Changes the properties of a custom key store. Use the CustomKeyStoreId
parameter to identify the custom key store you want to edit. Use the remaining parameters to change the properties of the custom key store.
You can only update a custom key store that is disconnected. To disconnect the custom key store, use DisconnectCustomKeyStore . To reconnect the custom key store after the update completes, use ConnectCustomKeyStore . To find the connection state of a custom key store, use the DescribeCustomKeyStores operation.
The CustomKeyStoreId
parameter is required in all commands. Use the other parameters of UpdateCustomKeyStore
to edit your key store settings.
Use the NewCustomKeyStoreName
parameter to change the friendly name of the custom key store to the value that you specify.
Use the KeyStorePassword
parameter tell KMS the current password of the ` kmsuser
crypto user (CU) <https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser>`__ in the associated CloudHSM cluster. You can use this parameter to fix connection failures that occur when KMS cannot log into the associated cluster because the kmsuser
password has changed. This value does not change the password in the CloudHSM cluster.
Use the CloudHsmClusterId
parameter to associate the custom key store with a different, but related, CloudHSM cluster. You can use this parameter to repair a custom key store if its CloudHSM cluster becomes corrupted or is deleted, or when you need to create or restore a cluster from a backup.
If the operation succeeds, it returns a JSON object with no properties.
This operation is part of the custom key store feature feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a single-tenant key store.
Cross-account use : No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
Required permissions : kms:UpdateCustomKeyStore (IAM policy)
Related operations:
ConnectCustomKeyStore
CreateCustomKeyStore
DeleteCustomKeyStore
DescribeCustomKeyStores
DisconnectCustomKeyStore
See also: AWS API Documentation
update-custom-key-store
--custom-key-store-id <value>
[--new-custom-key-store-name <value>]
[--key-store-password <value>]
[--cloud-hsm-cluster-id <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]
--custom-key-store-id
(string)
Identifies the custom key store that you want to update. Enter the ID of the custom key store. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
--new-custom-key-store-name
(string)
Changes the friendly name of the custom key store to the value that you specify. The custom key store name must be unique in the Amazon Web Services account.
--key-store-password
(string)
Enter the current password of the
kmsuser
crypto user (CU) in the CloudHSM cluster that is associated with the custom key store.This parameter tells KMS the current password of the
kmsuser
crypto user (CU). It does not set or change the password of any users in the CloudHSM cluster.
--cloud-hsm-cluster-id
(string)
Associates the custom key store with a related CloudHSM cluster.
Enter the cluster ID of the cluster that you used to create the custom key store or a cluster that shares a backup history and has the same cluster certificate as the original cluster. You cannot use this parameter to associate a custom key store with an unrelated cluster. In addition, the replacement cluster must fulfill the requirements for a cluster associated with a custom key store. To view the cluster certificate of a cluster, use the DescribeClusters operation.
--cli-input-json
| --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml
.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. Similarly, if provided yaml-input
it will print a sample input YAML that can be used with --cli-input-yaml
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.
--debug
(boolean)
Turn on debug logging.
--endpoint-url
(string)
Override command’s default URL with the given URL.
--no-verify-ssl
(boolean)
By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.
--no-paginate
(boolean)
Disable automatic pagination.
--output
(string)
The formatting style for command output.
json
text
table
yaml
yaml-stream
--query
(string)
A JMESPath query to use in filtering the response data.
--profile
(string)
Use a specific profile from your credential file.
--region
(string)
The region to use. Overrides config/env settings.
--version
(string)
Display the version of this tool.
--color
(string)
Turn on/off color output.
on
off
auto
--no-sign-request
(boolean)
Do not sign requests. Credentials will not be loaded if this argument is provided.
--ca-bundle
(string)
The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.
--cli-read-timeout
(int)
The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.
--cli-connect-timeout
(int)
The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.
--cli-binary-format
(string)
The formatting style to be used for binary blobs. The default format is base64. The base64 format expects binary blobs to be provided as a base64 encoded string. The raw-in-base64-out format preserves compatibility with AWS CLI V1 behavior and binary values must be passed literally. When providing contents from a file that map to a binary blob fileb://
will always be treated as binary and use the file contents directly regardless of the cli-binary-format
setting. When using file://
the file contents will need to properly formatted for the configured cli-binary-format
.
base64
raw-in-base64-out
--no-cli-pager
(boolean)
Disable cli pager for output.
--cli-auto-prompt
(boolean)
Automatically prompt for CLI input parameters.
--no-cli-auto-prompt
(boolean)
Disable automatically prompt for CLI input parameters.
Note
To use the following examples, you must have the AWS CLI installed and configured. See the Getting started guide in the AWS CLI User Guide for more information.
Unless otherwise stated, all examples have unix-like quotation rules. These examples will need to be adapted to your terminal’s quoting rules. See Using quotation marks with strings in the AWS CLI User Guide .
To edit custom key store settings
The following update-custom-key-store
example provides the current password for the kmsuser
in the CloudHSM cluster that is associated with the specified key store. This command doesn’t change the kmsuser
password. It just tells AWS KMS the current password. If KMS doesn’t have the current kmsuser
password, it cannot connect to the custom key store.
NOTE: Before updating the custom key store, you must disconnect it. Use the disconnect-custom-key-store
command. After the command completes, you can reconnect the custom key store. Use the connect-custom-key-store
command.
aws kms update-custom-key-store \
--custom-key-store-id cks-1234567890abcdef0 \
--key-store-password ExamplePassword
This command does not return any output. To verify that the password change was effective, connect the custom key store.
For more information, see Editing custom key store settings in the AWS Key Management Service Developer Guide.
None