

An API client for AWS Key Management Service.

To construct a client, you need to configure a :region and :credentials.

    client = Aws::KMS::Client.new(
      region: region_name,
      credentials: credentials,
      # ...
    )

See #initialize for a full list of supported configuration options.

You can configure a default region in the following locations:

Credentials

Default credentials are loaded automatically from the following locations:

- The shared credentials ini file at ~/.aws/credentials (more information)
- From an instance profile when running on EC2

You can also construct a credentials object from one of the following

Alternatively, you configure credentials with :access_key_id and :secret_access_key:

    require 'yaml'

    # load credentials from disk (a YAML file with access_key_id / secret_access_key keys)
    creds = YAML.load(File.read('/path/to/secrets'))

    Aws::KMS::Client.new(
      access_key_id: creds['access_key_id'],
      secret_access_key: creds['secret_access_key']
    )

Always load your credentials from outside your application. Avoid configuring credentials statically and never commit them to source control.

Connects or reconnects a custom key store to its associated AWS CloudHSM cluster.

The custom key store must be connected before you can create customer master keys (CMKs) in the key store or use the CMKs it contains. You can disconnect and reconnect a custom key store at any time.

To connect a custom key store, its associated AWS CloudHSM cluster must have at least one active HSM. To get the number of active HSMs in a cluster, use the DescribeClusters operation. To add HSMs to the cluster, use the CreateHsm operation. Also, the kmsuser crypto user (CU) must not be logged into the cluster. This prevents AWS KMS from using this account to log in.

The connection process can take an extended amount of time to complete, up to 20 minutes. This operation starts the connection process, but it does not wait for it to complete. When it succeeds, this operation quickly returns an HTTP 200 response and a JSON object with no properties. However, this response does not indicate that the custom key store is connected. To get the connection state of the custom key store, use the DescribeCustomKeyStores operation.

During the connection process, AWS KMS finds the AWS CloudHSM cluster that is associated with the custom key store, creates the connection infrastructure, connects to the cluster, logs into the AWS CloudHSM client as the kmsuser CU, and rotates its password.

The ConnectCustomKeyStore operation might fail for various reasons. To find the reason, use the DescribeCustomKeyStores operation and see the ConnectionErrorCode in the response.
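The connect-then-poll sequence described above, as an added example that is not part of the SDK documentation: it starts the connection, treats the empty HTTP 200 only as "started", and polls DescribeCustomKeyStores until the state is CONNECTED or FAILED (reading ConnectionErrorCode in the failure case) within the documented 20-minute budget. The Aws::KMS::Client method names (connect_custom_key_store, describe_custom_key_stores with a custom_key_store_id keyword) and the response fields (custom_key_stores, connection_state, connection_error_code) are assumed from the SDK's snake_case conventions; FakeKmsClient, fake_clock and the state sequences are constructed stand-ins so the code runs offline.

```ruby
# Added example (not from the SDK docs): start a custom key store connection,
# then poll DescribeCustomKeyStores for the real connection state instead of
# trusting the empty HTTP 200 that ConnectCustomKeyStore returns.
#
# Assumed SDK surface (aws-sdk-kms snake_case conventions):
#   client.connect_custom_key_store(custom_key_store_id: id)
#   client.describe_custom_key_stores(custom_key_store_id: id)
#     -> resp.custom_key_stores[0].connection_state      ("CONNECTING", "CONNECTED", "FAILED", ...)
#     -> resp.custom_key_stores[0].connection_error_code (set when state is "FAILED")

# Outcome of one connect attempt: :connected, :failed (with error code) or :timeout.
ConnectResult = Struct.new(:state, :error_code, :polls)

# Drive the connect-then-poll sequence. `clock` and `sleeper` are injected so the
# 20-minute budget can be exercised without actually waiting.
def connect_custom_key_store_and_wait(client, key_store_id,
                                      timeout_seconds: 20 * 60,
                                      poll_interval: 30,
                                      clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) },
                                      sleeper: ->(s) { sleep(s) })
  # A 200 with an empty body only means the connection process has *started*.
  client.connect_custom_key_store(custom_key_store_id: key_store_id)

  started = clock.call
  polls = 0
  loop do
    polls += 1
    store = client.describe_custom_key_stores(custom_key_store_id: key_store_id)
                  .custom_key_stores.first
    case store.connection_state
    when 'CONNECTED'
      return ConnectResult.new(:connected, nil, polls)
    when 'FAILED'
      # ConnectionErrorCode says why (for example a kmsuser that is still logged in).
      return ConnectResult.new(:failed, store.connection_error_code, polls)
    end
    return ConnectResult.new(:timeout, nil, polls) if clock.call - started >= timeout_seconds
    sleeper.call(poll_interval)
  end
end

# --- Constructed stand-in for Aws::KMS::Client so this runs offline -----------
StoreRecord = Struct.new(:custom_key_store_id, :connection_state, :connection_error_code)
DescribeResponse = Struct.new(:custom_key_stores)

class FakeKmsClient
  # `states` is the sequence of connection states DescribeCustomKeyStores reports
  # on successive calls; the last one repeats forever.
  def initialize(states, error_code: nil)
    @states = states.dup
    @error_code = error_code
  end

  def connect_custom_key_store(custom_key_store_id:)
    {} # empty JSON object, as the real operation returns on success
  end

  def describe_custom_key_stores(custom_key_store_id:)
    state = @states.size > 1 ? @states.shift : @states.first
    code = state == 'FAILED' ? @error_code : nil
    DescribeResponse.new([StoreRecord.new(custom_key_store_id, state, code)])
  end
end

# Constructed monotonic clock: every call advances by `step` seconds.
def fake_clock(step)
  t = 0
  -> { t += step }
end

if __FILE__ == $PROGRAM_NAME
  result = connect_custom_key_store_and_wait(
    FakeKmsClient.new(%w[CONNECTING CONNECTING CONNECTED]), 'cks-example-id',
    clock: fake_clock(30), sleeper: ->(_) {}
  )
  puts "#{result.state} after #{result.polls} polls"
end
```

With a real client, drop the `clock:` and `sleeper:` arguments; the defaults use the monotonic clock and a 30-second sleep between polls, which keeps the call well under the 20-minute ceiling the operation documents.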
