updateAlias method

Future<void> updateAlias({ required String aliasName, required String targetKeyId, })

Associates an existing AWS KMS alias with a different customer master key (CMK). Each alias is associated with only one CMK at a time, although a CMK can have multiple aliases. The alias and the CMK must be in the same AWS account and region.

The current and new CMK must be the same type (both symmetric or both asymmetric), and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This restriction prevents errors in code that uses aliases. If you must assign an alias to a different type of CMK, use DeleteAlias to delete the old alias and CreateAlias to create a new alias.

You cannot use UpdateAlias to change an alias name. To change an alias name, use DeleteAlias to delete the old alias and CreateAlias to create a new alias.

Because an alias is not a property of a CMK, you can create, update, and delete the aliases of a CMK without affecting the CMK. Also, aliases do not appear in the response from the DescribeKey operation. To get the aliases of all CMKs in the account, use the ListAliases operation.

The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.

Required permissions

• kms:UpdateAlias on the alias (IAM policy).
• kms:UpdateAlias on the current CMK (key policy).
• kms:UpdateAlias on the new CMK (key policy).

For details, see Controlling access to aliases in the AWS Key Management Service Developer Guide.

Related operations:

• CreateAlias
• DeleteAlias
• ListAliases

May throw DependencyTimeoutException. May throw NotFoundException. May throw KMSInternalException. May throw LimitExceededException. May throw KMSInvalidStateException.

Parameter aliasName : Identifies the alias that is changing its CMK. This value must begin with alias/ followed by the alias name, such as alias/ExampleAlias. You cannot use UpdateAlias to change the alias name.

Parameter targetKeyId : Identifies the customer managed CMK to associate with the alias. You don't have permission to associate an alias with an AWS managed CMK.

The CMK must be in the same AWS account and Region as the alias. Also, the new target CMK must be the same type as the current target CMK (both symmetric or both asymmetric) and they must have the same key usage.

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

To verify that the alias is mapped to the correct CMK, use ListAliases.

Implementation

Future<void> updateAlias({
  required String aliasName,
  required String targetKeyId,
}) async {
  ArgumentError.checkNotNull(aliasName, 'aliasName');
  _s.validateStringLength(
    'aliasName',
    aliasName,
    1,
    256,
    isRequired: true,
  );
  ArgumentError.checkNotNull(targetKeyId, 'targetKeyId');
  _s.validateStringLength(
    'targetKeyId',
    targetKeyId,
    1,
    2048,
    isRequired: true,
  );
  final headers = <String, String>{
    'Content-Type': 'application/x-amz-json-1.1',
    'X-Amz-Target': 'TrentService.UpdateAlias'
  };
  await _protocol.send(
    method: 'POST',
    requestUri: '/',
    exceptionFnMap: _exceptionFns,
    // TODO queryParams
    headers: headers,
    payload: {
      'AliasName': aliasName,
      'TargetKeyId': targetKeyId,
    },
  );
}