GenerateDataKeyWithoutPlaintext
Generates an encrypted data key that you can use in your application.
Description
The GenerateDataKeyWithoutPlaintext operation returns only the encrypted copy of the data key. This operation is useful when you need to generate a data key but don't need to use it immediately.
Note
- The KMS key that you use for this operation must be in a compatible key state.
- This operation is identical to GenerateDataKey but returns only the encrypted copy of the data key.
- To get the plaintext data key, call the Decrypt operation on the encrypted data key.
- This operation is useful when you need to move encrypted data keys across security boundaries.
Request Syntax
Headers
| Name | Description | Required | Type |
|---|---|---|---|
| Content-Type | Must be "application/x-amz-json-1.1" | Yes | string |
| X-Amz-Target | Must be "TrentService.GenerateDataKeyWithoutPlaintext" | Yes | string |
Request Body
| Name | Description | Required | Type |
|---|---|---|---|
| KeyId | The identifier of the KMS key to use to encrypt the data key. This can be the key ID or key ARN of the KMS key. | Yes | string |
| KeySpec | The length and type of data key to generate. Valid Values: AES_256, AES_128. | No | string |
| NumberOfBytes | The length of the data key in bytes. Use either this parameter or KeySpec, but not both. | No | number |
| EncryptionContext | A set of key-value pairs that will be cryptographically bound to the data key. | No | object |
| GrantTokens | A list of grant tokens that represent grants that can be used to generate the data key. | No | array |
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.GenerateDataKeyWithoutPlaintext
{
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeySpec": "AES_256",
    "EncryptionContext": {
        "Department": "Finance"
    }
}
The KeyId and EncryptionContext values shown are placeholders for user input and should be replaced with actual values.
Response Elements
| Name | Description | Required | Type |
|---|---|---|---|
| CiphertextBlob | The encrypted copy of the data key. | No | String |
| KeyId | The Amazon Resource Name (ARN) of the KMS key that was used to encrypt the data key. | No | String |
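As an added example (not code from this page or from AWS), the following Python helper builds the request shown above, enforcing the documented KeySpec/NumberOfBytes and EncryptionContext rules client-side, and checks the response KeyId against the key you intended to use. The sample response and key ARN are constructed, and request signing is assumed to be handled by the SDK or transport layer.

```python
import json

# Protocol constants as documented on the page for this operation.
CONTENT_TYPE = "application/x-amz-json-1.1"
TARGET = "TrentService.GenerateDataKeyWithoutPlaintext"
VALID_KEY_SPECS = ("AES_256", "AES_128")

# Constructed sample response (not a real KMS reply); the blob is a placeholder string.
EXPECTED_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
                    "1234abcd-12ab-34cd-56ef-1234567890ab")
SAMPLE_RESPONSE = json.dumps({"CiphertextBlob": "placeholder-ciphertext-blob",
                              "KeyId": EXPECTED_KEY_ARN})


def build_request(key_id, key_spec=None, number_of_bytes=None,
                  encryption_context=None, grant_tokens=None):
    """Return (headers, body) for one call, enforcing the documented rules
    client-side: exactly one of KeySpec / NumberOfBytes, KeySpec from the
    valid set, and string-only EncryptionContext pairs."""
    if (key_spec is None) == (number_of_bytes is None):
        raise ValueError("use either KeySpec or NumberOfBytes, not both or neither")
    body = {"KeyId": key_id}
    if key_spec is not None:
        if key_spec not in VALID_KEY_SPECS:
            raise ValueError(f"KeySpec must be one of {VALID_KEY_SPECS}")
        body["KeySpec"] = key_spec
    else:
        if not isinstance(number_of_bytes, int) or number_of_bytes <= 0:
            raise ValueError("NumberOfBytes must be a positive integer")
        body["NumberOfBytes"] = number_of_bytes
    if encryption_context:
        # The context is bound to the data key and Decrypt must be given the
        # exact same pairs, so callers should persist it next to the blob.
        if not all(isinstance(k, str) and isinstance(v, str)
                   for k, v in encryption_context.items()):
            raise ValueError("EncryptionContext keys and values must be strings")
        body["EncryptionContext"] = dict(encryption_context)
    if grant_tokens:
        body["GrantTokens"] = list(grant_tokens)
    headers = {"Content-Type": CONTENT_TYPE, "X-Amz-Target": TARGET}
    return headers, json.dumps(body, separators=(",", ":"), sort_keys=True)


def parse_response(body, expected_key_arn):
    """Return (CiphertextBlob, KeyId); the response KeyId is the ARN of the key
    actually used, so a mismatch means the request resolved to the wrong key."""
    resp = json.loads(body)
    if resp.get("KeyId") != expected_key_arn:
        raise ValueError(f"data key wrapped by unexpected key: {resp.get('KeyId')!r}")
    return resp["CiphertextBlob"], resp["KeyId"]
```

Store the returned CiphertextBlob together with the EncryptionContext you sent; both are needed for the later Decrypt call.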
Special Errors
| Error Code | Description |
|---|---|
| DependencyTimeoutException | The system timed out while trying to fulfill the request. |
| DisabledException | The request was rejected because the specified KMS key is disabled. |
| InvalidGrantTokenException | The request was rejected because the specified grant token is not valid. |
| InvalidKeyUsageException | The request was rejected because the specified KeyId value cannot be used for this operation. |
| KeyUnavailableException | The request was rejected because the specified KMS key was not available. |
| KMSInternalException | An internal error occurred. |
| KMSInvalidStateException | The request was rejected because the key state is not valid for this operation. |
| NotFoundException | The request was rejected because the specified key was not found. |
Permissions
To use the GenerateDataKeyWithoutPlaintext operation, you must have the following permissions:
kms:GenerateDataKeyWithoutPlaintext on the KMS key (specified in the key policy)