GenerateRandom - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

GenerateRandom

Returns a random byte string that is cryptographically secure.

You must use the NumberOfBytes parameter to specify the length of the random byte string. There is no default value for string length.

By default, the random byte string is generated in Amazon KMS. To generate the byte string in the Amazon CloudHSM cluster associated with an Amazon CloudHSM key store, use the CustomKeyStoreId parameter.

Applications in Amazon Nitro Enclaves can call this operation by using the Amazon Nitro Enclaves Development Kit. For information about the supporting parameters, see How Amazon Nitro Enclaves use Amazon KMS in the Amazon Key Management Service Developer Guide.

For more information about entropy and random number generation, see Amazon Key Management Service Cryptographic Details.

Cross-account use: Not applicable. GenerateRandom does not use any account-specific resources, such as KMS keys.

Required permissions: kms:GenerateRandom (IAM policy)

Request Syntax

{
   "CustomKeyStoreId": "string",
   "NumberOfBytes": number
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

Note

In the following list, the required parameters are described first.

CustomKeyStoreId

Generates the random byte string in the Amazon CloudHSM cluster that is associated with the specified Amazon CloudHSM key store. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.

External key store IDs are not valid for this parameter. If you specify the ID of an external key store, GenerateRandom throws an UnsupportedOperationException.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 64.

Required: No

NumberOfBytes

The length of the random byte string. This parameter is required.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 1024.

Required: No

Response Syntax

{
   "Plaintext": blob
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Plaintext

The random byte string. When you use the HTTP API or the Amazon CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

Type: Base64-encoded binary data object

Length Constraints: Minimum length of 1. Maximum length of 4096.

Errors

For information about the errors that are common to all actions, see Common Errors.

CustomKeyStoreInvalidStateException

The request was rejected because of the ConnectionState of the custom key store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.

This exception is thrown under the following conditions:

  • You requested the ConnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or FAILED. This operation is valid for all other ConnectionState values. To reconnect a custom key store in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect it (ConnectCustomKeyStore).

  • You requested the CreateKey operation in a custom key store that is not connected. This operation is valid only when the custom key store ConnectionState is CONNECTED.

  • You requested the DisconnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation is valid for all other ConnectionState values.

  • You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not disconnected. This operation is valid only when the custom key store ConnectionState is DISCONNECTED.

  • You requested the GenerateRandom operation in an Amazon CloudHSM key store that is not connected. This operation is valid only when the Amazon CloudHSM key store ConnectionState is CONNECTED.

HTTP Status Code: 400

CustomKeyStoreNotFoundException

The request was rejected because Amazon KMS cannot find a custom key store with the specified key store name or ID.

HTTP Status Code: 400

DependencyTimeoutException

The system timed out while trying to fulfill the request. You can retry the request.

HTTP Status Code: 500

KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 500

UnsupportedOperationException

The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.

HTTP Status Code: 400

Examples

Example Request

The following example is formatted for legibility.

POST / HTTP/1.1
Host: kms.us-east-2.amazonaws.com
Content-Length: 21
X-Amz-Target: TrentService.GenerateRandom
X-Amz-Date: 20161114T215101Z
Content-Type: application/x-amz-json-1.1
Authorization: AWS4-HMAC-SHA256\
 Credential=AKIAI44QH8DHBEXAMPLE/20161114/us-east-2/kms/aws4_request,\
 SignedHeaders=content-type;host;x-amz-date;x-amz-target,\
 Signature=e3a0cfdbfb71fae5c89e422ad8322b6a44aed85bf68e3d11f3f315bbaa82ad22

{"NumberOfBytes": 32}

Example Response

This example illustrates one usage of GenerateRandom.

HTTP/1.1 200 OK
Server: Server
Date: Mon, 14 Nov 2016 21:51:02 GMT
Content-Type: application/x-amz-json-1.1
Content-Length: 60
Connection: keep-alive
x-amzn-RequestId: 6f79b0ad-aab4-11e6-971f-0f7b7e5b6782

{"Plaintext":"+Q2hxK6OBuU6K6ZIIBucFMCW2NJkhiSWDySSQyWp9zA="}
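The following added example (not part of the Amazon documentation, and not the Amazon SDK) shows the client-side handling this page implies when calling GenerateRandom over the HTTP API: validating NumberOfBytes and CustomKeyStoreId against the documented constraints before building the request body, Base64-decoding the Plaintext element and confirming it holds exactly the requested number of bytes, and separating the errors the page marks retryable (HTTP 500) from those it does not (HTTP 400). The request and response bodies are the ones shown in the examples above; signing and transport are left out.

```python
import base64
import json

# Response body copied from the Example Response on this page (32 random bytes).
EXAMPLE_RESPONSE_BODY = '{"Plaintext":"+Q2hxK6OBuU6K6ZIIBucFMCW2NJkhiSWDySSQyWp9zA="}'

# Classification taken from the Errors section: the two HTTP 500 errors are
# documented as retryable; the HTTP 400 errors indicate a request or key store
# problem that a retry will not fix.
RETRYABLE_ERRORS = {"DependencyTimeoutException", "KMSInternalException"}
NON_RETRYABLE_ERRORS = {
    "CustomKeyStoreInvalidStateException",
    "CustomKeyStoreNotFoundException",
    "UnsupportedOperationException",
}


def build_request(number_of_bytes, custom_key_store_id=None):
    """Return the JSON body for GenerateRandom, enforcing the documented ranges.

    NumberOfBytes must be 1..1024; CustomKeyStoreId, if given, must be 1..64 chars.
    """
    if not isinstance(number_of_bytes, int) or not 1 <= number_of_bytes <= 1024:
        raise ValueError("NumberOfBytes must be an integer from 1 to 1024")
    body = {"NumberOfBytes": number_of_bytes}
    if custom_key_store_id is not None:
        if not 1 <= len(custom_key_store_id) <= 64:
            raise ValueError("CustomKeyStoreId must be 1 to 64 characters long")
        body["CustomKeyStoreId"] = custom_key_store_id
    return json.dumps(body)


def parse_response(body, expected_len):
    """Decode the Base64 Plaintext of an HTTP API response and check its length."""
    plaintext_b64 = json.loads(body)["Plaintext"]
    raw = base64.b64decode(plaintext_b64, validate=True)
    if len(raw) != expected_len:
        raise ValueError(f"expected {expected_len} random bytes, got {len(raw)}")
    return raw


def is_retryable(error_type):
    """True for errors this page documents as retryable (HTTP 500)."""
    if error_type in RETRYABLE_ERRORS:
        return True
    if error_type in NON_RETRYABLE_ERRORS:
        return False
    raise ValueError(f"unknown GenerateRandom error type: {error_type}")
```

The request body for 32 bytes serializes to exactly the 21 characters that the example request's Content-Length header declares, and the example response decodes to 32 bytes.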

See Also

For more information about using this API in one of the language-specific Amazon SDKs, see the following: