom key store, the required elements must be in place and operational. We recommend that you use the test tools that KMS provides to verify the configuration of your external key store proxy. For details about the required elements and verification tests, see Assemble the prerequisites (for CloudHSM key stores) or Assemble the prerequisites (for external key stores) in the Key Management Service Developer Guide.

To create a custom key store, use the following parameters.

  • To create a CloudHSM key store, specify the CustomKeyStoreName, CloudHsmClusterId, KeyStorePassword, and TrustAnchorCertificate. The CustomKeyStoreType parameter is optional for CloudHSM key stores. If you include it, set it to the default value, AWS_CLOUDHSM. For help with failures, see Troubleshooting a CloudHSM key store in the Key Management Service Developer Guide.
  • To create an external key store, specify the CustomKeyStoreName and a CustomKeyStoreType of EXTERNAL_KEY_STORE. Also, specify values for XksProxyConnectivity, XksProxyAuthenticationCredential, XksProxyUriEndpoint, and XksProxyUriPath. If your XksProxyConnectivity value is VPC_ENDPOINT_SERVICE, specify the XksProxyVpcEndpointServiceName parameter. For help with failures, see Troubleshooting an external key store in the Key Management Service Developer Guide.

Implementation

Future<CreateCustomKeyStoreResponse> createCustomKeyStore({
  required String customKeyStoreName,
  String? cloudHsmClusterId,
  CustomKeyStoreType? customKeyStoreType,
  String? keyStorePassword,
  String? trustAnchorCertificate,
  XksProxyAuthenticationCredentialType? xksProxyAuthenticationCredential,
  XksProxyConnectivityType? xksProxyConnectivity,
  String? xksProxyUriEndpoint,
  String? xksProxyUriPath,
  String? xksProxyVpcEndpointServiceName,
  String? xksProxyVpcEndpointServiceOwner,
}) async {
  final headers = <String, String>{
    'Content-Type': 'application/x-amz-json-1.1',
    'X-Amz-Target': 'TrentService.CreateCustomKeyStore'
  };
  final jsonResponse = await _protocol.send(
    method: 'POST',
    requestUri: '/',
    exceptionFnMap: _exceptionFns,
    // TODO queryParams
    headers: headers,
    payload: {
      'CustomKeyStoreName': customKeyStoreName,
      if (cloudHsmClusterId != null) 'CloudHsmClusterId': cloudHsmClusterId,
      if (customKeyStoreType != null)
        'CustomKeyStoreType': customKeyStoreType.value,
      if (keyStorePassword != null) 'KeyStorePassword': keyStorePassword,
      if (trustAnchorCertificate != null)
        'TrustAnchorCertificate': trustAnchorCertificate,
      if (xksProxyAuthenticationCredential != null)
        'XksProxyAuthenticationCredential': xksProxyAuthenticationCredential,
      if (xksProxyConnectivity != null)
        'XksProxyConnectivity': xksProxyConnectivity.value,
      if (xksProxyUriEndpoint != null)
        'XksProxyUriEndpoint': xksProxyUriEndpoint,
      if (xksProxyUriPath != null) 'XksProxyUriPath': xksProxyUriPath,
      if (xksProxyVpcEndpointServiceName != null)
        'XksProxyVpcEndpointServiceName': xksProxyVpcEndpointServiceName,
      if (xksProxyVpcEndpointServiceOwner != null)
        'XksProxyVpcEndpointServiceOwner': xksProxyVpcEndpointServiceOwner,
    },
  );

  return CreateCustomKeyStoreResponse.fromJson(jsonResponse.body);
}
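The parameter rules above are only enforced server-side, so a failed call costs a round trip and surfaces as a KMS exception. The following pre-flight check is an added example, not part of this SDK: it validates a payload map using the same JSON keys the implementation builds (CloudHSM key stores need cluster id, password and trust anchor; external key stores need the four XksProxy settings, plus XksProxyVpcEndpointServiceName when connectivity is VPC_ENDPOINT_SERVICE). The sample values, the KMSUSER_PASSWORD environment variable and the placeholder credential object are constructed for the example.

```dart
import 'dart:io';

/// Returns the list of rule violations for a CreateCustomKeyStore payload;
/// an empty list means the parameter combination matches the documented rules.
List<String> checkCreateCustomKeyStorePayload(Map<String, Object?> p) {
  final errors = <String>[];
  String? str(String k) => p[k] as String?;
  bool missing(String k) => str(k) == null || str(k)!.isEmpty;

  if (missing('CustomKeyStoreName')) errors.add('CustomKeyStoreName is required');

  // CustomKeyStoreType is optional and defaults to AWS_CLOUDHSM.
  final type = str('CustomKeyStoreType') ?? 'AWS_CLOUDHSM';
  switch (type) {
    case 'AWS_CLOUDHSM':
      for (final k in ['CloudHsmClusterId', 'KeyStorePassword', 'TrustAnchorCertificate']) {
        if (missing(k)) errors.add('$k is required for AWS_CLOUDHSM');
      }
      break;
    case 'EXTERNAL_KEY_STORE':
      // The credential is an object, not a string, so only check presence.
      for (final k in ['XksProxyConnectivity', 'XksProxyAuthenticationCredential',
                       'XksProxyUriEndpoint', 'XksProxyUriPath']) {
        if (p[k] == null) errors.add('$k is required for EXTERNAL_KEY_STORE');
      }
      if (str('XksProxyConnectivity') == 'VPC_ENDPOINT_SERVICE' &&
          missing('XksProxyVpcEndpointServiceName')) {
        errors.add('XksProxyVpcEndpointServiceName is required with VPC_ENDPOINT_SERVICE');
      }
      break;
    default:
      errors.add('Unknown CustomKeyStoreType: $type');
  }
  return errors;
}

void main() {
  // Constructed sample payloads; identifiers are placeholders, not real resources.
  final cloudHsm = <String, Object?>{
    'CustomKeyStoreName': 'example-hsm-store',
    'CloudHsmClusterId': 'cluster-EXAMPLE',
    // The kmsuser password is a secret: read it from the environment, never hard-code it.
    'KeyStorePassword': Platform.environment['KMSUSER_PASSWORD'] ?? '',
    'TrustAnchorCertificate': '-----BEGIN CERTIFICATE-----\nEXAMPLE\n-----END CERTIFICATE-----',
  };
  final external = <String, Object?>{
    'CustomKeyStoreName': 'example-xks-store',
    'CustomKeyStoreType': 'EXTERNAL_KEY_STORE',
    'XksProxyConnectivity': 'VPC_ENDPOINT_SERVICE',
    'XksProxyAuthenticationCredential': {'placeholder': 'credential object'},
    'XksProxyUriEndpoint': 'https://xks-proxy.example.com',
    'XksProxyUriPath': '/example/kms/xks/v1',
    // XksProxyVpcEndpointServiceName deliberately omitted to trigger the check.
  };
  print(checkCreateCustomKeyStorePayload(cloudHsm));
  print(checkCreateCustomKeyStorePayload(external));
}
```

Run it with KMSUSER_PASSWORD unset and the CloudHSM payload reports the missing password, while the external payload reports the missing VpcEndpointServiceName; both mirror the errors KMS itself would return after a network call.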