**Example 1: To create an AWS CloudHSM key store**
The following ``create-custom-key-store`` example creates an AWS CloudHSM key store backed by an AWS CloudHSM cluster using the required parameters. You can also add the ``custom-key-store-type``parameter with the default value: ``AWS_CLOUDHSM``.
To specify the file input for the ``trust-anchor-certificate`` command in the AWS CLI, the ``file://`` prefix is required. ::
aws kms create-custom-key-store \
--custom-key-store-name ExampleCloudHSMKeyStore \
--cloud-hsm-cluster-id cluster-1a23b4cdefg \
--key-store-password kmsPswd \
--trust-anchor-certificate file://customerCA.crt
Output::
{
"CustomKeyStoreId": cks-1234567890abcdef0
}
For more information, see `Creating an AWS CloudHSM key store <https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html>`__ in the *AWS Key Management Service Developer Guide*.
**Example 2: To create an external key store with public endpoint connectivity**
The following ``create-custom-key-store`` example creates an external key store (XKS) that communicates with AWS KMS over the internet.
In this example, the ``XksProxyUriPath`` uses an optional prefix of ``example-prefix``.
NOTE: If you use AWS CLI version 1.0, run the following command before specifying a parameter with an HTTP or HTTPS value, such as the XksProxyUriEndpoint parameter. ::
aws configure set cli_follow_urlparam false
Otherwise, AWS CLI version 1.0 replaces the parameter value with the content found at that URI address. ::
aws kms create-custom-key-store \
--custom-key-store-name ExamplePublicEndpointXKS \
--custom-key-store-type EXTERNAL_KEY_STORE \
--xks-proxy-connectivity PUBLIC_ENDPOINT \
--xks-proxy-uri-endpoint "https://myproxy.xks.example.com" \
--xks-proxy-uri-path "/example-prefix/kms/xks/v1" \
--xks-proxy-authentication-credential "AccessKeyId=ABCDE12345670EXAMPLE, RawSecretAccessKey=DXjSUawnel2fr6SKC7G25CNxTyWKE5PF9XX6H/u9pSo="
Output::
{
"CustomKeyStoreId": cks-2234567890abcdef0
}
For more information, see `Creating an external key store <https://docs.aws.amazon.com/kms/latest/developerguide/create-keystorecreate-xks-keystore.html>`__ in the *AWS Key Management Service Developer Guide*.
**Example 3: To create an external key store with VPC endpoint service connectivity**
The following ``create-custom-key-store`` example creates an external key store (XKS) that uses an Amazon VPC endpoint service to communicate with AWS KMS.
NOTE: If you use AWS CLI version 1.0, run the following command before specifying a parameter with an HTTP or HTTPS value, such as the XksProxyUriEndpoint parameter. ::
aws configure set cli_follow_urlparam false
Otherwise, AWS CLI version 1.0 replaces the parameter value with the content found at that URI address. ::
aws kms create-custom-key-store \
--custom-key-store-name ExampleVPCEndpointXKS \
--custom-key-store-type EXTERNAL_KEY_STORE \
--xks-proxy-connectivity VPC_ENDPOINT_SERVICE \
--xks-proxy-uri-endpoint "https://myproxy-private.xks.example.com" \
--xks-proxy-uri-path "/kms/xks/v1" \
--xks-proxy-vpc-endpoint-service-name "com.amazonaws.vpce.us-east-1.vpce-svc-example1" \
--xks-proxy-authentication-credential "AccessKeyId=ABCDE12345670EXAMPLE, RawSecretAccessKey=DXjSUawnel2fr6SKC7G25CNxTyWKE5PF9XX6H/u9pSo="
Output::
{
"CustomKeyStoreId": cks-3234567890abcdef0
}
For more information, see `Creating an external key store <https://docs.aws.amazon.com/kms/latest/developerguide/create-keystorecreate-xks-keystore.html>`__ in the *AWS Key Management Service Developer Guide*.