| Copyright | (c) 2013-2021 Brendan Hay |
|---|---|
| License | Mozilla Public License, v. 2.0. |
| Maintainer | Brendan Hay <brendan.g.hay+amazonka@gmail.com> |
| Stability | auto-generated |
| Portability | non-portable (GHC extensions) |
| Safe Haskell | None |
Amazonka.Route53.CreateKeySigningKey
Description
Creates a new key-signing key (KSK) associated with a hosted zone. You can only have two KSKs per hosted zone.
Synopsis
- data CreateKeySigningKey = CreateKeySigningKey' {}
- newCreateKeySigningKey :: Text -> ResourceId -> Text -> Text -> Text -> CreateKeySigningKey
- createKeySigningKey_callerReference :: Lens' CreateKeySigningKey Text
- createKeySigningKey_hostedZoneId :: Lens' CreateKeySigningKey ResourceId
- createKeySigningKey_keyManagementServiceArn :: Lens' CreateKeySigningKey Text
- createKeySigningKey_name :: Lens' CreateKeySigningKey Text
- createKeySigningKey_status :: Lens' CreateKeySigningKey Text
- data CreateKeySigningKeyResponse = CreateKeySigningKeyResponse' {}
- newCreateKeySigningKeyResponse :: Int -> ChangeInfo -> KeySigningKey -> Text -> CreateKeySigningKeyResponse
- createKeySigningKeyResponse_httpStatus :: Lens' CreateKeySigningKeyResponse Int
- createKeySigningKeyResponse_changeInfo :: Lens' CreateKeySigningKeyResponse ChangeInfo
- createKeySigningKeyResponse_keySigningKey :: Lens' CreateKeySigningKeyResponse KeySigningKey
- createKeySigningKeyResponse_location :: Lens' CreateKeySigningKeyResponse Text
Creating a Request
data CreateKeySigningKey
See: newCreateKeySigningKey smart constructor.
Constructors
| CreateKeySigningKey' | |
newCreateKeySigningKey
Arguments
| :: Text | |
| -> ResourceId | |
| -> Text | |
| -> Text | |
| -> Text | |
| -> CreateKeySigningKey |
Create a value of CreateKeySigningKey with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:callerReference:CreateKeySigningKey', createKeySigningKey_callerReference - A unique string that identifies the request.
$sel:hostedZoneId:CreateKeySigningKey', createKeySigningKey_hostedZoneId - The unique string (ID) used to identify a hosted zone.
$sel:keyManagementServiceArn:CreateKeySigningKey', createKeySigningKey_keyManagementServiceArn - The Amazon resource name (ARN) for a customer managed customer master
key (CMK) in Key Management Service (KMS). The KeyManagementServiceArn
must be unique for each key-signing key (KSK) in a single hosted zone.
To see an example of KeyManagementServiceArn that grants the correct
permissions for DNSSEC, scroll down to Example.
You must configure the customer managed CMK as follows:
- Status: Enabled
- Key spec: ECC_NIST_P256
- Key usage: Sign and verify
- Key policy: The key policy must give permission for the following actions:
  - DescribeKey
  - GetPublicKey
  - Sign
The key policy must also include the Amazon Route 53 service in the principal for your account. Specify the following:
"Service": "dnssec-route53.amazonaws.com"
For more information about working with a customer managed CMK in KMS, see Key Management Service concepts.
$sel:name:CreateKeySigningKey', createKeySigningKey_name - A string used to identify a key-signing key (KSK). Name can include
numbers, letters, and underscores (_). Name must be unique for each
key-signing key in the same hosted zone.
$sel:status:CreateKeySigningKey', createKeySigningKey_status - A string specifying the initial status of the key-signing key (KSK). You
can set the value to ACTIVE or INACTIVE.
Request Lenses
createKeySigningKey_callerReference :: Lens' CreateKeySigningKey Text
A unique string that identifies the request.
createKeySigningKey_hostedZoneId :: Lens' CreateKeySigningKey ResourceId
The unique string (ID) used to identify a hosted zone.
createKeySigningKey_keyManagementServiceArn :: Lens' CreateKeySigningKey Text
The Amazon resource name (ARN) for a customer managed customer master
key (CMK) in Key Management Service (KMS). The KeyManagementServiceArn
must be unique for each key-signing key (KSK) in a single hosted zone.
To see an example of KeyManagementServiceArn that grants the correct
permissions for DNSSEC, scroll down to Example.
You must configure the customer managed CMK as follows:
- Status: Enabled
- Key spec: ECC_NIST_P256
- Key usage: Sign and verify
- Key policy: The key policy must give permission for the following actions:
  - DescribeKey
  - GetPublicKey
  - Sign
The key policy must also include the Amazon Route 53 service in the principal for your account. Specify the following:
"Service": "dnssec-route53.amazonaws.com"
For more information about working with a customer managed CMK in KMS, see Key Management Service concepts.
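A pre-flight check for the key requirements listed above, as an added example (Python, not part of amazonka or the AWS documentation). It assumes the metadata dict uses the KMS DescribeKey field names KeyState, KeySpec and KeyUsage and that the required actions appear in the key policy with the kms: prefix; the sample data is constructed. It matches exact action names or a full wildcard only and does not evaluate Deny statements or conditions.

```python
import json

REQUIRED_ACTIONS = {"kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"}
ROUTE53_DNSSEC = "dnssec-route53.amazonaws.com"

def _as_list(value):
    """Policy JSON allows most fields to be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def granted_actions(policy):
    """Actions that Allow statements grant to the Route 53 DNSSEC service principal."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        # Principal may be the bare string "*"; only a dict can name a Service.
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and ROUTE53_DNSSEC in services:
            granted.update(_as_list(stmt.get("Action")))
    return granted

def ksk_key_problems(metadata, policy):
    """Return the reasons a key fails the requirements; an empty list means it passes."""
    problems = []
    for field, want in (("KeyState", "Enabled"),
                        ("KeySpec", "ECC_NIST_P256"),
                        ("KeyUsage", "SIGN_VERIFY")):
        if metadata.get(field) != want:
            problems.append(f"{field} is {metadata.get(field)!r}, expected {want!r}")
    granted = granted_actions(policy)
    if not ({"kms:*", "*"} & granted):  # a full wildcard covers all three actions
        for action in sorted(REQUIRED_ACTIONS - granted):
            problems.append(f"{ROUTE53_DNSSEC} is not allowed {action}")
    return problems

# Constructed sample data (not real AWS output): a correctly configured P-256
# signing key whose policy statement for the service principal omits kms:Sign.
GOOD_META = {"KeyState": "Enabled", "KeySpec": "ECC_NIST_P256", "KeyUsage": "SIGN_VERIFY"}
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"Service": "dnssec-route53.amazonaws.com"},
  "Action": ["kms:DescribeKey", "kms:GetPublicKey"], "Resource": "*"}]}""")

if __name__ == "__main__":
    for line in ksk_key_problems(GOOD_META, WEAK_POLICY):
        print(line)
```

Running the check before calling CreateKeySigningKey separates a key-configuration problem from a Route 53 request error.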
createKeySigningKey_name :: Lens' CreateKeySigningKey Text
A string used to identify a key-signing key (KSK). Name can include
numbers, letters, and underscores (_). Name must be unique for each
key-signing key in the same hosted zone.
createKeySigningKey_status :: Lens' CreateKeySigningKey Text
A string specifying the initial status of the key-signing key (KSK). You
can set the value to ACTIVE or INACTIVE.
Destructuring the Response
data CreateKeySigningKeyResponse
See: newCreateKeySigningKeyResponse smart constructor.
Constructors
| CreateKeySigningKeyResponse' | |
newCreateKeySigningKeyResponse
Arguments
| :: Int | |
| -> ChangeInfo | |
| -> KeySigningKey | |
| -> Text | |
| -> CreateKeySigningKeyResponse |
Create a value of CreateKeySigningKeyResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:httpStatus:CreateKeySigningKeyResponse', createKeySigningKeyResponse_httpStatus - The response's HTTP status code.
$sel:changeInfo:CreateKeySigningKeyResponse', createKeySigningKeyResponse_changeInfo - Undocumented member.
$sel:keySigningKey:CreateKeySigningKeyResponse', createKeySigningKeyResponse_keySigningKey - The key-signing key (KSK) that the request creates.
$sel:location:CreateKeySigningKeyResponse', createKeySigningKeyResponse_location - The unique URL representing the new key-signing key (KSK).
Response Lenses
createKeySigningKeyResponse_httpStatus :: Lens' CreateKeySigningKeyResponse Int
The response's HTTP status code.
createKeySigningKeyResponse_changeInfo :: Lens' CreateKeySigningKeyResponse ChangeInfo
Undocumented member.
createKeySigningKeyResponse_keySigningKey :: Lens' CreateKeySigningKeyResponse KeySigningKey
The key-signing key (KSK) that the request creates.
createKeySigningKeyResponse_location :: Lens' CreateKeySigningKeyResponse Text
The unique URL representing the new key-signing key (KSK).