Copyright | (c) 2013-2021 Brendan Hay |
---|---|
License | Mozilla Public License, v. 2.0. |
Maintainer | Brendan Hay <brendan.g.hay+amazonka@gmail.com> |
Stability | auto-generated |
Portability | non-portable (GHC extensions) |
Safe Haskell | None |
Creates a new key-signing key (KSK) associated with a hosted zone. You can only have two KSKs per hosted zone.
Synopsis
- data CreateKeySigningKey = CreateKeySigningKey' {}
- newCreateKeySigningKey :: Text -> ResourceId -> Text -> Text -> Text -> CreateKeySigningKey
- createKeySigningKey_callerReference :: Lens' CreateKeySigningKey Text
- createKeySigningKey_hostedZoneId :: Lens' CreateKeySigningKey ResourceId
- createKeySigningKey_keyManagementServiceArn :: Lens' CreateKeySigningKey Text
- createKeySigningKey_name :: Lens' CreateKeySigningKey Text
- createKeySigningKey_status :: Lens' CreateKeySigningKey Text
- data CreateKeySigningKeyResponse = CreateKeySigningKeyResponse' {}
- newCreateKeySigningKeyResponse :: Int -> ChangeInfo -> KeySigningKey -> Text -> CreateKeySigningKeyResponse
- createKeySigningKeyResponse_httpStatus :: Lens' CreateKeySigningKeyResponse Int
- createKeySigningKeyResponse_changeInfo :: Lens' CreateKeySigningKeyResponse ChangeInfo
- createKeySigningKeyResponse_keySigningKey :: Lens' CreateKeySigningKeyResponse KeySigningKey
- createKeySigningKeyResponse_location :: Lens' CreateKeySigningKeyResponse Text
Creating a Request
data CreateKeySigningKey
See: newCreateKeySigningKey smart constructor.
CreateKeySigningKey'
newCreateKeySigningKey :: Text -> ResourceId -> Text -> Text -> Text -> CreateKeySigningKey
Create a value of CreateKeySigningKey with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:callerReference:CreateKeySigningKey', createKeySigningKey_callerReference - A unique string that identifies the request.
$sel:hostedZoneId:CreateKeySigningKey', createKeySigningKey_hostedZoneId - The unique string (ID) used to identify a hosted zone.
$sel:keyManagementServiceArn:CreateKeySigningKey', createKeySigningKey_keyManagementServiceArn - The Amazon resource name (ARN) for a customer managed customer master key (CMK) in Key Management Service (KMS). The KeyManagementServiceArn must be unique for each key-signing key (KSK) in a single hosted zone. To see an example of KeyManagementServiceArn that grants the correct permissions for DNSSEC, scroll down to Example.
You must configure the customer managed CMK as follows:
- Status: Enabled
- Key spec: ECC_NIST_P256
- Key usage: Sign and verify
- Key policy: The key policy must give permission for the following actions:
  - DescribeKey
  - GetPublicKey
  - Sign
  The key policy must also include the Amazon Route 53 service in the principal for your account. Specify the following:
  - "Service": "dnssec-route53.amazonaws.com"
For more information about working with a customer managed CMK in KMS, see Key Management Service concepts.
$sel:name:CreateKeySigningKey', createKeySigningKey_name - A string used to identify a key-signing key (KSK). Name can include numbers, letters, and underscores (_). Name must be unique for each key-signing key in the same hosted zone.
$sel:status:CreateKeySigningKey', createKeySigningKey_status - A string specifying the initial status of the key-signing key (KSK). You can set the value to ACTIVE or INACTIVE.
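
The KMS key requirements listed above for keyManagementServiceArn can be checked before the request is sent. The following is an added example, not part of amazonka or of the original documentation: it audits a key's metadata and key policy against those requirements. The `KeyState`/`KeySpec`/`KeyUsage` field names (as returned by KMS DescribeKey), the `kms:` action prefix, the function names and all sample inputs are assumptions supplied here.

```python
import json

SERVICE = "dnssec-route53.amazonaws.com"
# Assumption: actions carry the IAM "kms:" prefix; the page lists bare names.
REQUIRED_ACTIONS = ("kms:DescribeKey", "kms:GetPublicKey", "kms:Sign")
# Assumption: field names and values as returned in KMS DescribeKey KeyMetadata.
REQUIRED_METADATA = {"KeyState": "Enabled", "KeySpec": "ECC_NIST_P256",
                     "KeyUsage": "SIGN_VERIFY"}

def _listify(value):
    """Policy elements may be a single string/object or a list of them."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def preflight_ksk_key(key_metadata, policy_json):
    """Return findings; an empty list means the key meets the listed requirements.
    Simplification: Deny statements, Condition blocks and partial wildcards
    such as "kms:Get*" are not evaluated."""
    findings = [f"{field} is {key_metadata.get(field)!r}, expected {want!r}"
                for field, want in REQUIRED_METADATA.items()
                if key_metadata.get(field) != want]
    granted = set()
    for stmt in _listify(json.loads(policy_json).get("Statement")):
        principal = stmt.get("Principal")
        services = _listify(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SERVICE not in services:
            continue
        actions = {a.lower() for a in _listify(stmt.get("Action"))}
        if actions & {"*", "kms:*"}:  # full wildcard covers every required action
            actions |= {a.lower() for a in REQUIRED_ACTIONS}
        granted |= actions
    findings += [f"key policy does not allow {a} to {SERVICE}"
                 for a in REQUIRED_ACTIONS if a.lower() not in granted]
    return findings

# Constructed sample inputs (not from the page): a compliant key and a weak one.
GOOD_META = {"KeyState": "Enabled", "KeySpec": "ECC_NIST_P256", "KeyUsage": "SIGN_VERIFY"}
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": SERVICE},
    "Action": list(REQUIRED_ACTIONS), "Resource": "*"}]})
WEAK_META = dict(GOOD_META, KeySpec="RSA_2048")
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"Service": SERVICE},
    "Action": "kms:DescribeKey", "Resource": "*"}})

if __name__ == "__main__":
    for label, meta, policy in (("good", GOOD_META, GOOD_POLICY), ("weak", WEAK_META, WEAK_POLICY)):
        print(label, preflight_ksk_key(meta, policy) or "OK")
```
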
Request Lenses
createKeySigningKey_callerReference :: Lens' CreateKeySigningKey Text
A unique string that identifies the request.
createKeySigningKey_hostedZoneId :: Lens' CreateKeySigningKey ResourceId
The unique string (ID) used to identify a hosted zone.
createKeySigningKey_keyManagementServiceArn :: Lens' CreateKeySigningKey Text
The Amazon resource name (ARN) for a customer managed customer master key (CMK) in Key Management Service (KMS). The KeyManagementServiceArn must be unique for each key-signing key (KSK) in a single hosted zone. To see an example of KeyManagementServiceArn that grants the correct permissions for DNSSEC, scroll down to Example.
You must configure the customer managed CMK as follows:
- Status: Enabled
- Key spec: ECC_NIST_P256
- Key usage: Sign and verify
- Key policy: The key policy must give permission for the following actions:
  - DescribeKey
  - GetPublicKey
  - Sign
  The key policy must also include the Amazon Route 53 service in the principal for your account. Specify the following:
  - "Service": "dnssec-route53.amazonaws.com"
For more information about working with a customer managed CMK in KMS, see Key Management Service concepts.
createKeySigningKey_name :: Lens' CreateKeySigningKey Text
A string used to identify a key-signing key (KSK). Name can include numbers, letters, and underscores (_). Name must be unique for each key-signing key in the same hosted zone.
createKeySigningKey_status :: Lens' CreateKeySigningKey Text
A string specifying the initial status of the key-signing key (KSK). You can set the value to ACTIVE or INACTIVE.
Destructuring the Response
data CreateKeySigningKeyResponse
See: newCreateKeySigningKeyResponse smart constructor.
CreateKeySigningKeyResponse'
newCreateKeySigningKeyResponse :: Int -> ChangeInfo -> KeySigningKey -> Text -> CreateKeySigningKeyResponse
Create a value of CreateKeySigningKeyResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:httpStatus:CreateKeySigningKeyResponse', createKeySigningKeyResponse_httpStatus - The response's HTTP status code.
$sel:changeInfo:CreateKeySigningKeyResponse', createKeySigningKeyResponse_changeInfo - Undocumented member.
$sel:keySigningKey:CreateKeySigningKeyResponse', createKeySigningKeyResponse_keySigningKey - The key-signing key (KSK) that the request creates.
$sel:location:CreateKeySigningKeyResponse', createKeySigningKeyResponse_location - The unique URL representing the new key-signing key (KSK).
Response Lenses
createKeySigningKeyResponse_httpStatus :: Lens' CreateKeySigningKeyResponse Int
The response's HTTP status code.
createKeySigningKeyResponse_changeInfo :: Lens' CreateKeySigningKeyResponse ChangeInfo
Undocumented member.
createKeySigningKeyResponse_keySigningKey :: Lens' CreateKeySigningKeyResponse KeySigningKey
The key-signing key (KSK) that the request creates.
createKeySigningKeyResponse_location :: Lens' CreateKeySigningKeyResponse Text
The unique URL representing the new key-signing key (KSK).