AddKeyReplicationRegions - AWS Payment Cryptography Control Plane

AddKeyReplicationRegions

Adds replication AWS Regions to an existing AWS Payment Cryptography key, enabling the key to be used for cryptographic operations in additional AWS Regions.

Multi-region keys allow you to use the same key material across multiple AWS Regions, providing lower latency for applications distributed across regions. When you add Replication Regions, AWS Payment Cryptography securely replicates the key material to the specified AWS Regions.

The key must be in an active state to add Replication Regions. You can add multiple regions in a single operation, and the key will be available for use in those regions once replication is complete.

Cross-account use: This operation can't be used across different AWS accounts.

Related operations:

Request Syntax

{ "KeyIdentifier": "string", "ReplicationRegions": [ "string" ] }

Request Parameters

The request accepts the following data in JSON format.

KeyIdentifier

The key identifier (ARN or alias) of the key for which to add replication regions.

This key must exist and be in a valid state for replication operations.

Type: String

Length Constraints: Minimum length of 7. Maximum length of 322.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:(key/[0-9a-zA-Z]{16,64}|alias/[a-zA-Z0-9/_-]+)$|^alias/[a-zA-Z0-9/_-]+

Required: Yes

ReplicationRegions

The list of AWS Regions to add to the key's replication configuration.

Each region must be a valid AWS Region where AWS Payment Cryptography is available. The key will be replicated to these regions, allowing cryptographic operations to be performed closer to your applications.

Type: Array of strings

Pattern: [a-z]{2}-[a-z]{1,16}-[0-9]+

Required: Yes

Response Syntax

{ "Key": { "CreateTimestamp": number, "DeletePendingTimestamp": number, "DeleteTimestamp": number, "DeriveKeyUsage": "string", "Enabled": boolean, "Exportable": boolean, "KeyArn": "string", "KeyAttributes": { "KeyAlgorithm": "string", "KeyClass": "string", "KeyModesOfUse": { "Decrypt": boolean, "DeriveKey": boolean, "Encrypt": boolean, "Generate": boolean, "NoRestrictions": boolean, "Sign": boolean, "Unwrap": boolean, "Verify": boolean, "Wrap": boolean }, "KeyUsage": "string" }, "KeyCheckValue": "string", "KeyCheckValueAlgorithm": "string", "KeyOrigin": "string", "KeyState": "string", "MultiRegionKeyType": "string", "PrimaryRegion": "string", "ReplicationStatus": { "string" : { "Status": "string", "StatusMessage": "string" } }, "UsageStartTimestamp": number, "UsageStopTimestamp": number, "UsingDefaultReplicationRegions": boolean } }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Key

The updated key metadata after adding the replication regions.

This includes the current state of the key and its replication configuration.

Type: Key object

Errors

AccessDeniedException

You do not have sufficient access to perform this action.

This exception is thrown when the caller lacks the necessary IAM permissions to perform the requested operation. Verify that your IAM policy includes the required permissions for the specific AWS Payment Cryptography action you're attempting.

HTTP Status Code: 400

ConflictException

This request can cause an inconsistent state for the resource.

The requested operation conflicts with the current state of the resource. For example, attempting to delete a key that is currently being used, or trying to create a resource that already exists.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure.

This indicates a server-side error within the AWS Payment Cryptography service. If this error persists, contact support for assistance.

HTTP Status Code: 500

ResourceNotFoundException

The request was denied due to resource not found.

The specified key, alias, or other resource does not exist in your account or region. Verify that the resource identifier is correct and that the resource exists in the expected region.

HTTP Status Code: 400

ServiceQuotaExceededException

This request would cause a service quota to be exceeded.

You have reached the maximum number of keys, aliases, or other resources allowed in your account. Review your current usage and consider deleting unused resources or requesting a quota increase.

HTTP Status Code: 400

ThrottlingException

The request was denied due to request throttling.

You have exceeded the rate limits for AWS Payment Cryptography API calls. Implement exponential backoff and retry logic in your application to handle throttling gracefully.

HTTP Status Code: 400

ValidationException

The request was denied due to an invalid request error.

One or more parameters in your request are invalid. Check the parameter values, formats, and constraints specified in the API documentation.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: