Gets information about custom key stores in the account and region.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
By default, this operation returns information about all custom key stores in the account and region. To get only information about a particular custom key store, use either the CustomKeyStoreName
or CustomKeyStoreId
parameter (but not both).
To determine whether the custom key store is connected to its AWS CloudHSM cluster, use the ConnectionState
element in the response. If an attempt to connect the custom key store failed, the ConnectionState
value is FAILED
and the ConnectionErrorCode
element in the response indicates the cause of the failure. For help interpreting the ConnectionErrorCode
, see CustomKeyStoresListEntry .
Custom key stores have a DISCONNECTED
connection state if the key store has never been connected or you use the DisconnectCustomKeyStore operation to disconnect it. If your custom key store state is CONNECTED
but you are having trouble using it, make sure that its associated AWS CloudHSM cluster is active and contains the minimum number of HSMs required for the operation, if any.
For help repairing your custom key store, see the Troubleshooting Custom Key Stores topic in the AWS Key Management Service Developer Guide .
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
describe-custom-key-stores
[--custom-key-store-id <value>]
[--custom-key-store-name <value>]
[--limit <value>]
[--marker <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--cli-auto-prompt <value>]
--custom-key-store-id
(string)
Gets only information about the specified custom key store. Enter the key store ID.
By default, this operation gets information about all custom key stores in the account and region. To limit the output to a particular custom key store, you can use either the
CustomKeyStoreId
orCustomKeyStoreName
parameter, but not both.
--custom-key-store-name
(string)
Gets only information about the specified custom key store. Enter the friendly name of the custom key store.
By default, this operation gets information about all custom key stores in the account and region. To limit the output to a particular custom key store, you can use either the
CustomKeyStoreId
orCustomKeyStoreName
parameter, but not both.
--limit
(integer)
Use this parameter to specify the maximum number of items to return. When this value is present, AWS KMS does not return more than the specified number of items, but it might return fewer.
--marker
(string)
Use this parameter in a subsequent request after you receive a response with truncated results. Set it to the value of
NextMarker
from the truncated response you just received.
--cli-input-json
| --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml
.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. Similarly, if provided yaml-input
it will print a sample input YAML that can be used with --cli-input-yaml
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command.
--cli-auto-prompt
(boolean)
Automatically prompt for CLI input parameters.
See ‘aws help’ for descriptions of global parameters.
To get details about a custom key store
The following describe-custom-key-store
example displays details for the specified custom key store. You can use this command to get details about a particular custom key store or all custom key stores in an AWS account and Region.
To identify a particular custom key store, this example uses the custom-key-store-name
parameter with the key store name. If you prefer, you can use the custom-key-store-id
parameter with the key store ID. To get all custom key stores in the account and Region, omit all parameters.
aws kms describe-custom-key-stores \
--custom-key-store-name ExampleKeyStore
The output of this command includes useful details about the custom key store including its connection state (ConnectionState
). If the connection state is FAILED
, the output includes a ConnectionErrorCode
field that describes the problem.
{
"CustomKeyStores": [
{
"CloudHsmClusterId": "cluster-1a23b4cdefg",
"ConnectionState": "CONNECTED",
"CreationDate": "1.599288695918E9",
"CustomKeyStoreId": "cks-1234567890abcdef0",
"CustomKeyStoreName": "ExampleKeyStore",
"TrustAnchorCertificate": "<certificate appears here>"
}
]
}
For more information, see Viewing a Custom Key Store in the AWS Key Management Service Developer Guide.
CustomKeyStores -> (list)
Contains metadata about each custom key store.
(structure)
Contains information about each custom key store in the custom key store list.
CustomKeyStoreId -> (string)
A unique identifier for the custom key store.
CustomKeyStoreName -> (string)
The user-specified friendly name for the custom key store.
CloudHsmClusterId -> (string)
A unique identifier for the AWS CloudHSM cluster that is associated with the custom key store.
TrustAnchorCertificate -> (string)
The trust anchor certificate of the associated AWS CloudHSM cluster. When you initialize the cluster , you create this certificate and save it in the
customerCA.crt
file.ConnectionState -> (string)
Indicates whether the custom key store is connected to its AWS CloudHSM cluster.
You can create and use CMKs in your custom key stores only when its connection state is
CONNECTED
.The value is
DISCONNECTED
if the key store has never been connected or you use the DisconnectCustomKeyStore operation to disconnect it. If the value isCONNECTED
but you are having trouble using the custom key store, make sure that its associated AWS CloudHSM cluster is active and contains at least one active HSM.A value of
FAILED
indicates that an attempt to connect was unsuccessful. TheConnectionErrorCode
field in the response indicates the cause of the failure. For help resolving a connection failure, see Troubleshooting a Custom Key Store in the AWS Key Management Service Developer Guide .ConnectionErrorCode -> (string)
Describes the connection error. This field appears in the response only when the
ConnectionState
isFAILED
. For help resolving these errors, see How to Fix a Connection Failure in AWS Key Management Service Developer Guide .Valid values are:
CLUSTER_NOT_FOUND
- AWS KMS cannot find the AWS CloudHSM cluster with the specified cluster ID.
INSUFFICIENT_CLOUDHSM_HSMS
- The associated AWS CloudHSM cluster does not contain any active HSMs. To connect a custom key store to its AWS CloudHSM cluster, the cluster must contain at least one active HSM.
INTERNAL_ERROR
- AWS KMS could not complete the request due to an internal error. Retry the request. ForConnectCustomKeyStore
requests, disconnect the custom key store before trying to connect again.
INVALID_CREDENTIALS
- AWS KMS does not have the correct password for thekmsuser
crypto user in the AWS CloudHSM cluster. Before you can connect your custom key store to its AWS CloudHSM cluster, you must change thekmsuser
account password and update the key store password value for the custom key store.
NETWORK_ERRORS
- Network errors are preventing AWS KMS from connecting to the custom key store.
SUBNET_NOT_FOUND
- A subnet in the AWS CloudHSM cluster configuration was deleted. If AWS KMS cannot find all of the subnets in the cluster configuration, attempts to connect the custom key store to the AWS CloudHSM cluster fail. To fix this error, create a cluster from a recent backup and associate it with your custom key store. (This process creates a new cluster configuration with a VPC and private subnets.) For details, see How to Fix a Connection Failure in the AWS Key Management Service Developer Guide .
USER_LOCKED_OUT
- Thekmsuser
CU account is locked out of the associated AWS CloudHSM cluster due to too many failed password attempts. Before you can connect your custom key store to its AWS CloudHSM cluster, you must change thekmsuser
account password and update the key store password value for the custom key store.
USER_LOGGED_IN
- Thekmsuser
CU account is logged into the the associated AWS CloudHSM cluster. This prevents AWS KMS from rotating thekmsuser
account password and logging into the cluster. Before you can connect your custom key store to its AWS CloudHSM cluster, you must log thekmsuser
CU out of the cluster. If you changed thekmsuser
password to log into the cluster, you must also and update the key store password value for the custom key store. For help, see How to Log Out and Reconnect in the AWS Key Management Service Developer Guide .
USER_NOT_FOUND
- AWS KMS cannot find akmsuser
CU account in the associated AWS CloudHSM cluster. Before you can connect your custom key store to its AWS CloudHSM cluster, you must create akmsuser
CU account in the cluster, and then update the key store password value for the custom key store.CreationDate -> (timestamp)
The date and time when the custom key store was created.
NextMarker -> (string)
When
Truncated
is true, this element is present and contains the value to use for theMarker
parameter in a subsequent request.
Truncated -> (boolean)
A flag that indicates whether there are more items in the list. When this value is true, the list in this response is truncated. To get more items, pass the value of the
NextMarker
element in thisresponse to theMarker
parameter in a subsequent request.