authorJanusz Bialy <janusz.bialy@qlik.com>2019-02-19 15:22:35 -0500
committerJanusz Bialy <janusz.bialy@qlik.com>2019-03-23 15:04:20 -0400
commit4ae4005918a3f4cd4c7489c381fb648b1efe6429 (patch)
tree06b9d9bf70e31959f46b9b75dc98ac8e9a3513b8 /vendor/github.com
parentae85a25b943e803ebc3e127feb80360cfee4ea67 (diff)
vendor dependencies
Diffstat (limited to 'vendor/github.com')
-rw-r--r--vendor/github.com/aws/aws-sdk-go/service/kms/api.go10216
-rw-r--r--vendor/github.com/aws/aws-sdk-go/service/kms/doc.go98
-rw-r--r--vendor/github.com/aws/aws-sdk-go/service/kms/errors.go280
-rw-r--r--vendor/github.com/aws/aws-sdk-go/service/kms/service.go97
4 files changed, 10691 insertions, 0 deletions
diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/api.go b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go
new file mode 100644
index 00000000..e669ba46
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go
@@ -0,0 +1,10216 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+package kms
+
+import (
+ "fmt"
+ "time"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/awsutil"
+ "github.com/aws/aws-sdk-go/aws/request"
+ "github.com/aws/aws-sdk-go/private/protocol"
+ "github.com/aws/aws-sdk-go/private/protocol/jsonrpc"
+)
+
+const opCancelKeyDeletion = "CancelKeyDeletion"
+
+// CancelKeyDeletionRequest generates a "aws/request.Request" representing the
+// client's request for the CancelKeyDeletion operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See CancelKeyDeletion for more information on using the CancelKeyDeletion
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the CancelKeyDeletionRequest method.
+// req, resp := client.CancelKeyDeletionRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion
+func (c *KMS) CancelKeyDeletionRequest(input *CancelKeyDeletionInput) (req *request.Request, output *CancelKeyDeletionOutput) {
+ op := &request.Operation{
+ Name: opCancelKeyDeletion,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &CancelKeyDeletionInput{}
+ }
+
+ output = &CancelKeyDeletionOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// CancelKeyDeletion API operation for AWS Key Management Service.
+//
+// Cancels the deletion of a customer master key (CMK). When this operation
+// is successful, the CMK is set to the Disabled state. To enable a CMK, use
+// EnableKey. You cannot perform this operation on a CMK in a different AWS
+// account.
+//
+// For more information about scheduling and canceling deletion of a CMK, see
+// Deleting Customer Master Keys (http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation CancelKeyDeletion for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion
+func (c *KMS) CancelKeyDeletion(input *CancelKeyDeletionInput) (*CancelKeyDeletionOutput, error) {
+ req, out := c.CancelKeyDeletionRequest(input)
+ return out, req.Send()
+}
+
+// CancelKeyDeletionWithContext is the same as CancelKeyDeletion with the addition of
+// the ability to pass a context and additional request options.
+//
+// See CancelKeyDeletion for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) CancelKeyDeletionWithContext(ctx aws.Context, input *CancelKeyDeletionInput, opts ...request.Option) (*CancelKeyDeletionOutput, error) {
+ req, out := c.CancelKeyDeletionRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opConnectCustomKeyStore = "ConnectCustomKeyStore"
+
+// ConnectCustomKeyStoreRequest generates a "aws/request.Request" representing the
+// client's request for the ConnectCustomKeyStore operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ConnectCustomKeyStore for more information on using the ConnectCustomKeyStore
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the ConnectCustomKeyStoreRequest method.
+// req, resp := client.ConnectCustomKeyStoreRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore
+func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (req *request.Request, output *ConnectCustomKeyStoreOutput) {
+ op := &request.Operation{
+ Name: opConnectCustomKeyStore,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &ConnectCustomKeyStoreInput{}
+ }
+
+ output = &ConnectCustomKeyStoreOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// ConnectCustomKeyStore API operation for AWS Key Management Service.
+//
+// Connects or reconnects a custom key store (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html)
+// to its associated AWS CloudHSM cluster.
+//
+// The custom key store must be connected before you can create customer master
+// keys (CMKs) in the key store or use the CMKs it contains. You can disconnect
+// and reconnect a custom key store at any time.
+//
+// To connect a custom key store, its associated AWS CloudHSM cluster must have
+// at least one active HSM. To get the number of active HSMs in a cluster, use
+// the DescribeClusters (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters)
+// operation. To add HSMs to the cluster, use the CreateHsm (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm)
+// operation.
+//
+// The connection process can take an extended amount of time to complete; up
+// to 20 minutes. This operation starts the connection process, but it does
+// not wait for it to complete. When it succeeds, this operation quickly returns
+// an HTTP 200 response and a JSON object with no properties. However, this
+// response does not indicate that the custom key store is connected. To get
+// the connection state of the custom key store, use the DescribeCustomKeyStores
+// operation.
+//
+// During the connection process, AWS KMS finds the AWS CloudHSM cluster that
+// is associated with the custom key store, creates the connection infrastructure,
+// connects to the cluster, logs into the AWS CloudHSM client as the kmsuser
+// (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
+// crypto user (CU), and rotates its password.
+//
+// The ConnectCustomKeyStore operation might fail for various reasons. To find
+// the reason, use the DescribeCustomKeyStores operation and see the ConnectionErrorCode
+// in the response. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry.
+//
+// To fix the failure, use the DisconnectCustomKeyStore operation to disconnect
+// the custom key store, correct the error, use the UpdateCustomKeyStore operation
+// if necessary, and then use ConnectCustomKeyStore again.
+//
+// If you are having trouble connecting or disconnecting a custom key store,
+// see Troubleshooting a Custom Key Store (http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation ConnectCustomKeyStore for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeCloudHsmClusterNotActiveException "CloudHsmClusterNotActiveException"
+// The request was rejected because the AWS CloudHSM cluster that is associated
+// with the custom key store is not active. Initialize and activate the cluster
+// and try the command again. For detailed instructions, see Getting Started
+// (http://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
+// in the AWS CloudHSM User Guide.
+//
+// * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException"
+// The request was rejected because of the ConnectionState of the custom key
+// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
+// operation.
+//
+// This exception is thrown under the following conditions:
+//
+// * You requested the CreateKey or GenerateRandom operation in a custom
+// key store that is not connected. These operations are valid only when
+// the custom key store ConnectionState is CONNECTED.
+//
+// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
+// on a custom key store that is not disconnected. This operation is valid
+// only when the custom key store ConnectionState is DISCONNECTED.
+//
+// * You requested the ConnectCustomKeyStore operation on a custom key store
+// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
+// for all other ConnectionState values.
+//
+// * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException"
+// The request was rejected because AWS KMS cannot find a custom key store with
+// the specified key store name or ID.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeCloudHsmClusterInvalidConfigurationException "CloudHsmClusterInvalidConfigurationException"
+// The request was rejected because the associated AWS CloudHSM cluster did
+// not meet the configuration requirements for a custom key store. The cluster
+// must be configured with private subnets in at least two different Availability
+// Zones in the Region. Also, it must contain at least as many HSMs as the operation
+// requires.
+//
+// For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations,
+// the AWS CloudHSM cluster must have at least two active HSMs, each in a different
+// Availability Zone. For the ConnectCustomKeyStore operation, the AWS CloudHSM
+// must contain at least one active HSM.
+//
+// For information about creating a private subnet for a AWS CloudHSM cluster,
+// see Create a Private Subnet (http://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
+// in the AWS CloudHSM User Guide. To add HSMs, use the AWS CloudHSM CreateHsm
+// (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
+// operation.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore
+func (c *KMS) ConnectCustomKeyStore(input *ConnectCustomKeyStoreInput) (*ConnectCustomKeyStoreOutput, error) {
+ req, out := c.ConnectCustomKeyStoreRequest(input)
+ return out, req.Send()
+}
+
+// ConnectCustomKeyStoreWithContext is the same as ConnectCustomKeyStore with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ConnectCustomKeyStore for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) ConnectCustomKeyStoreWithContext(ctx aws.Context, input *ConnectCustomKeyStoreInput, opts ...request.Option) (*ConnectCustomKeyStoreOutput, error) {
+ req, out := c.ConnectCustomKeyStoreRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opCreateAlias = "CreateAlias"
+
+// CreateAliasRequest generates a "aws/request.Request" representing the
+// client's request for the CreateAlias operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See CreateAlias for more information on using the CreateAlias
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the CreateAliasRequest method.
+// req, resp := client.CreateAliasRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias
+func (c *KMS) CreateAliasRequest(input *CreateAliasInput) (req *request.Request, output *CreateAliasOutput) {
+ op := &request.Operation{
+ Name: opCreateAlias,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &CreateAliasInput{}
+ }
+
+ output = &CreateAliasOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// CreateAlias API operation for AWS Key Management Service.
+//
+// Creates a display name for a customer master key (CMK). You can use an alias
+// to identify a CMK in selected operations, such as Encrypt and GenerateDataKey.
+//
+// Each CMK can have multiple aliases, but each alias points to only one CMK.
+// The alias name must be unique in the AWS account and region. To simplify
+// code that runs in multiple regions, use the same alias name, but point it
+// to a different CMK in each region.
+//
+// Because an alias is not a property of a CMK, you can delete and change the
+// aliases of a CMK without affecting the CMK. Also, aliases do not appear in
+// the response from the DescribeKey operation. To get the aliases of all CMKs,
+// use the ListAliases operation.
+//
+// An alias must start with the word alias followed by a forward slash (alias/).
+// The alias name can contain only alphanumeric characters, forward slashes
+// (/), underscores (_), and dashes (-). Alias names cannot begin with aws;
+// that alias name prefix is reserved by Amazon Web Services (AWS).
+//
+// The alias and the CMK it is mapped to must be in the same AWS account and
+// the same region. You cannot perform this operation on an alias in a different
+// AWS account.
+//
+// To map an existing alias to a different CMK, call UpdateAlias.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation CreateAlias for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeAlreadyExistsException "AlreadyExistsException"
+// The request was rejected because it attempted to create a resource that already
+// exists.
+//
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInvalidAliasNameException "InvalidAliasNameException"
+// The request was rejected because the specified alias name is not valid.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeLimitExceededException "LimitExceededException"
+// The request was rejected because a limit was exceeded. For more information,
+// see Limits (http://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias
+func (c *KMS) CreateAlias(input *CreateAliasInput) (*CreateAliasOutput, error) {
+ req, out := c.CreateAliasRequest(input)
+ return out, req.Send()
+}
+
+// CreateAliasWithContext is the same as CreateAlias with the addition of
+// the ability to pass a context and additional request options.
+//
+// See CreateAlias for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) CreateAliasWithContext(ctx aws.Context, input *CreateAliasInput, opts ...request.Option) (*CreateAliasOutput, error) {
+ req, out := c.CreateAliasRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opCreateCustomKeyStore = "CreateCustomKeyStore"
+
+// CreateCustomKeyStoreRequest generates a "aws/request.Request" representing the
+// client's request for the CreateCustomKeyStore operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See CreateCustomKeyStore for more information on using the CreateCustomKeyStore
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the CreateCustomKeyStoreRequest method.
+// req, resp := client.CreateCustomKeyStoreRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore
+func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req *request.Request, output *CreateCustomKeyStoreOutput) {
+ op := &request.Operation{
+ Name: opCreateCustomKeyStore,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &CreateCustomKeyStoreInput{}
+ }
+
+ output = &CreateCustomKeyStoreOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// CreateCustomKeyStore API operation for AWS Key Management Service.
+//
+// Creates a custom key store (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html)
+// that is associated with an AWS CloudHSM cluster (http://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html)
+// that you own and manage.
+//
+// This operation is part of the Custom Key Store feature (http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
+// feature in AWS KMS, which combines the convenience and extensive integration
+// of AWS KMS with the isolation and control of a single-tenant key store.
+//
+// When the operation completes successfully, it returns the ID of the new custom
+// key store. Before you can use your new custom key store, you need to use
+// the ConnectCustomKeyStore operation to connect the new key store to its AWS
+// CloudHSM cluster.
+//
+// The CreateCustomKeyStore operation requires the following elements.
+//
+// * You must specify an active AWS CloudHSM cluster in the same account
+// and AWS Region as the custom key store. You can use an existing cluster
+// or create and activate a new AWS CloudHSM cluster (http://docs.aws.amazon.com/cloudhsm/latest/userguide/create-cluster.html)
+// for the key store. AWS KMS does not require exclusive use of the cluster.
+//
+// * You must include the content of the trust anchor certificate for the
+// cluster. You created this certificate, and saved it in the customerCA.crt
+// file, when you initialized the cluster (http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr).
+//
+// * You must provide the password of the dedicated kmsuser (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
+// crypto user (CU) account in the cluster.
+//
+// Before you create the custom key store, use the createUser (http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_mgmt_util-createUser.html)
+// command in cloudhsm_mgmt_util to create a crypto user (CU) named (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)kmsuserin
+// specified AWS CloudHSM cluster. AWS KMS uses the kmsuser CU account to
+// create and manage key material on your behalf. For instructions, see Create
+// the kmsuser Crypto User (http://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
+// in the AWS Key Management Service Developer Guide.
+//
+// The AWS CloudHSM cluster that you specify must meet the following requirements.
+//
+// * The cluster must be active and be in the same AWS account and Region
+// as the custom key store.
+//
+// * Each custom key store must be associated with a different AWS CloudHSM
+// cluster. The cluster cannot be associated with another custom key store
+// or have the same cluster certificate as a cluster that is associated with
+// another custom key store. To view the cluster certificate, use the AWS
+// CloudHSM DescribeClusters (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+// operation. Clusters that share a backup history have the same cluster
+// certificate.
+//
+// * The cluster must be configured with subnets in at least two different
+// Availability Zones in the Region. Because AWS CloudHSM is not supported
+// in all Availability Zones, we recommend that the cluster have subnets
+// in all Availability Zones in the Region.
+//
+// * The cluster must contain at least two active HSMs, each in a different
+// Availability Zone.
+//
+// New custom key stores are not automatically connected. After you create your
+// custom key store, use the ConnectCustomKeyStore operation to connect the
+// custom key store to its associated AWS CloudHSM cluster. Even if you are
+// not going to use your custom key store immediately, you might want to connect
+// it to verify that all settings are correct and then disconnect it until you
+// are ready to use it.
+//
+// If this operation succeeds, it returns the ID of the new custom key store.
+// For help with failures, see Troubleshoot a Custom Key Store (http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
+// in the AWS KMS Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation CreateCustomKeyStore for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeCloudHsmClusterInUseException "CloudHsmClusterInUseException"
+// The request was rejected because the specified AWS CloudHSM cluster is already
+// associated with a custom key store or it shares a backup history with a cluster
+// that is associated with a custom key store. Each custom key store must be
+// associated with a different AWS CloudHSM cluster.
+//
+// Clusters that share a backup history have the same cluster certificate. To
+// view the cluster certificate of a cluster, use the DescribeClusters (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+// operation.
+//
+// * ErrCodeCustomKeyStoreNameInUseException "CustomKeyStoreNameInUseException"
+// The request was rejected because the specified custom key store name is already
+// assigned to another custom key store in the account. Try again with a custom
+// key store name that is unique in the account.
+//
+// * ErrCodeCloudHsmClusterNotFoundException "CloudHsmClusterNotFoundException"
+// The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster
+// with the specified cluster ID. Retry the request with a different cluster
+// ID.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeCloudHsmClusterNotActiveException "CloudHsmClusterNotActiveException"
+// The request was rejected because the AWS CloudHSM cluster that is associated
+// with the custom key store is not active. Initialize and activate the cluster
+// and try the command again. For detailed instructions, see Getting Started
+// (http://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
+// in the AWS CloudHSM User Guide.
+//
+// * ErrCodeIncorrectTrustAnchorException "IncorrectTrustAnchorException"
+// The request was rejected because the trust anchor certificate in the request
+// is not the trust anchor certificate for the specified AWS CloudHSM cluster.
+//
+// When you initialize the cluster (http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
+// you create the trust anchor certificate and save it in the customerCA.crt
+// file.
+//
+// * ErrCodeCloudHsmClusterInvalidConfigurationException "CloudHsmClusterInvalidConfigurationException"
+// The request was rejected because the associated AWS CloudHSM cluster did
+// not meet the configuration requirements for a custom key store. The cluster
+// must be configured with private subnets in at least two different Availability
+// Zones in the Region. Also, it must contain at least as many HSMs as the operation
+// requires.
+//
+// For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations,
+// the AWS CloudHSM cluster must have at least two active HSMs, each in a different
+// Availability Zone. For the ConnectCustomKeyStore operation, the AWS CloudHSM
+// must contain at least one active HSM.
+//
+// For information about creating a private subnet for a AWS CloudHSM cluster,
+// see Create a Private Subnet (http://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
+// in the AWS CloudHSM User Guide. To add HSMs, use the AWS CloudHSM CreateHsm
+// (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
+// operation.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore
+func (c *KMS) CreateCustomKeyStore(input *CreateCustomKeyStoreInput) (*CreateCustomKeyStoreOutput, error) {
+ req, out := c.CreateCustomKeyStoreRequest(input)
+ return out, req.Send()
+}
+
+// CreateCustomKeyStoreWithContext is the same as CreateCustomKeyStore with the addition of
+// the ability to pass a context and additional request options.
+//
+// See CreateCustomKeyStore for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) CreateCustomKeyStoreWithContext(ctx aws.Context, input *CreateCustomKeyStoreInput, opts ...request.Option) (*CreateCustomKeyStoreOutput, error) {
+ req, out := c.CreateCustomKeyStoreRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opCreateGrant = "CreateGrant"
+
+// CreateGrantRequest generates a "aws/request.Request" representing the
+// client's request for the CreateGrant operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See CreateGrant for more information on using the CreateGrant
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the CreateGrantRequest method.
+// req, resp := client.CreateGrantRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant
+func (c *KMS) CreateGrantRequest(input *CreateGrantInput) (req *request.Request, output *CreateGrantOutput) {
+ op := &request.Operation{
+ Name: opCreateGrant,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &CreateGrantInput{}
+ }
+
+ output = &CreateGrantOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// CreateGrant API operation for AWS Key Management Service.
+//
+// Adds a grant to a customer master key (CMK). The grant specifies who can
+// use the CMK and under what conditions. When setting permissions, grants are
+// an alternative to key policies.
+//
+// To perform this operation on a CMK in a different AWS account, specify the
+// key ARN in the value of the KeyId parameter. For more information about grants,
+// see Grants (http://docs.aws.amazon.com/kms/latest/developerguide/grants.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation CreateGrant for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeDisabledException "DisabledException"
+// The request was rejected because the specified CMK is not enabled.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException"
+// The request was rejected because the specified grant token is not valid.
+//
+// * ErrCodeLimitExceededException "LimitExceededException"
+// The request was rejected because a limit was exceeded. For more information,
+// see Limits (http://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant
+func (c *KMS) CreateGrant(input *CreateGrantInput) (*CreateGrantOutput, error) {
+ req, out := c.CreateGrantRequest(input)
+ return out, req.Send()
+}
+
+// CreateGrantWithContext is the same as CreateGrant with the addition of
+// the ability to pass a context and additional request options.
+//
+// See CreateGrant for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) CreateGrantWithContext(ctx aws.Context, input *CreateGrantInput, opts ...request.Option) (*CreateGrantOutput, error) {
+ req, out := c.CreateGrantRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opCreateKey = "CreateKey"
+
+// CreateKeyRequest generates a "aws/request.Request" representing the
+// client's request for the CreateKey operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See CreateKey for more information on using the CreateKey
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the CreateKeyRequest method.
+// req, resp := client.CreateKeyRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey
+func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, output *CreateKeyOutput) {
+ op := &request.Operation{
+ Name: opCreateKey,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &CreateKeyInput{}
+ }
+
+ output = &CreateKeyOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// CreateKey API operation for AWS Key Management Service.
+//
+// Creates a customer master key (CMK) in the caller's AWS account.
+//
+// You can use a CMK to encrypt small amounts of data (4 KiB or less) directly,
+// but CMKs are more commonly used to encrypt data keys, which are used to encrypt
+// raw data. For more information about data keys and the difference between
+// CMKs and data keys, see the following:
+//
+// * The GenerateDataKey operation
+//
+// * AWS Key Management Service Concepts (http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html)
+// in the AWS Key Management Service Developer Guide
+//
+// If you plan to import key material (http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
+// use the Origin parameter with a value of EXTERNAL to create a CMK with no
+// key material.
+//
+// To create a CMK in a custom key store (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html),
+// use CustomKeyStoreId parameter to specify the custom key store. You must
+// also use the Origin parameter with a value of AWS_CLOUDHSM. The AWS CloudHSM
+// cluster that is associated with the custom key store must have at least two
+// active HSMs, each in a different Availability Zone in the Region.
+//
+// You cannot use this operation to create a CMK in a different AWS account.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation CreateKey for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocumentException"
+// The request was rejected because the specified policy is not syntactically
+// or semantically correct.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeUnsupportedOperationException "UnsupportedOperationException"
+// The request was rejected because a specified parameter is not supported or
+// a specified resource is not valid for this operation.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeLimitExceededException "LimitExceededException"
+// The request was rejected because a limit was exceeded. For more information,
+// see Limits (http://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// * ErrCodeTagException "TagException"
+// The request was rejected because one or more tags are not valid.
+//
+// * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException"
+// The request was rejected because AWS KMS cannot find a custom key store with
+// the specified key store name or ID.
+//
+// * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException"
+// The request was rejected because of the ConnectionState of the custom key
+// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
+// operation.
+//
+// This exception is thrown under the following conditions:
+//
+// * You requested the CreateKey or GenerateRandom operation in a custom
+// key store that is not connected. These operations are valid only when
+// the custom key store ConnectionState is CONNECTED.
+//
+// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
+// on a custom key store that is not disconnected. This operation is valid
+// only when the custom key store ConnectionState is DISCONNECTED.
+//
+// * You requested the ConnectCustomKeyStore operation on a custom key store
+// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
+// for all other ConnectionState values.
+//
+// * ErrCodeCloudHsmClusterInvalidConfigurationException "CloudHsmClusterInvalidConfigurationException"
+// The request was rejected because the associated AWS CloudHSM cluster did
+// not meet the configuration requirements for a custom key store. The cluster
+// must be configured with private subnets in at least two different Availability
+// Zones in the Region. Also, it must contain at least as many HSMs as the operation
+// requires.
+//
+// For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations,
+// the AWS CloudHSM cluster must have at least two active HSMs, each in a different
+// Availability Zone. For the ConnectCustomKeyStore operation, the AWS CloudHSM
+// must contain at least one active HSM.
+//
+// For information about creating a private subnet for a AWS CloudHSM cluster,
+// see Create a Private Subnet (http://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
+// in the AWS CloudHSM User Guide. To add HSMs, use the AWS CloudHSM CreateHsm
+// (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
+// operation.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey
+func (c *KMS) CreateKey(input *CreateKeyInput) (*CreateKeyOutput, error) {
+ req, out := c.CreateKeyRequest(input)
+ return out, req.Send()
+}
+
+// CreateKeyWithContext is the same as CreateKey with the addition of
+// the ability to pass a context and additional request options.
+//
+// See CreateKey for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) CreateKeyWithContext(ctx aws.Context, input *CreateKeyInput, opts ...request.Option) (*CreateKeyOutput, error) {
+ req, out := c.CreateKeyRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opDecrypt = "Decrypt"
+
+// DecryptRequest generates a "aws/request.Request" representing the
+// client's request for the Decrypt operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See Decrypt for more information on using the Decrypt
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the DecryptRequest method.
+// req, resp := client.DecryptRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt
+func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output *DecryptOutput) {
+ op := &request.Operation{
+ Name: opDecrypt,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &DecryptInput{}
+ }
+
+ output = &DecryptOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// Decrypt API operation for AWS Key Management Service.
+//
+// Decrypts ciphertext. Ciphertext is plaintext that has been previously encrypted
+// by using any of the following operations:
+//
+// * GenerateDataKey
+//
+// * GenerateDataKeyWithoutPlaintext
+//
+// * Encrypt
+//
+// Note that if a caller has been granted access permissions to all keys (through,
+// for example, IAM user policies that grant Decrypt permission on all resources),
+// then ciphertext encrypted by using keys in other accounts where the key grants
+// access to the caller can be decrypted. To remedy this, we recommend that
+// you do not grant Decrypt access in an IAM user policy. Instead grant Decrypt
+// access only in key policies. If you must grant Decrypt access in an IAM user
+// policy, you should scope the resource to specific keys or to specific trusted
+// accounts.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation Decrypt for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeDisabledException "DisabledException"
+// The request was rejected because the specified CMK is not enabled.
+//
+// * ErrCodeInvalidCiphertextException "InvalidCiphertextException"
+// The request was rejected because the specified ciphertext, or additional
+// authenticated data incorporated into the ciphertext, such as the encryption
+// context, is corrupted, missing, or otherwise invalid.
+//
+// * ErrCodeKeyUnavailableException "KeyUnavailableException"
+// The request was rejected because the specified CMK was not available. The
+// request can be retried.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException"
+// The request was rejected because the specified grant token is not valid.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt
+func (c *KMS) Decrypt(input *DecryptInput) (*DecryptOutput, error) {
+ req, out := c.DecryptRequest(input)
+ return out, req.Send()
+}
+
+// DecryptWithContext is the same as Decrypt with the addition of
+// the ability to pass a context and additional request options.
+//
+// See Decrypt for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) DecryptWithContext(ctx aws.Context, input *DecryptInput, opts ...request.Option) (*DecryptOutput, error) {
+ req, out := c.DecryptRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opDeleteAlias = "DeleteAlias"
+
+// DeleteAliasRequest generates a "aws/request.Request" representing the
+// client's request for the DeleteAlias operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DeleteAlias for more information on using the DeleteAlias
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the DeleteAliasRequest method.
+// req, resp := client.DeleteAliasRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias
+func (c *KMS) DeleteAliasRequest(input *DeleteAliasInput) (req *request.Request, output *DeleteAliasOutput) {
+ op := &request.Operation{
+ Name: opDeleteAlias,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &DeleteAliasInput{}
+ }
+
+ output = &DeleteAliasOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// DeleteAlias API operation for AWS Key Management Service.
+//
+// Deletes the specified alias. You cannot perform this operation on an alias
+// in a different AWS account.
+//
+// Because an alias is not a property of a CMK, you can delete and change the
+// aliases of a CMK without affecting the CMK. Also, aliases do not appear in
+// the response from the DescribeKey operation. To get the aliases of all CMKs,
+// use the ListAliases operation.
+//
+// Each CMK can have multiple aliases. To change the alias of a CMK, use DeleteAlias
+// to delete the current alias and CreateAlias to create a new alias. To associate
+// an existing alias with a different customer master key (CMK), call UpdateAlias.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation DeleteAlias for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias
+func (c *KMS) DeleteAlias(input *DeleteAliasInput) (*DeleteAliasOutput, error) {
+ req, out := c.DeleteAliasRequest(input)
+ return out, req.Send()
+}
+
+// DeleteAliasWithContext is the same as DeleteAlias with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DeleteAlias for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) DeleteAliasWithContext(ctx aws.Context, input *DeleteAliasInput, opts ...request.Option) (*DeleteAliasOutput, error) {
+ req, out := c.DeleteAliasRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opDeleteCustomKeyStore = "DeleteCustomKeyStore"
+
+// DeleteCustomKeyStoreRequest generates a "aws/request.Request" representing the
+// client's request for the DeleteCustomKeyStore operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DeleteCustomKeyStore for more information on using the DeleteCustomKeyStore
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the DeleteCustomKeyStoreRequest method.
+// req, resp := client.DeleteCustomKeyStoreRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore
+func (c *KMS) DeleteCustomKeyStoreRequest(input *DeleteCustomKeyStoreInput) (req *request.Request, output *DeleteCustomKeyStoreOutput) {
+ op := &request.Operation{
+ Name: opDeleteCustomKeyStore,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &DeleteCustomKeyStoreInput{}
+ }
+
+ output = &DeleteCustomKeyStoreOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// DeleteCustomKeyStore API operation for AWS Key Management Service.
+//
+// Deletes a custom key store (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html).
+// This operation does not delete the AWS CloudHSM cluster that is associated
+// with the custom key store, or affect any users or keys in the cluster.
+//
+// The custom key store that you delete cannot contain any AWS KMS customer
+// master keys (CMKs) (http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys).
+// Before deleting the key store, verify that you will never need to use any
+// of the CMKs in the key store for any cryptographic operations. Then, use
+// ScheduleKeyDeletion to delete the AWS KMS customer master keys (CMKs) from
+// the key store. When the scheduled waiting period expires, the ScheduleKeyDeletion
+// operation deletes the CMKs. Then it makes a best effort to delete the key
+// material from the associated cluster. However, you might need to manually
+// delete the orphaned key material (http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key)
+// from the cluster and its backups.
+//
+// After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore to
+// disconnect the key store from AWS KMS. Then, you can delete the custom key
+// store.
+//
+// Instead of deleting the custom key store, consider using DisconnectCustomKeyStore
+// to disconnect it from AWS KMS. While the key store is disconnected, you cannot
+// create or use the CMKs in the key store. But, you do not need to delete CMKs
+// and you can reconnect a disconnected custom key store at any time.
+//
+// If the operation succeeds, it returns a JSON object with no properties.
+//
+// This operation is part of the Custom Key Store feature (http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
+// feature in AWS KMS, which combines the convenience and extensive integration
+// of AWS KMS with the isolation and control of a single-tenant key store.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation DeleteCustomKeyStore for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeCustomKeyStoreHasCMKsException "CustomKeyStoreHasCMKsException"
+// The request was rejected because the custom key store contains AWS KMS customer
+// master keys (CMKs). After verifying that you do not need to use the CMKs,
+// use the ScheduleKeyDeletion operation to delete the CMKs. After they are
+// deleted, you can delete the custom key store.
+//
+// * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException"
+// The request was rejected because of the ConnectionState of the custom key
+// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
+// operation.
+//
+// This exception is thrown under the following conditions:
+//
+// * You requested the CreateKey or GenerateRandom operation in a custom
+// key store that is not connected. These operations are valid only when
+// the custom key store ConnectionState is CONNECTED.
+//
+// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
+// on a custom key store that is not disconnected. This operation is valid
+// only when the custom key store ConnectionState is DISCONNECTED.
+//
+// * You requested the ConnectCustomKeyStore operation on a custom key store
+// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
+// for all other ConnectionState values.
+//
+// * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException"
+// The request was rejected because AWS KMS cannot find a custom key store with
+// the specified key store name or ID.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore
+func (c *KMS) DeleteCustomKeyStore(input *DeleteCustomKeyStoreInput) (*DeleteCustomKeyStoreOutput, error) {
+ req, out := c.DeleteCustomKeyStoreRequest(input)
+ return out, req.Send()
+}
+
+// DeleteCustomKeyStoreWithContext is the same as DeleteCustomKeyStore with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DeleteCustomKeyStore for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) DeleteCustomKeyStoreWithContext(ctx aws.Context, input *DeleteCustomKeyStoreInput, opts ...request.Option) (*DeleteCustomKeyStoreOutput, error) {
+ req, out := c.DeleteCustomKeyStoreRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opDeleteImportedKeyMaterial = "DeleteImportedKeyMaterial"
+
+// DeleteImportedKeyMaterialRequest generates a "aws/request.Request" representing the
+// client's request for the DeleteImportedKeyMaterial operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DeleteImportedKeyMaterial for more information on using the DeleteImportedKeyMaterial
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the DeleteImportedKeyMaterialRequest method.
+// req, resp := client.DeleteImportedKeyMaterialRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial
+func (c *KMS) DeleteImportedKeyMaterialRequest(input *DeleteImportedKeyMaterialInput) (req *request.Request, output *DeleteImportedKeyMaterialOutput) {
+ op := &request.Operation{
+ Name: opDeleteImportedKeyMaterial,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &DeleteImportedKeyMaterialInput{}
+ }
+
+ output = &DeleteImportedKeyMaterialOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// DeleteImportedKeyMaterial API operation for AWS Key Management Service.
+//
+// Deletes key material that you previously imported. This operation makes the
+// specified customer master key (CMK) unusable. For more information about
+// importing key material into AWS KMS, see Importing Key Material (http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
+// in the AWS Key Management Service Developer Guide. You cannot perform this
+// operation on a CMK in a different AWS account.
+//
+// When the specified CMK is in the PendingDeletion state, this operation does
+// not change the CMK's state. Otherwise, it changes the CMK's state to PendingImport.
+//
+// After you delete key material, you can use ImportKeyMaterial to reimport
+// the same key material into the CMK.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation DeleteImportedKeyMaterial for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeUnsupportedOperationException "UnsupportedOperationException"
+// The request was rejected because a specified parameter is not supported or
+// a specified resource is not valid for this operation.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial
+func (c *KMS) DeleteImportedKeyMaterial(input *DeleteImportedKeyMaterialInput) (*DeleteImportedKeyMaterialOutput, error) {
+ req, out := c.DeleteImportedKeyMaterialRequest(input)
+ return out, req.Send()
+}
+
+// DeleteImportedKeyMaterialWithContext is the same as DeleteImportedKeyMaterial with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DeleteImportedKeyMaterial for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) DeleteImportedKeyMaterialWithContext(ctx aws.Context, input *DeleteImportedKeyMaterialInput, opts ...request.Option) (*DeleteImportedKeyMaterialOutput, error) {
+ req, out := c.DeleteImportedKeyMaterialRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opDescribeCustomKeyStores = "DescribeCustomKeyStores"
+
+// DescribeCustomKeyStoresRequest generates a "aws/request.Request" representing the
+// client's request for the DescribeCustomKeyStores operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DescribeCustomKeyStores for more information on using the DescribeCustomKeyStores
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the DescribeCustomKeyStoresRequest method.
+// req, resp := client.DescribeCustomKeyStoresRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores
+func (c *KMS) DescribeCustomKeyStoresRequest(input *DescribeCustomKeyStoresInput) (req *request.Request, output *DescribeCustomKeyStoresOutput) {
+ op := &request.Operation{
+ Name: opDescribeCustomKeyStores,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &DescribeCustomKeyStoresInput{}
+ }
+
+ output = &DescribeCustomKeyStoresOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// DescribeCustomKeyStores API operation for AWS Key Management Service.
+//
+// Gets information about custom key stores (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html)
+// in the account and region.
+//
+// This operation is part of the Custom Key Store feature (http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
+// feature in AWS KMS, which combines the convenience and extensive integration
+// of AWS KMS with the isolation and control of a single-tenant key store.
+//
+// By default, this operation returns information about all custom key stores
+// in the account and region. To get only information about a particular custom
+// key store, use either the CustomKeyStoreName or CustomKeyStoreId parameter
+// (but not both).
+//
+// To determine whether the custom key store is connected to its AWS CloudHSM
+// cluster, use the ConnectionState element in the response. If an attempt to
+// connect the custom key store failed, the ConnectionState value is FAILED
+// and the ConnectionErrorCode element in the response indicates the cause of
+// the failure. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry.
+//
+// Custom key stores have a DISCONNECTED connection state if the key store has
+// never been connected or you use the DisconnectCustomKeyStore operation to
+// disconnect it. If your custom key store state is CONNECTED but you are having
+// trouble using it, make sure that its associated AWS CloudHSM cluster is active
+// and contains the minimum number of HSMs required for the operation, if any.
+//
+// For help repairing your custom key store, see the Troubleshooting Custom
+// Key Stores (http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore-html)
+// topic in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation DescribeCustomKeyStores for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException"
+// The request was rejected because AWS KMS cannot find a custom key store with
+// the specified key store name or ID.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores
+func (c *KMS) DescribeCustomKeyStores(input *DescribeCustomKeyStoresInput) (*DescribeCustomKeyStoresOutput, error) {
+ req, out := c.DescribeCustomKeyStoresRequest(input)
+ return out, req.Send()
+}
+
+// DescribeCustomKeyStoresWithContext is the same as DescribeCustomKeyStores with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DescribeCustomKeyStores for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) DescribeCustomKeyStoresWithContext(ctx aws.Context, input *DescribeCustomKeyStoresInput, opts ...request.Option) (*DescribeCustomKeyStoresOutput, error) {
+ req, out := c.DescribeCustomKeyStoresRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opDescribeKey = "DescribeKey"
+
+// DescribeKeyRequest generates a "aws/request.Request" representing the
+// client's request for the DescribeKey operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DescribeKey for more information on using the DescribeKey
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the DescribeKeyRequest method.
+// req, resp := client.DescribeKeyRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey
+func (c *KMS) DescribeKeyRequest(input *DescribeKeyInput) (req *request.Request, output *DescribeKeyOutput) {
+ op := &request.Operation{
+ Name: opDescribeKey,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &DescribeKeyInput{}
+ }
+
+ output = &DescribeKeyOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// DescribeKey API operation for AWS Key Management Service.
+//
+// Provides detailed information about the specified customer master key (CMK).
+//
+// If you use DescribeKey on a predefined AWS alias, that is, an AWS alias with
+// no key ID, AWS KMS associates the alias with an AWS managed CMK (http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys)
+// and returns its KeyId and Arn in the response.
+//
+// To perform this operation on a CMK in a different AWS account, specify the
+// key ARN or alias ARN in the value of the KeyId parameter.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation DescribeKey for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey
+func (c *KMS) DescribeKey(input *DescribeKeyInput) (*DescribeKeyOutput, error) {
+ req, out := c.DescribeKeyRequest(input)
+ return out, req.Send()
+}
+
+// DescribeKeyWithContext is the same as DescribeKey with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DescribeKey for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) DescribeKeyWithContext(ctx aws.Context, input *DescribeKeyInput, opts ...request.Option) (*DescribeKeyOutput, error) {
+ req, out := c.DescribeKeyRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opDisableKey = "DisableKey"
+
+// DisableKeyRequest generates a "aws/request.Request" representing the
+// client's request for the DisableKey operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DisableKey for more information on using the DisableKey
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the DisableKeyRequest method.
+// req, resp := client.DisableKeyRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey
+func (c *KMS) DisableKeyRequest(input *DisableKeyInput) (req *request.Request, output *DisableKeyOutput) {
+ op := &request.Operation{
+ Name: opDisableKey,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &DisableKeyInput{}
+ }
+
+ output = &DisableKeyOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// DisableKey API operation for AWS Key Management Service.
+//
+// Sets the state of a customer master key (CMK) to disabled, thereby preventing
+// its use for cryptographic operations. You cannot perform this operation on
+// a CMK in a different AWS account.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects the Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation DisableKey for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey
+func (c *KMS) DisableKey(input *DisableKeyInput) (*DisableKeyOutput, error) {
+ req, out := c.DisableKeyRequest(input)
+ return out, req.Send()
+}
+
+// DisableKeyWithContext is the same as DisableKey with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DisableKey for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) DisableKeyWithContext(ctx aws.Context, input *DisableKeyInput, opts ...request.Option) (*DisableKeyOutput, error) {
+ req, out := c.DisableKeyRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opDisableKeyRotation = "DisableKeyRotation"
+
+// DisableKeyRotationRequest generates a "aws/request.Request" representing the
+// client's request for the DisableKeyRotation operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DisableKeyRotation for more information on using the DisableKeyRotation
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the DisableKeyRotationRequest method.
+// req, resp := client.DisableKeyRotationRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation
+func (c *KMS) DisableKeyRotationRequest(input *DisableKeyRotationInput) (req *request.Request, output *DisableKeyRotationOutput) {
+ op := &request.Operation{
+ Name: opDisableKeyRotation,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &DisableKeyRotationInput{}
+ }
+
+ output = &DisableKeyRotationOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// DisableKeyRotation API operation for AWS Key Management Service.
+//
+// Disables automatic rotation of the key material (http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
+// for the specified customer master key (CMK). You cannot perform this operation
+// on a CMK in a different AWS account.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation DisableKeyRotation for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeDisabledException "DisabledException"
+// The request was rejected because the specified CMK is not enabled.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// * ErrCodeUnsupportedOperationException "UnsupportedOperationException"
+// The request was rejected because a specified parameter is not supported or
+// a specified resource is not valid for this operation.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation
+func (c *KMS) DisableKeyRotation(input *DisableKeyRotationInput) (*DisableKeyRotationOutput, error) {
+ req, out := c.DisableKeyRotationRequest(input)
+ return out, req.Send()
+}
+
+// DisableKeyRotationWithContext is the same as DisableKeyRotation with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DisableKeyRotation for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) DisableKeyRotationWithContext(ctx aws.Context, input *DisableKeyRotationInput, opts ...request.Option) (*DisableKeyRotationOutput, error) {
+ req, out := c.DisableKeyRotationRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opDisconnectCustomKeyStore = "DisconnectCustomKeyStore"
+
+// DisconnectCustomKeyStoreRequest generates a "aws/request.Request" representing the
+// client's request for the DisconnectCustomKeyStore operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DisconnectCustomKeyStore for more information on using the DisconnectCustomKeyStore
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the DisconnectCustomKeyStoreRequest method.
+// req, resp := client.DisconnectCustomKeyStoreRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore
+func (c *KMS) DisconnectCustomKeyStoreRequest(input *DisconnectCustomKeyStoreInput) (req *request.Request, output *DisconnectCustomKeyStoreOutput) {
+ op := &request.Operation{
+ Name: opDisconnectCustomKeyStore,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &DisconnectCustomKeyStoreInput{}
+ }
+
+ output = &DisconnectCustomKeyStoreOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// DisconnectCustomKeyStore API operation for AWS Key Management Service.
+//
+// Disconnects the custom key store (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html)
+// from its associated AWS CloudHSM cluster. While a custom key store is disconnected,
+// you can manage the custom key store and its customer master keys (CMKs),
+// but you cannot create or use CMKs in the custom key store. You can reconnect
+// the custom key store at any time.
+//
+// While a custom key store is disconnected, all attempts to create customer
+// master keys (CMKs) in the custom key store or to use existing CMKs in cryptographic
+// operations will fail. This action can prevent users from storing and accessing
+// sensitive data.
+//
+// To find the connection state of a custom key store, use the DescribeCustomKeyStoresoperation. To reconnect a custom key store, use the ConnectCustomKeyStoreoperation.
+//
+// If the operation succeeds, it returns a JSON object with no properties.
+//
+// This operation is part of the Custom Key Store feature (http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation DisconnectCustomKeyStore for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException"
+// The request was rejected because of the ConnectionState of the custom key
+// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
+// operation.
+//
+// This exception is thrown under the following conditions:
+//
+// * You requested the CreateKey or GenerateRandom operation in a custom
+// key store that is not connected. These operations are valid only when
+// the custom key store ConnectionState is CONNECTED.
+//
+// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
+// on a custom key store that is not disconnected. This operation is valid
+// only when the custom key store ConnectionState is DISCONNECTED.
+//
+// * You requested the ConnectCustomKeyStore operation on a custom key store
+// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
+// for all other ConnectionState values.
+//
+// * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException"
+// The request was rejected because AWS KMS cannot find a custom key store with
+// the specified key store name or ID.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore
+func (c *KMS) DisconnectCustomKeyStore(input *DisconnectCustomKeyStoreInput) (*DisconnectCustomKeyStoreOutput, error) {
+ req, out := c.DisconnectCustomKeyStoreRequest(input)
+ return out, req.Send()
+}
+
+// DisconnectCustomKeyStoreWithContext is the same as DisconnectCustomKeyStore with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DisconnectCustomKeyStore for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) DisconnectCustomKeyStoreWithContext(ctx aws.Context, input *DisconnectCustomKeyStoreInput, opts ...request.Option) (*DisconnectCustomKeyStoreOutput, error) {
+ req, out := c.DisconnectCustomKeyStoreRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opEnableKey = "EnableKey"
+
+// EnableKeyRequest generates a "aws/request.Request" representing the
+// client's request for the EnableKey operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See EnableKey for more information on using the EnableKey
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the EnableKeyRequest method.
+// req, resp := client.EnableKeyRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey
+func (c *KMS) EnableKeyRequest(input *EnableKeyInput) (req *request.Request, output *EnableKeyOutput) {
+ op := &request.Operation{
+ Name: opEnableKey,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &EnableKeyInput{}
+ }
+
+ output = &EnableKeyOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// EnableKey API operation for AWS Key Management Service.
+//
+// Sets the key state of a customer master key (CMK) to enabled. This allows
+// you to use the CMK for cryptographic operations. You cannot perform this
+// operation on a CMK in a different AWS account.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation EnableKey for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeLimitExceededException "LimitExceededException"
+// The request was rejected because a limit was exceeded. For more information,
+// see Limits (http://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey
+func (c *KMS) EnableKey(input *EnableKeyInput) (*EnableKeyOutput, error) {
+ req, out := c.EnableKeyRequest(input)
+ return out, req.Send()
+}
+
+// EnableKeyWithContext is the same as EnableKey with the addition of
+// the ability to pass a context and additional request options.
+//
+// See EnableKey for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) EnableKeyWithContext(ctx aws.Context, input *EnableKeyInput, opts ...request.Option) (*EnableKeyOutput, error) {
+ req, out := c.EnableKeyRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opEnableKeyRotation = "EnableKeyRotation"
+
+// EnableKeyRotationRequest generates a "aws/request.Request" representing the
+// client's request for the EnableKeyRotation operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See EnableKeyRotation for more information on using the EnableKeyRotation
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the EnableKeyRotationRequest method.
+// req, resp := client.EnableKeyRotationRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation
+func (c *KMS) EnableKeyRotationRequest(input *EnableKeyRotationInput) (req *request.Request, output *EnableKeyRotationOutput) {
+ op := &request.Operation{
+ Name: opEnableKeyRotation,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &EnableKeyRotationInput{}
+ }
+
+ output = &EnableKeyRotationOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// EnableKeyRotation API operation for AWS Key Management Service.
+//
+// Enables automatic rotation of the key material (http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
+// for the specified customer master key (CMK). You cannot perform this operation
+// on a CMK in a different AWS account.
+//
+// You cannot enable automatic rotation of CMKs with imported key material or
+// CMKs in a custom key store (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html).
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation EnableKeyRotation for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeDisabledException "DisabledException"
+// The request was rejected because the specified CMK is not enabled.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// * ErrCodeUnsupportedOperationException "UnsupportedOperationException"
+// The request was rejected because a specified parameter is not supported or
+// a specified resource is not valid for this operation.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation
+func (c *KMS) EnableKeyRotation(input *EnableKeyRotationInput) (*EnableKeyRotationOutput, error) {
+ req, out := c.EnableKeyRotationRequest(input)
+ return out, req.Send()
+}
+
+// EnableKeyRotationWithContext is the same as EnableKeyRotation with the addition of
+// the ability to pass a context and additional request options.
+//
+// See EnableKeyRotation for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) EnableKeyRotationWithContext(ctx aws.Context, input *EnableKeyRotationInput, opts ...request.Option) (*EnableKeyRotationOutput, error) {
+ req, out := c.EnableKeyRotationRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opEncrypt = "Encrypt"
+
+// EncryptRequest generates a "aws/request.Request" representing the
+// client's request for the Encrypt operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See Encrypt for more information on using the Encrypt
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the EncryptRequest method.
+// req, resp := client.EncryptRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt
+func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output *EncryptOutput) {
+ op := &request.Operation{
+ Name: opEncrypt,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &EncryptInput{}
+ }
+
+ output = &EncryptOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// Encrypt API operation for AWS Key Management Service.
+//
+// Encrypts plaintext into ciphertext by using a customer master key (CMK).
+// The Encrypt operation has two primary use cases:
+//
+// * You can encrypt up to 4 kilobytes (4096 bytes) of arbitrary data such
+// as an RSA key, a database password, or other sensitive information.
+//
+// * To move encrypted data from one AWS region to another, you can use this
+// operation to encrypt in the new region the plaintext data key that was
+// used to encrypt the data in the original region. This provides you with
+// an encrypted copy of the data key that can be decrypted in the new region
+// and used there to decrypt the encrypted data.
+//
+// To perform this operation on a CMK in a different AWS account, specify the
+// key ARN or alias ARN in the value of the KeyId parameter.
+//
+// Unless you are moving encrypted data from one region to another, you don't
+// use this operation to encrypt a generated data key within a region. To get
+// data keys that are already encrypted, call the GenerateDataKey or GenerateDataKeyWithoutPlaintext
+// operation. Data keys don't need to be encrypted again by calling Encrypt.
+//
+// To encrypt data locally in your application, use the GenerateDataKey operation
+// to return a plaintext data encryption key and a copy of the key encrypted
+// under the CMK of your choosing.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation Encrypt for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeDisabledException "DisabledException"
+// The request was rejected because the specified CMK is not enabled.
+//
+// * ErrCodeKeyUnavailableException "KeyUnavailableException"
+// The request was rejected because the specified CMK was not available. The
+// request can be retried.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException"
+// The request was rejected because the specified KeySpec value is not valid.
+//
+// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException"
+// The request was rejected because the specified grant token is not valid.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt
+func (c *KMS) Encrypt(input *EncryptInput) (*EncryptOutput, error) {
+ req, out := c.EncryptRequest(input)
+ return out, req.Send()
+}
+
+// EncryptWithContext is the same as Encrypt with the addition of
+// the ability to pass a context and additional request options.
+//
+// See Encrypt for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) EncryptWithContext(ctx aws.Context, input *EncryptInput, opts ...request.Option) (*EncryptOutput, error) {
+ req, out := c.EncryptRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opGenerateDataKey = "GenerateDataKey"
+
+// GenerateDataKeyRequest generates a "aws/request.Request" representing the
+// client's request for the GenerateDataKey operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See GenerateDataKey for more information on using the GenerateDataKey
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the GenerateDataKeyRequest method.
+// req, resp := client.GenerateDataKeyRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey
+func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request.Request, output *GenerateDataKeyOutput) {
+ op := &request.Operation{
+ Name: opGenerateDataKey,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &GenerateDataKeyInput{}
+ }
+
+ output = &GenerateDataKeyOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// GenerateDataKey API operation for AWS Key Management Service.
+//
+// Returns a data encryption key that you can use in your application to encrypt
+// data locally.
+//
+// You must specify the customer master key (CMK) under which to generate the
+// data key. You must also specify the length of the data key using either the
+// KeySpec or NumberOfBytes field. You must specify one field or the other,
+// but not both. For common key lengths (128-bit and 256-bit symmetric keys),
+// we recommend that you use KeySpec. To perform this operation on a CMK in
+// a different AWS account, specify the key ARN or alias ARN in the value of
+// the KeyId parameter.
+//
+// This operation returns a plaintext copy of the data key in the Plaintext
+// field of the response, and an encrypted copy of the data key in the CiphertextBlob
+// field. The data key is encrypted under the CMK specified in the KeyId field
+// of the request.
+//
+// We recommend that you use the following pattern to encrypt data locally in
+// your application:
+//
+// Use this operation (GenerateDataKey) to get a data encryption key.
+//
+// Use the plaintext data encryption key (returned in the Plaintext field of
+// the response) to encrypt data locally, then erase the plaintext data key
+// from memory.
+//
+// Store the encrypted data key (returned in the CiphertextBlob field of the
+// response) alongside the locally encrypted data.
+//
+// To decrypt data locally:
+//
+// Use the Decrypt operation to decrypt the encrypted data key into a plaintext
+// copy of the data key.
+//
+// Use the plaintext data key to decrypt data locally, then erase the plaintext
+// data key from memory.
+//
+// To return only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext.
+// To return a random byte string that is cryptographically secure, use GenerateRandom.
+//
+// If you use the optional EncryptionContext field, you must store at least
+// enough information to be able to reconstruct the full encryption context
+// when you later send the ciphertext to the Decrypt operation. It is a good
+// practice to choose an encryption context that you can reconstruct on the
+// fly to better secure the ciphertext. For more information, see Encryption
+// Context (http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation GenerateDataKey for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeDisabledException "DisabledException"
+// The request was rejected because the specified CMK is not enabled.
+//
+// * ErrCodeKeyUnavailableException "KeyUnavailableException"
+// The request was rejected because the specified CMK was not available. The
+// request can be retried.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException"
+// The request was rejected because the specified KeySpec value is not valid.
+//
+// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException"
+// The request was rejected because the specified grant token is not valid.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey
+func (c *KMS) GenerateDataKey(input *GenerateDataKeyInput) (*GenerateDataKeyOutput, error) {
+ req, out := c.GenerateDataKeyRequest(input)
+ return out, req.Send()
+}
+
+// GenerateDataKeyWithContext is the same as GenerateDataKey with the addition of
+// the ability to pass a context and additional request options.
+//
+// See GenerateDataKey for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) GenerateDataKeyWithContext(ctx aws.Context, input *GenerateDataKeyInput, opts ...request.Option) (*GenerateDataKeyOutput, error) {
+ req, out := c.GenerateDataKeyRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opGenerateDataKeyWithoutPlaintext = "GenerateDataKeyWithoutPlaintext"
+
+// GenerateDataKeyWithoutPlaintextRequest generates a "aws/request.Request" representing the
+// client's request for the GenerateDataKeyWithoutPlaintext operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See GenerateDataKeyWithoutPlaintext for more information on using the GenerateDataKeyWithoutPlaintext
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the GenerateDataKeyWithoutPlaintextRequest method.
+// req, resp := client.GenerateDataKeyWithoutPlaintextRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
+func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWithoutPlaintextInput) (req *request.Request, output *GenerateDataKeyWithoutPlaintextOutput) {
+ op := &request.Operation{
+ Name: opGenerateDataKeyWithoutPlaintext,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &GenerateDataKeyWithoutPlaintextInput{}
+ }
+
+ output = &GenerateDataKeyWithoutPlaintextOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// GenerateDataKeyWithoutPlaintext API operation for AWS Key Management Service.
+//
+// Returns a data encryption key encrypted under a customer master key (CMK).
+// This operation is identical to GenerateDataKey but returns only the encrypted
+// copy of the data key.
+//
+// To perform this operation on a CMK in a different AWS account, specify the
+// key ARN or alias ARN in the value of the KeyId parameter.
+//
+// This operation is useful in a system that has multiple components with different
+// degrees of trust. For example, consider a system that stores encrypted data
+// in containers. Each container stores the encrypted data and an encrypted
+// copy of the data key. One component of the system, called the control plane,
+// creates new containers. When it creates a new container, it uses this operation
+// (GenerateDataKeyWithoutPlaintext) to get an encrypted data key and then stores
+// it in the container. Later, a different component of the system, called the
+// data plane, puts encrypted data into the containers. To do this, it passes
+// the encrypted data key to the Decrypt operation, then uses the returned plaintext
+// data key to encrypt data, and finally stores the encrypted data in the container.
+// In this system, the control plane never sees the plaintext data key.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation GenerateDataKeyWithoutPlaintext for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeDisabledException "DisabledException"
+// The request was rejected because the specified CMK is not enabled.
+//
+// * ErrCodeKeyUnavailableException "KeyUnavailableException"
+// The request was rejected because the specified CMK was not available. The
+// request can be retried.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException"
+// The request was rejected because the specified KeySpec value is not valid.
+//
+// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException"
+// The request was rejected because the specified grant token is not valid.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
+func (c *KMS) GenerateDataKeyWithoutPlaintext(input *GenerateDataKeyWithoutPlaintextInput) (*GenerateDataKeyWithoutPlaintextOutput, error) {
+ req, out := c.GenerateDataKeyWithoutPlaintextRequest(input)
+ return out, req.Send()
+}
+
+// GenerateDataKeyWithoutPlaintextWithContext is the same as GenerateDataKeyWithoutPlaintext with the addition of
+// the ability to pass a context and additional request options.
+//
+// See GenerateDataKeyWithoutPlaintext for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) GenerateDataKeyWithoutPlaintextWithContext(ctx aws.Context, input *GenerateDataKeyWithoutPlaintextInput, opts ...request.Option) (*GenerateDataKeyWithoutPlaintextOutput, error) {
+ req, out := c.GenerateDataKeyWithoutPlaintextRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opGenerateRandom = "GenerateRandom"
+
+// GenerateRandomRequest generates a "aws/request.Request" representing the
+// client's request for the GenerateRandom operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See GenerateRandom for more information on using the GenerateRandom
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the GenerateRandomRequest method.
+// req, resp := client.GenerateRandomRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom
+func (c *KMS) GenerateRandomRequest(input *GenerateRandomInput) (req *request.Request, output *GenerateRandomOutput) {
+ op := &request.Operation{
+ Name: opGenerateRandom,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &GenerateRandomInput{}
+ }
+
+ output = &GenerateRandomOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// GenerateRandom API operation for AWS Key Management Service.
+//
+// Returns a random byte string that is cryptographically secure.
+//
+// By default, the random byte string is generated in AWS KMS. To generate the
+// byte string in the AWS CloudHSM cluster that is associated with a custom
+// key store (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html),
+// specify the custom key store ID.
+//
+// For more information about entropy and random number generation, see the
+// AWS Key Management Service Cryptographic Details (https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf)
+// whitepaper.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation GenerateRandom for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException"
+// The request was rejected because AWS KMS cannot find a custom key store with
+// the specified key store name or ID.
+//
+// * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException"
+// The request was rejected because of the ConnectionState of the custom key
+// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
+// operation.
+//
+// This exception is thrown under the following conditions:
+//
+// * You requested the CreateKey or GenerateRandom operation in a custom
+// key store that is not connected. These operations are valid only when
+// the custom key store ConnectionState is CONNECTED.
+//
+// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
+// on a custom key store that is not disconnected. This operation is valid
+// only when the custom key store ConnectionState is DISCONNECTED.
+//
+// * You requested the ConnectCustomKeyStore operation on a custom key store
+// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
+// for all other ConnectionState values.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom
+func (c *KMS) GenerateRandom(input *GenerateRandomInput) (*GenerateRandomOutput, error) {
+ req, out := c.GenerateRandomRequest(input)
+ return out, req.Send()
+}
+
+// GenerateRandomWithContext is the same as GenerateRandom with the addition of
+// the ability to pass a context and additional request options.
+//
+// See GenerateRandom for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) GenerateRandomWithContext(ctx aws.Context, input *GenerateRandomInput, opts ...request.Option) (*GenerateRandomOutput, error) {
+ req, out := c.GenerateRandomRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opGetKeyPolicy = "GetKeyPolicy"
+
+// GetKeyPolicyRequest generates a "aws/request.Request" representing the
+// client's request for the GetKeyPolicy operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See GetKeyPolicy for more information on using the GetKeyPolicy
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the GetKeyPolicyRequest method.
+// req, resp := client.GetKeyPolicyRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy
+func (c *KMS) GetKeyPolicyRequest(input *GetKeyPolicyInput) (req *request.Request, output *GetKeyPolicyOutput) {
+ op := &request.Operation{
+ Name: opGetKeyPolicy,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &GetKeyPolicyInput{}
+ }
+
+ output = &GetKeyPolicyOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// GetKeyPolicy API operation for AWS Key Management Service.
+//
+// Gets a key policy attached to the specified customer master key (CMK). You
+// cannot perform this operation on a CMK in a different AWS account.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation GetKeyPolicy for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy
+func (c *KMS) GetKeyPolicy(input *GetKeyPolicyInput) (*GetKeyPolicyOutput, error) {
+ req, out := c.GetKeyPolicyRequest(input)
+ return out, req.Send()
+}
+
+// GetKeyPolicyWithContext is the same as GetKeyPolicy with the addition of
+// the ability to pass a context and additional request options.
+//
+// See GetKeyPolicy for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) GetKeyPolicyWithContext(ctx aws.Context, input *GetKeyPolicyInput, opts ...request.Option) (*GetKeyPolicyOutput, error) {
+ req, out := c.GetKeyPolicyRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opGetKeyRotationStatus = "GetKeyRotationStatus"
+
+// GetKeyRotationStatusRequest generates a "aws/request.Request" representing the
+// client's request for the GetKeyRotationStatus operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See GetKeyRotationStatus for more information on using the GetKeyRotationStatus
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the GetKeyRotationStatusRequest method.
+// req, resp := client.GetKeyRotationStatusRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus
+func (c *KMS) GetKeyRotationStatusRequest(input *GetKeyRotationStatusInput) (req *request.Request, output *GetKeyRotationStatusOutput) {
+ op := &request.Operation{
+ Name: opGetKeyRotationStatus,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &GetKeyRotationStatusInput{}
+ }
+
+ output = &GetKeyRotationStatusOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// GetKeyRotationStatus API operation for AWS Key Management Service.
+//
+// Gets a Boolean value that indicates whether automatic rotation of the key
+// material (http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
+// is enabled for the specified customer master key (CMK).
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// * Disabled: The key rotation status does not change when you disable a
+// CMK. However, while the CMK is disabled, AWS KMS does not rotate the backing
+// key.
+//
+// * Pending deletion: While a CMK is pending deletion, its key rotation
+// status is false and AWS KMS does not rotate the backing key. If you cancel
+// the deletion, the original key rotation status is restored.
+//
+// To perform this operation on a CMK in a different AWS account, specify the
+// key ARN in the value of the KeyId parameter.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation GetKeyRotationStatus for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// * ErrCodeUnsupportedOperationException "UnsupportedOperationException"
+// The request was rejected because a specified parameter is not supported or
+// a specified resource is not valid for this operation.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus
+func (c *KMS) GetKeyRotationStatus(input *GetKeyRotationStatusInput) (*GetKeyRotationStatusOutput, error) {
+ req, out := c.GetKeyRotationStatusRequest(input)
+ return out, req.Send()
+}
+
+// GetKeyRotationStatusWithContext is the same as GetKeyRotationStatus with the addition of
+// the ability to pass a context and additional request options.
+//
+// See GetKeyRotationStatus for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) GetKeyRotationStatusWithContext(ctx aws.Context, input *GetKeyRotationStatusInput, opts ...request.Option) (*GetKeyRotationStatusOutput, error) {
+ req, out := c.GetKeyRotationStatusRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opGetParametersForImport = "GetParametersForImport"
+
+// GetParametersForImportRequest generates a "aws/request.Request" representing the
+// client's request for the GetParametersForImport operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See GetParametersForImport for more information on using the GetParametersForImport
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the GetParametersForImportRequest method.
+// req, resp := client.GetParametersForImportRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport
+func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput) (req *request.Request, output *GetParametersForImportOutput) {
+ op := &request.Operation{
+ Name: opGetParametersForImport,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &GetParametersForImportInput{}
+ }
+
+ output = &GetParametersForImportOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// GetParametersForImport API operation for AWS Key Management Service.
+//
+// Returns the items you need in order to import key material into AWS KMS from
+// your existing key management infrastructure. For more information about importing
+// key material into AWS KMS, see Importing Key Material (http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// You must specify the key ID of the customer master key (CMK) into which you
+// will import key material. This CMK's Origin must be EXTERNAL. You must also
+// specify the wrapping algorithm and type of wrapping key (public key) that
+// you will use to encrypt the key material. You cannot perform this operation
+// on a CMK in a different AWS account.
+//
+// This operation returns a public key and an import token. Use the public key
+// to encrypt the key material. Store the import token to send with a subsequent
+// ImportKeyMaterial request. The public key and import token from the same
+// response must be used together. These items are valid for 24 hours. When
+// they expire, they cannot be used for a subsequent ImportKeyMaterial request.
+// To get new ones, send another GetParametersForImport request.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation GetParametersForImport for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeUnsupportedOperationException "UnsupportedOperationException"
+// The request was rejected because a specified parameter is not supported or
+// a specified resource is not valid for this operation.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport
+func (c *KMS) GetParametersForImport(input *GetParametersForImportInput) (*GetParametersForImportOutput, error) {
+ req, out := c.GetParametersForImportRequest(input)
+ return out, req.Send()
+}
+
+// GetParametersForImportWithContext is the same as GetParametersForImport with the addition of
+// the ability to pass a context and additional request options.
+//
+// See GetParametersForImport for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) GetParametersForImportWithContext(ctx aws.Context, input *GetParametersForImportInput, opts ...request.Option) (*GetParametersForImportOutput, error) {
+ req, out := c.GetParametersForImportRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opImportKeyMaterial = "ImportKeyMaterial"
+
+// ImportKeyMaterialRequest generates a "aws/request.Request" representing the
+// client's request for the ImportKeyMaterial operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ImportKeyMaterial for more information on using the ImportKeyMaterial
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the ImportKeyMaterialRequest method.
+// req, resp := client.ImportKeyMaterialRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial
+func (c *KMS) ImportKeyMaterialRequest(input *ImportKeyMaterialInput) (req *request.Request, output *ImportKeyMaterialOutput) {
+ op := &request.Operation{
+ Name: opImportKeyMaterial,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &ImportKeyMaterialInput{}
+ }
+
+ output = &ImportKeyMaterialOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// ImportKeyMaterial API operation for AWS Key Management Service.
+//
+// Imports key material into an existing AWS KMS customer master key (CMK) that
+// was created without key material. You cannot perform this operation on a
+// CMK in a different AWS account. For more information about creating CMKs
+// with no key material and then importing key material, see Importing Key Material
+// (http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Before using this operation, call GetParametersForImport. Its response includes
+// a public key and an import token. Use the public key to encrypt the key material.
+// Then, submit the import token from the same GetParametersForImport response.
+//
+// When calling this operation, you must specify the following values:
+//
+// * The key ID or key ARN of a CMK with no key material. Its Origin must
+// be EXTERNAL.
+//
+// To create a CMK with no key material, call CreateKey and set the value of
+// its Origin parameter to EXTERNAL. To get the Origin of a CMK, call DescribeKey.)
+//
+// * The encrypted key material. To get the public key to encrypt the key
+// material, call GetParametersForImport.
+//
+// * The import token that GetParametersForImport returned. This token and
+// the public key used to encrypt the key material must have come from the
+// same response.
+//
+// * Whether the key material expires and if so, when. If you set an expiration
+// date, you can change it only by reimporting the same key material and
+// specifying a new expiration date. If the key material expires, AWS KMS
+// deletes the key material and the CMK becomes unusable. To use the CMK
+// again, you must reimport the same key material.
+//
+// When this operation is successful, the key state of the CMK changes from
+// PendingImport to Enabled, and you can use the CMK. After you successfully
+// import key material into a CMK, you can reimport the same key material into
+// that CMK, but you cannot import different key material.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation ImportKeyMaterial for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeUnsupportedOperationException "UnsupportedOperationException"
+// The request was rejected because a specified parameter is not supported or
+// a specified resource is not valid for this operation.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// * ErrCodeInvalidCiphertextException "InvalidCiphertextException"
+// The request was rejected because the specified ciphertext, or additional
+// authenticated data incorporated into the ciphertext, such as the encryption
+// context, is corrupted, missing, or otherwise invalid.
+//
+// * ErrCodeIncorrectKeyMaterialException "IncorrectKeyMaterialException"
+// The request was rejected because the provided key material is invalid or
+// is not the same key material that was previously imported into this customer
+// master key (CMK).
+//
+// * ErrCodeExpiredImportTokenException "ExpiredImportTokenException"
+// The request was rejected because the provided import token is expired. Use
+// GetParametersForImport to get a new import token and public key, use the
+// new public key to encrypt the key material, and then try the request again.
+//
+// * ErrCodeInvalidImportTokenException "InvalidImportTokenException"
+// The request was rejected because the provided import token is invalid or
+// is associated with a different customer master key (CMK).
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial
+func (c *KMS) ImportKeyMaterial(input *ImportKeyMaterialInput) (*ImportKeyMaterialOutput, error) {
+ req, out := c.ImportKeyMaterialRequest(input)
+ return out, req.Send()
+}
+
+// ImportKeyMaterialWithContext is the same as ImportKeyMaterial with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ImportKeyMaterial for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) ImportKeyMaterialWithContext(ctx aws.Context, input *ImportKeyMaterialInput, opts ...request.Option) (*ImportKeyMaterialOutput, error) {
+ req, out := c.ImportKeyMaterialRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opListAliases = "ListAliases"
+
+// ListAliasesRequest generates a "aws/request.Request" representing the
+// client's request for the ListAliases operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ListAliases for more information on using the ListAliases
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the ListAliasesRequest method.
+// req, resp := client.ListAliasesRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases
+func (c *KMS) ListAliasesRequest(input *ListAliasesInput) (req *request.Request, output *ListAliasesOutput) {
+ op := &request.Operation{
+ Name: opListAliases,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ Paginator: &request.Paginator{
+ InputTokens: []string{"Marker"},
+ OutputTokens: []string{"NextMarker"},
+ LimitToken: "Limit",
+ TruncationToken: "Truncated",
+ },
+ }
+
+ if input == nil {
+ input = &ListAliasesInput{}
+ }
+
+ output = &ListAliasesOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// ListAliases API operation for AWS Key Management Service.
+//
+// Gets a list of all aliases in the caller's AWS account and region. You cannot
+// list aliases in other accounts. For more information about aliases, see CreateAlias.
+//
+// By default, the ListAliases command returns all aliases in the account and
+// region. To get only the aliases that point to a particular customer master
+// key (CMK), use the KeyId parameter.
+//
+// The ListAliases response might include several aliases have no TargetKeyId
+// field. These are predefined aliases that AWS has created but has not yet
+// associated with a CMK. Aliases that AWS creates in your account, including
+// predefined aliases, do not count against your AWS KMS aliases limit (http://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit).
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation ListAliases for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInvalidMarkerException "InvalidMarkerException"
+// The request was rejected because the marker that specifies where pagination
+// should next begin is not valid.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases
+func (c *KMS) ListAliases(input *ListAliasesInput) (*ListAliasesOutput, error) {
+ req, out := c.ListAliasesRequest(input)
+ return out, req.Send()
+}
+
+// ListAliasesWithContext is the same as ListAliases with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ListAliases for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) ListAliasesWithContext(ctx aws.Context, input *ListAliasesInput, opts ...request.Option) (*ListAliasesOutput, error) {
+ req, out := c.ListAliasesRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+// ListAliasesPages iterates over the pages of a ListAliases operation,
+// calling the "fn" function with the response data for each page. To stop
+// iterating, return false from the fn function.
+//
+// See ListAliases method for more information on how to use this operation.
+//
+// Note: This operation can generate multiple requests to a service.
+//
+// // Example iterating over at most 3 pages of a ListAliases operation.
+// pageNum := 0
+// err := client.ListAliasesPages(params,
+// func(page *ListAliasesOutput, lastPage bool) bool {
+// pageNum++
+// fmt.Println(page)
+// return pageNum <= 3
+// })
+//
+func (c *KMS) ListAliasesPages(input *ListAliasesInput, fn func(*ListAliasesOutput, bool) bool) error {
+ return c.ListAliasesPagesWithContext(aws.BackgroundContext(), input, fn)
+}
+
+// ListAliasesPagesWithContext same as ListAliasesPages except
+// it takes a Context and allows setting request options on the pages.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) ListAliasesPagesWithContext(ctx aws.Context, input *ListAliasesInput, fn func(*ListAliasesOutput, bool) bool, opts ...request.Option) error {
+ p := request.Pagination{
+ NewRequest: func() (*request.Request, error) {
+ var inCpy *ListAliasesInput
+ if input != nil {
+ tmp := *input
+ inCpy = &tmp
+ }
+ req, _ := c.ListAliasesRequest(inCpy)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return req, nil
+ },
+ }
+
+ cont := true
+ for p.Next() && cont {
+ cont = fn(p.Page().(*ListAliasesOutput), !p.HasNextPage())
+ }
+ return p.Err()
+}
+
+const opListGrants = "ListGrants"
+
+// ListGrantsRequest generates a "aws/request.Request" representing the
+// client's request for the ListGrants operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ListGrants for more information on using the ListGrants
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the ListGrantsRequest method.
+// req, resp := client.ListGrantsRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants
+func (c *KMS) ListGrantsRequest(input *ListGrantsInput) (req *request.Request, output *ListGrantsResponse) {
+ op := &request.Operation{
+ Name: opListGrants,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ Paginator: &request.Paginator{
+ InputTokens: []string{"Marker"},
+ OutputTokens: []string{"NextMarker"},
+ LimitToken: "Limit",
+ TruncationToken: "Truncated",
+ },
+ }
+
+ if input == nil {
+ input = &ListGrantsInput{}
+ }
+
+ output = &ListGrantsResponse{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// ListGrants API operation for AWS Key Management Service.
+//
+// Gets a list of all grants for the specified customer master key (CMK).
+//
+// To perform this operation on a CMK in a different AWS account, specify the
+// key ARN in the value of the KeyId parameter.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation ListGrants for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInvalidMarkerException "InvalidMarkerException"
+// The request was rejected because the marker that specifies where pagination
+// should next begin is not valid.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants
+func (c *KMS) ListGrants(input *ListGrantsInput) (*ListGrantsResponse, error) {
+ req, out := c.ListGrantsRequest(input)
+ return out, req.Send()
+}
+
+// ListGrantsWithContext is the same as ListGrants with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ListGrants for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) ListGrantsWithContext(ctx aws.Context, input *ListGrantsInput, opts ...request.Option) (*ListGrantsResponse, error) {
+ req, out := c.ListGrantsRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+// ListGrantsPages iterates over the pages of a ListGrants operation,
+// calling the "fn" function with the response data for each page. To stop
+// iterating, return false from the fn function.
+//
+// See ListGrants method for more information on how to use this operation.
+//
+// Note: This operation can generate multiple requests to a service.
+//
+// // Example iterating over at most 3 pages of a ListGrants operation.
+// pageNum := 0
+// err := client.ListGrantsPages(params,
+// func(page *ListGrantsResponse, lastPage bool) bool {
+// pageNum++
+// fmt.Println(page)
+// return pageNum <= 3
+// })
+//
+func (c *KMS) ListGrantsPages(input *ListGrantsInput, fn func(*ListGrantsResponse, bool) bool) error {
+ return c.ListGrantsPagesWithContext(aws.BackgroundContext(), input, fn)
+}
+
+// ListGrantsPagesWithContext same as ListGrantsPages except
+// it takes a Context and allows setting request options on the pages.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) ListGrantsPagesWithContext(ctx aws.Context, input *ListGrantsInput, fn func(*ListGrantsResponse, bool) bool, opts ...request.Option) error {
+ p := request.Pagination{
+ NewRequest: func() (*request.Request, error) {
+ var inCpy *ListGrantsInput
+ if input != nil {
+ tmp := *input
+ inCpy = &tmp
+ }
+ req, _ := c.ListGrantsRequest(inCpy)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return req, nil
+ },
+ }
+
+ cont := true
+ for p.Next() && cont {
+ cont = fn(p.Page().(*ListGrantsResponse), !p.HasNextPage())
+ }
+ return p.Err()
+}
+
+const opListKeyPolicies = "ListKeyPolicies"
+
+// ListKeyPoliciesRequest generates a "aws/request.Request" representing the
+// client's request for the ListKeyPolicies operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ListKeyPolicies for more information on using the ListKeyPolicies
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the ListKeyPoliciesRequest method.
+// req, resp := client.ListKeyPoliciesRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies
+func (c *KMS) ListKeyPoliciesRequest(input *ListKeyPoliciesInput) (req *request.Request, output *ListKeyPoliciesOutput) {
+ op := &request.Operation{
+ Name: opListKeyPolicies,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ Paginator: &request.Paginator{
+ InputTokens: []string{"Marker"},
+ OutputTokens: []string{"NextMarker"},
+ LimitToken: "Limit",
+ TruncationToken: "Truncated",
+ },
+ }
+
+ if input == nil {
+ input = &ListKeyPoliciesInput{}
+ }
+
+ output = &ListKeyPoliciesOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// ListKeyPolicies API operation for AWS Key Management Service.
+//
+// Gets the names of the key policies that are attached to a customer master
+// key (CMK). This operation is designed to get policy names that you can use
+// in a GetKeyPolicy operation. However, the only valid policy name is default.
+// You cannot perform this operation on a CMK in a different AWS account.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation ListKeyPolicies for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies
+func (c *KMS) ListKeyPolicies(input *ListKeyPoliciesInput) (*ListKeyPoliciesOutput, error) {
+ req, out := c.ListKeyPoliciesRequest(input)
+ return out, req.Send()
+}
+
+// ListKeyPoliciesWithContext is the same as ListKeyPolicies with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ListKeyPolicies for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) ListKeyPoliciesWithContext(ctx aws.Context, input *ListKeyPoliciesInput, opts ...request.Option) (*ListKeyPoliciesOutput, error) {
+ req, out := c.ListKeyPoliciesRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+// ListKeyPoliciesPages iterates over the pages of a ListKeyPolicies operation,
+// calling the "fn" function with the response data for each page. To stop
+// iterating, return false from the fn function.
+//
+// See ListKeyPolicies method for more information on how to use this operation.
+//
+// Note: This operation can generate multiple requests to a service.
+//
+// // Example iterating over at most 3 pages of a ListKeyPolicies operation.
+// pageNum := 0
+// err := client.ListKeyPoliciesPages(params,
+// func(page *ListKeyPoliciesOutput, lastPage bool) bool {
+// pageNum++
+// fmt.Println(page)
+// return pageNum <= 3
+// })
+//
+func (c *KMS) ListKeyPoliciesPages(input *ListKeyPoliciesInput, fn func(*ListKeyPoliciesOutput, bool) bool) error {
+ return c.ListKeyPoliciesPagesWithContext(aws.BackgroundContext(), input, fn)
+}
+
+// ListKeyPoliciesPagesWithContext same as ListKeyPoliciesPages except
+// it takes a Context and allows setting request options on the pages.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) ListKeyPoliciesPagesWithContext(ctx aws.Context, input *ListKeyPoliciesInput, fn func(*ListKeyPoliciesOutput, bool) bool, opts ...request.Option) error {
+ p := request.Pagination{
+ NewRequest: func() (*request.Request, error) {
+ var inCpy *ListKeyPoliciesInput
+ if input != nil {
+ tmp := *input
+ inCpy = &tmp
+ }
+ req, _ := c.ListKeyPoliciesRequest(inCpy)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return req, nil
+ },
+ }
+
+ cont := true
+ for p.Next() && cont {
+ cont = fn(p.Page().(*ListKeyPoliciesOutput), !p.HasNextPage())
+ }
+ return p.Err()
+}
+
+const opListKeys = "ListKeys"
+
+// ListKeysRequest generates a "aws/request.Request" representing the
+// client's request for the ListKeys operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ListKeys for more information on using the ListKeys
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the ListKeysRequest method.
+// req, resp := client.ListKeysRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys
+func (c *KMS) ListKeysRequest(input *ListKeysInput) (req *request.Request, output *ListKeysOutput) {
+ op := &request.Operation{
+ Name: opListKeys,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ Paginator: &request.Paginator{
+ InputTokens: []string{"Marker"},
+ OutputTokens: []string{"NextMarker"},
+ LimitToken: "Limit",
+ TruncationToken: "Truncated",
+ },
+ }
+
+ if input == nil {
+ input = &ListKeysInput{}
+ }
+
+ output = &ListKeysOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// ListKeys API operation for AWS Key Management Service.
+//
+// Gets a list of all customer master keys (CMKs) in the caller's AWS account
+// and region.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation ListKeys for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidMarkerException "InvalidMarkerException"
+// The request was rejected because the marker that specifies where pagination
+// should next begin is not valid.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys
+func (c *KMS) ListKeys(input *ListKeysInput) (*ListKeysOutput, error) {
+ req, out := c.ListKeysRequest(input)
+ return out, req.Send()
+}
+
+// ListKeysWithContext is the same as ListKeys with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ListKeys for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) ListKeysWithContext(ctx aws.Context, input *ListKeysInput, opts ...request.Option) (*ListKeysOutput, error) {
+ req, out := c.ListKeysRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+// ListKeysPages iterates over the pages of a ListKeys operation,
+// calling the "fn" function with the response data for each page. To stop
+// iterating, return false from the fn function.
+//
+// See ListKeys method for more information on how to use this operation.
+//
+// Note: This operation can generate multiple requests to a service.
+//
+// // Example iterating over at most 3 pages of a ListKeys operation.
+// pageNum := 0
+// err := client.ListKeysPages(params,
+// func(page *ListKeysOutput, lastPage bool) bool {
+// pageNum++
+// fmt.Println(page)
+// return pageNum <= 3
+// })
+//
+func (c *KMS) ListKeysPages(input *ListKeysInput, fn func(*ListKeysOutput, bool) bool) error {
+ return c.ListKeysPagesWithContext(aws.BackgroundContext(), input, fn)
+}
+
+// ListKeysPagesWithContext same as ListKeysPages except
+// it takes a Context and allows setting request options on the pages.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) ListKeysPagesWithContext(ctx aws.Context, input *ListKeysInput, fn func(*ListKeysOutput, bool) bool, opts ...request.Option) error {
+ p := request.Pagination{
+ NewRequest: func() (*request.Request, error) {
+ var inCpy *ListKeysInput
+ if input != nil {
+ tmp := *input
+ inCpy = &tmp
+ }
+ req, _ := c.ListKeysRequest(inCpy)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return req, nil
+ },
+ }
+
+ cont := true
+ for p.Next() && cont {
+ cont = fn(p.Page().(*ListKeysOutput), !p.HasNextPage())
+ }
+ return p.Err()
+}
+
+const opListResourceTags = "ListResourceTags"
+
+// ListResourceTagsRequest generates a "aws/request.Request" representing the
+// client's request for the ListResourceTags operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ListResourceTags for more information on using the ListResourceTags
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the ListResourceTagsRequest method.
+// req, resp := client.ListResourceTagsRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags
+func (c *KMS) ListResourceTagsRequest(input *ListResourceTagsInput) (req *request.Request, output *ListResourceTagsOutput) {
+ op := &request.Operation{
+ Name: opListResourceTags,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &ListResourceTagsInput{}
+ }
+
+ output = &ListResourceTagsOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// ListResourceTags API operation for AWS Key Management Service.
+//
+// Returns a list of all tags for the specified customer master key (CMK).
+//
+// You cannot perform this operation on a CMK in a different AWS account.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation ListResourceTags for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeInvalidMarkerException "InvalidMarkerException"
+// The request was rejected because the marker that specifies where pagination
+// should next begin is not valid.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags
+func (c *KMS) ListResourceTags(input *ListResourceTagsInput) (*ListResourceTagsOutput, error) {
+ req, out := c.ListResourceTagsRequest(input)
+ return out, req.Send()
+}
+
+// ListResourceTagsWithContext is the same as ListResourceTags with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ListResourceTags for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) ListResourceTagsWithContext(ctx aws.Context, input *ListResourceTagsInput, opts ...request.Option) (*ListResourceTagsOutput, error) {
+ req, out := c.ListResourceTagsRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opListRetirableGrants = "ListRetirableGrants"
+
+// ListRetirableGrantsRequest generates a "aws/request.Request" representing the
+// client's request for the ListRetirableGrants operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ListRetirableGrants for more information on using the ListRetirableGrants
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the ListRetirableGrantsRequest method.
+// req, resp := client.ListRetirableGrantsRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants
+func (c *KMS) ListRetirableGrantsRequest(input *ListRetirableGrantsInput) (req *request.Request, output *ListGrantsResponse) {
+ op := &request.Operation{
+ Name: opListRetirableGrants,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &ListRetirableGrantsInput{}
+ }
+
+ output = &ListGrantsResponse{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// ListRetirableGrants API operation for AWS Key Management Service.
+//
+// Returns a list of all grants for which the grant's RetiringPrincipal matches
+// the one specified.
+//
+// A typical use is to list all grants that you are able to retire. To retire
+// a grant, use RetireGrant.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation ListRetirableGrants for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInvalidMarkerException "InvalidMarkerException"
+// The request was rejected because the marker that specifies where pagination
+// should next begin is not valid.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants
+func (c *KMS) ListRetirableGrants(input *ListRetirableGrantsInput) (*ListGrantsResponse, error) {
+ req, out := c.ListRetirableGrantsRequest(input)
+ return out, req.Send()
+}
+
+// ListRetirableGrantsWithContext is the same as ListRetirableGrants with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ListRetirableGrants for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) ListRetirableGrantsWithContext(ctx aws.Context, input *ListRetirableGrantsInput, opts ...request.Option) (*ListGrantsResponse, error) {
+ req, out := c.ListRetirableGrantsRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opPutKeyPolicy = "PutKeyPolicy"
+
+// PutKeyPolicyRequest generates a "aws/request.Request" representing the
+// client's request for the PutKeyPolicy operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See PutKeyPolicy for more information on using the PutKeyPolicy
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the PutKeyPolicyRequest method.
+// req, resp := client.PutKeyPolicyRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy
+func (c *KMS) PutKeyPolicyRequest(input *PutKeyPolicyInput) (req *request.Request, output *PutKeyPolicyOutput) {
+ op := &request.Operation{
+ Name: opPutKeyPolicy,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &PutKeyPolicyInput{}
+ }
+
+ output = &PutKeyPolicyOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// PutKeyPolicy API operation for AWS Key Management Service.
+//
+// Attaches a key policy to the specified customer master key (CMK). You cannot
+// perform this operation on a CMK in a different AWS account.
+//
+// For more information about key policies, see Key Policies (http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation PutKeyPolicy for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocumentException"
+// The request was rejected because the specified policy is not syntactically
+// or semantically correct.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeUnsupportedOperationException "UnsupportedOperationException"
+// The request was rejected because a specified parameter is not supported or
+// a specified resource is not valid for this operation.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeLimitExceededException "LimitExceededException"
+// The request was rejected because a limit was exceeded. For more information,
+// see Limits (http://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy
+func (c *KMS) PutKeyPolicy(input *PutKeyPolicyInput) (*PutKeyPolicyOutput, error) {
+ req, out := c.PutKeyPolicyRequest(input)
+ return out, req.Send()
+}
+
+// PutKeyPolicyWithContext is the same as PutKeyPolicy with the addition of
+// the ability to pass a context and additional request options.
+//
+// See PutKeyPolicy for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) PutKeyPolicyWithContext(ctx aws.Context, input *PutKeyPolicyInput, opts ...request.Option) (*PutKeyPolicyOutput, error) {
+ req, out := c.PutKeyPolicyRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opReEncrypt = "ReEncrypt"
+
+// ReEncryptRequest generates a "aws/request.Request" representing the
+// client's request for the ReEncrypt operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ReEncrypt for more information on using the ReEncrypt
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the ReEncryptRequest method.
+// req, resp := client.ReEncryptRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt
+func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, output *ReEncryptOutput) {
+ op := &request.Operation{
+ Name: opReEncrypt,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &ReEncryptInput{}
+ }
+
+ output = &ReEncryptOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// ReEncrypt API operation for AWS Key Management Service.
+//
+// Encrypts data on the server side with a new customer master key (CMK) without
+// exposing the plaintext of the data on the client side. The data is first
+// decrypted and then reencrypted. You can also use this operation to change
+// the encryption context of a ciphertext.
+//
+// You can reencrypt data using CMKs in different AWS accounts.
+//
+// Unlike other operations, ReEncrypt is authorized twice, once as ReEncryptFrom
+// on the source CMK and once as ReEncryptTo on the destination CMK. We recommend
+// that you include the "kms:ReEncrypt*" permission in your key policies (http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)
+// to permit reencryption from or to the CMK. This permission is automatically
+// included in the key policy when you create a CMK through the console, but
+// you must include it manually when you create a CMK programmatically or when
+// you set a key policy with the PutKeyPolicy operation.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation ReEncrypt for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeDisabledException "DisabledException"
+// The request was rejected because the specified CMK is not enabled.
+//
+// * ErrCodeInvalidCiphertextException "InvalidCiphertextException"
+// The request was rejected because the specified ciphertext, or additional
+// authenticated data incorporated into the ciphertext, such as the encryption
+// context, is corrupted, missing, or otherwise invalid.
+//
+// * ErrCodeKeyUnavailableException "KeyUnavailableException"
+// The request was rejected because the specified CMK was not available. The
+// request can be retried.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException"
+// The request was rejected because the specified KeySpec value is not valid.
+//
+// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException"
+// The request was rejected because the specified grant token is not valid.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt
+func (c *KMS) ReEncrypt(input *ReEncryptInput) (*ReEncryptOutput, error) {
+ req, out := c.ReEncryptRequest(input)
+ return out, req.Send()
+}
+
+// ReEncryptWithContext is the same as ReEncrypt with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ReEncrypt for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) ReEncryptWithContext(ctx aws.Context, input *ReEncryptInput, opts ...request.Option) (*ReEncryptOutput, error) {
+ req, out := c.ReEncryptRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opRetireGrant = "RetireGrant"
+
+// RetireGrantRequest generates a "aws/request.Request" representing the
+// client's request for the RetireGrant operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See RetireGrant for more information on using the RetireGrant
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the RetireGrantRequest method.
+// req, resp := client.RetireGrantRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant
+func (c *KMS) RetireGrantRequest(input *RetireGrantInput) (req *request.Request, output *RetireGrantOutput) {
+ op := &request.Operation{
+ Name: opRetireGrant,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &RetireGrantInput{}
+ }
+
+ output = &RetireGrantOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// RetireGrant API operation for AWS Key Management Service.
+//
+// Retires a grant. To clean up, you can retire a grant when you're done using
+// it. You should revoke a grant when you intend to actively deny operations
+// that depend on it. The following are permitted to call this API:
+//
+// * The AWS account (root user) under which the grant was created
+//
+// * The RetiringPrincipal, if present in the grant
+//
+// * The GranteePrincipal, if RetireGrant is an operation specified in the
+// grant
+//
+// You must identify the grant to retire by its grant token or by a combination
+// of the grant ID and the Amazon Resource Name (ARN) of the customer master
+// key (CMK). A grant token is a unique variable-length base64-encoded string.
+// A grant ID is a 64 character unique identifier of a grant. The CreateGrant
+// operation returns both.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation RetireGrant for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException"
+// The request was rejected because the specified grant token is not valid.
+//
+// * ErrCodeInvalidGrantIdException "InvalidGrantIdException"
+// The request was rejected because the specified GrantId is not valid.
+//
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant
+func (c *KMS) RetireGrant(input *RetireGrantInput) (*RetireGrantOutput, error) {
+ req, out := c.RetireGrantRequest(input)
+ return out, req.Send()
+}
+
+// RetireGrantWithContext is the same as RetireGrant with the addition of
+// the ability to pass a context and additional request options.
+//
+// See RetireGrant for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) RetireGrantWithContext(ctx aws.Context, input *RetireGrantInput, opts ...request.Option) (*RetireGrantOutput, error) {
+ req, out := c.RetireGrantRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opRevokeGrant = "RevokeGrant"
+
+// RevokeGrantRequest generates a "aws/request.Request" representing the
+// client's request for the RevokeGrant operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See RevokeGrant for more information on using the RevokeGrant
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the RevokeGrantRequest method.
+// req, resp := client.RevokeGrantRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant
+func (c *KMS) RevokeGrantRequest(input *RevokeGrantInput) (req *request.Request, output *RevokeGrantOutput) {
+ op := &request.Operation{
+ Name: opRevokeGrant,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &RevokeGrantInput{}
+ }
+
+ output = &RevokeGrantOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// RevokeGrant API operation for AWS Key Management Service.
+//
+// Revokes the specified grant for the specified customer master key (CMK).
+// You can revoke a grant to actively deny operations that depend on it.
+//
+// To perform this operation on a CMK in a different AWS account, specify the
+// key ARN in the value of the KeyId parameter.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation RevokeGrant for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeInvalidGrantIdException "InvalidGrantIdException"
+// The request was rejected because the specified GrantId is not valid.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant
+func (c *KMS) RevokeGrant(input *RevokeGrantInput) (*RevokeGrantOutput, error) {
+ req, out := c.RevokeGrantRequest(input)
+ return out, req.Send()
+}
+
+// RevokeGrantWithContext is the same as RevokeGrant with the addition of
+// the ability to pass a context and additional request options.
+//
+// See RevokeGrant for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) RevokeGrantWithContext(ctx aws.Context, input *RevokeGrantInput, opts ...request.Option) (*RevokeGrantOutput, error) {
+ req, out := c.RevokeGrantRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opScheduleKeyDeletion = "ScheduleKeyDeletion"
+
+// ScheduleKeyDeletionRequest generates a "aws/request.Request" representing the
+// client's request for the ScheduleKeyDeletion operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See ScheduleKeyDeletion for more information on using the ScheduleKeyDeletion
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the ScheduleKeyDeletionRequest method.
+// req, resp := client.ScheduleKeyDeletionRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion
+func (c *KMS) ScheduleKeyDeletionRequest(input *ScheduleKeyDeletionInput) (req *request.Request, output *ScheduleKeyDeletionOutput) {
+ op := &request.Operation{
+ Name: opScheduleKeyDeletion,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &ScheduleKeyDeletionInput{}
+ }
+
+ output = &ScheduleKeyDeletionOutput{}
+ req = c.newRequest(op, input, output)
+ return
+}
+
+// ScheduleKeyDeletion API operation for AWS Key Management Service.
+//
+// Schedules the deletion of a customer master key (CMK). You may provide a
+// waiting period, specified in days, before deletion occurs. If you do not
+// provide a waiting period, the default period of 30 days is used. When this
+// operation is successful, the key state of the CMK changes to PendingDeletion.
+// Before the waiting period ends, you can use CancelKeyDeletion to cancel the
+// deletion of the CMK. After the waiting period ends, AWS KMS deletes the CMK
+// and all AWS KMS data associated with it, including all aliases that refer
+// to it.
+//
+// Deleting a CMK is a destructive and potentially dangerous operation. When
+// a CMK is deleted, all data that was encrypted under the CMK is unrecoverable.
+// To prevent the use of a CMK without deleting it, use DisableKey.
+//
+// If you schedule deletion of a CMK from a custom key store (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html),
+// when the waiting period expires, ScheduleKeyDeletion deletes the CMK from
+// AWS KMS. Then AWS KMS makes a best effort to delete the key material from
+// the associated AWS CloudHSM cluster. However, you might need to manually
+// delete the orphaned key material (http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key)
+// from the cluster and its backups.
+//
+// You cannot perform this operation on a CMK in a different AWS account.
+//
+// For more information about scheduling a CMK for deletion, see Deleting Customer
+// Master Keys (http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation ScheduleKeyDeletion for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion
+func (c *KMS) ScheduleKeyDeletion(input *ScheduleKeyDeletionInput) (*ScheduleKeyDeletionOutput, error) {
+ req, out := c.ScheduleKeyDeletionRequest(input)
+ return out, req.Send()
+}
+
+// ScheduleKeyDeletionWithContext is the same as ScheduleKeyDeletion with the addition of
+// the ability to pass a context and additional request options.
+//
+// See ScheduleKeyDeletion for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) ScheduleKeyDeletionWithContext(ctx aws.Context, input *ScheduleKeyDeletionInput, opts ...request.Option) (*ScheduleKeyDeletionOutput, error) {
+ req, out := c.ScheduleKeyDeletionRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opTagResource = "TagResource"
+
+// TagResourceRequest generates a "aws/request.Request" representing the
+// client's request for the TagResource operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See TagResource for more information on using the TagResource
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the TagResourceRequest method.
+// req, resp := client.TagResourceRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource
+func (c *KMS) TagResourceRequest(input *TagResourceInput) (req *request.Request, output *TagResourceOutput) {
+ op := &request.Operation{
+ Name: opTagResource,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &TagResourceInput{}
+ }
+
+ output = &TagResourceOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// TagResource API operation for AWS Key Management Service.
+//
+// Adds or edits tags for a customer master key (CMK). You cannot perform this
+// operation on a CMK in a different AWS account.
+//
+// Each tag consists of a tag key and a tag value. Tag keys and tag values are
+// both required, but tag values can be empty (null) strings.
+//
+// You can only use a tag key once for each CMK. If you use the tag key again,
+// AWS KMS replaces the current tag value with the specified value.
+//
+// For information about the rules that apply to tag keys and tag values, see
+// User-Defined Tag Restrictions (http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html)
+// in the AWS Billing and Cost Management User Guide.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation TagResource for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// * ErrCodeLimitExceededException "LimitExceededException"
+// The request was rejected because a limit was exceeded. For more information,
+// see Limits (http://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// * ErrCodeTagException "TagException"
+// The request was rejected because one or more tags are not valid.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource
+func (c *KMS) TagResource(input *TagResourceInput) (*TagResourceOutput, error) {
+ req, out := c.TagResourceRequest(input)
+ return out, req.Send()
+}
+
+// TagResourceWithContext is the same as TagResource with the addition of
+// the ability to pass a context and additional request options.
+//
+// See TagResource for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) TagResourceWithContext(ctx aws.Context, input *TagResourceInput, opts ...request.Option) (*TagResourceOutput, error) {
+ req, out := c.TagResourceRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opUntagResource = "UntagResource"
+
+// UntagResourceRequest generates a "aws/request.Request" representing the
+// client's request for the UntagResource operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See UntagResource for more information on using the UntagResource
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the UntagResourceRequest method.
+// req, resp := client.UntagResourceRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource
+func (c *KMS) UntagResourceRequest(input *UntagResourceInput) (req *request.Request, output *UntagResourceOutput) {
+ op := &request.Operation{
+ Name: opUntagResource,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &UntagResourceInput{}
+ }
+
+ output = &UntagResourceOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// UntagResource API operation for AWS Key Management Service.
+//
+// Removes the specified tags from the specified customer master key (CMK).
+// You cannot perform this operation on a CMK in a different AWS account.
+//
+// To remove a tag, specify the tag key. To change the tag value of an existing
+// tag key, use TagResource.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation UntagResource for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// * ErrCodeTagException "TagException"
+// The request was rejected because one or more tags are not valid.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource
+func (c *KMS) UntagResource(input *UntagResourceInput) (*UntagResourceOutput, error) {
+ req, out := c.UntagResourceRequest(input)
+ return out, req.Send()
+}
+
+// UntagResourceWithContext is the same as UntagResource with the addition of
+// the ability to pass a context and additional request options.
+//
+// See UntagResource for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) UntagResourceWithContext(ctx aws.Context, input *UntagResourceInput, opts ...request.Option) (*UntagResourceOutput, error) {
+ req, out := c.UntagResourceRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opUpdateAlias = "UpdateAlias"
+
+// UpdateAliasRequest generates a "aws/request.Request" representing the
+// client's request for the UpdateAlias operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See UpdateAlias for more information on using the UpdateAlias
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the UpdateAliasRequest method.
+// req, resp := client.UpdateAliasRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias
+func (c *KMS) UpdateAliasRequest(input *UpdateAliasInput) (req *request.Request, output *UpdateAliasOutput) {
+ op := &request.Operation{
+ Name: opUpdateAlias,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &UpdateAliasInput{}
+ }
+
+ output = &UpdateAliasOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// UpdateAlias API operation for AWS Key Management Service.
+//
+// Associates an existing alias with a different customer master key (CMK).
+// Each CMK can have multiple aliases, but the aliases must be unique within
+// the account and region. You cannot perform this operation on an alias in
+// a different AWS account.
+//
+// This operation works only on existing aliases. To change the alias of a CMK
+// to a new value, use CreateAlias to create a new alias and DeleteAlias to
+// delete the old alias.
+//
+// Because an alias is not a property of a CMK, you can create, update, and
+// delete the aliases of a CMK without affecting the CMK. Also, aliases do not
+// appear in the response from the DescribeKey operation. To get the aliases
+// of all CMKs in the account, use the ListAliases operation.
+//
+// An alias name can contain only alphanumeric characters, forward slashes (/),
+// underscores (_), and dashes (-). An alias must start with the word alias
+// followed by a forward slash (alias/). The alias name can contain only alphanumeric
+// characters, forward slashes (/), underscores (_), and dashes (-). Alias names
+// cannot begin with aws; that alias name prefix is reserved by Amazon Web Services
+// (AWS).
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation UpdateAlias for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias
+func (c *KMS) UpdateAlias(input *UpdateAliasInput) (*UpdateAliasOutput, error) {
+ req, out := c.UpdateAliasRequest(input)
+ return out, req.Send()
+}
+
+// UpdateAliasWithContext is the same as UpdateAlias with the addition of
+// the ability to pass a context and additional request options.
+//
+// See UpdateAlias for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) UpdateAliasWithContext(ctx aws.Context, input *UpdateAliasInput, opts ...request.Option) (*UpdateAliasOutput, error) {
+ req, out := c.UpdateAliasRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opUpdateCustomKeyStore = "UpdateCustomKeyStore"
+
+// UpdateCustomKeyStoreRequest generates a "aws/request.Request" representing the
+// client's request for the UpdateCustomKeyStore operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See UpdateCustomKeyStore for more information on using the UpdateCustomKeyStore
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the UpdateCustomKeyStoreRequest method.
+// req, resp := client.UpdateCustomKeyStoreRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore
+func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req *request.Request, output *UpdateCustomKeyStoreOutput) {
+ op := &request.Operation{
+ Name: opUpdateCustomKeyStore,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &UpdateCustomKeyStoreInput{}
+ }
+
+ output = &UpdateCustomKeyStoreOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// UpdateCustomKeyStore API operation for AWS Key Management Service.
+//
+// Changes the properties of a custom key store. Use the CustomKeyStoreId parameter
+// to identify the custom key store you want to edit. Use the remaining parameters
+// to change the properties of the custom key store.
+//
+// You can only update a custom key store that is disconnected. To disconnect
+// the custom key store, use DisconnectCustomKeyStore. To reconnect the custom
+// key store after the update completes, use ConnectCustomKeyStore. To find
+// the connection state of a custom key store, use the DescribeCustomKeyStores
+// operation.
+//
+// Use the NewCustomKeyStoreName parameter to change the friendly name of the
+// custom key store to the value that you specify.
+//
+// Use the KeyStorePassword parameter tell AWS KMS the current password of the
+// kmsuser (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
+// crypto user (CU) in the associated AWS CloudHSM cluster. You can use this
+// parameter to fix connection failures that occur when AWS KMS cannot log into
+// the associated cluster because the kmsuser password has changed. This value
+// does not change the password in the AWS CloudHSM cluster.
+//
+// Use the CloudHsmClusterId parameter to associate the custom key store with
+// a related AWS CloudHSM cluster, that is, a cluster that shares a backup history
+// with the original cluster. You can use this parameter to repair a custom
+// key store if its AWS CloudHSM cluster becomes corrupted or is deleted, or
+// when you need to create or restore a cluster from a backup.
+//
+// The cluster ID must identify a AWS CloudHSM cluster with the following requirements.
+//
+// * The cluster must be active and be in the same AWS account and Region
+// as the custom key store.
+//
+// * The cluster must have the same cluster certificate as the original cluster.
+// You cannot use this parameter to associate the custom key store with an
+// unrelated cluster. To view the cluster certificate, use the AWS CloudHSM
+// DescribeClusters (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+// operation. Clusters that share a backup history have the same cluster
+// certificate.
+//
+// * The cluster must be configured with subnets in at least two different
+// Availability Zones in the Region. Because AWS CloudHSM is not supported
+// in all Availability Zones, we recommend that the cluster have subnets
+// in all Availability Zones in the Region.
+//
+// * The cluster must contain at least two active HSMs, each in a different
+// Availability Zone.
+//
+// If the operation succeeds, it returns a JSON object with no properties.
+//
+// This operation is part of the Custom Key Store feature (http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
+// feature in AWS KMS, which combines the convenience and extensive integration
+// of AWS KMS with the isolation and control of a single-tenant key store.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation UpdateCustomKeyStore for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException"
+// The request was rejected because AWS KMS cannot find a custom key store with
+// the specified key store name or ID.
+//
+// * ErrCodeCloudHsmClusterNotFoundException "CloudHsmClusterNotFoundException"
+// The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster
+// with the specified cluster ID. Retry the request with a different cluster
+// ID.
+//
+// * ErrCodeCloudHsmClusterNotRelatedException "CloudHsmClusterNotRelatedException"
+// The request was rejected because the specified AWS CloudHSM cluster has a
+// different cluster certificate than the original cluster. You cannot use the
+// operation to specify an unrelated cluster.
+//
+// Specify a cluster that shares a backup history with the original cluster.
+// This includes clusters that were created from a backup of the current cluster,
+// and clusters that were created from the same backup that produced the current
+// cluster.
+//
+// Clusters that share a backup history have the same cluster certificate. To
+// view the cluster certificate of a cluster, use the DescribeClusters (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+// operation.
+//
+// * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException"
+// The request was rejected because of the ConnectionState of the custom key
+// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
+// operation.
+//
+// This exception is thrown under the following conditions:
+//
+// * You requested the CreateKey or GenerateRandom operation in a custom
+// key store that is not connected. These operations are valid only when
+// the custom key store ConnectionState is CONNECTED.
+//
+// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
+// on a custom key store that is not disconnected. This operation is valid
+// only when the custom key store ConnectionState is DISCONNECTED.
+//
+// * You requested the ConnectCustomKeyStore operation on a custom key store
+// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
+// for all other ConnectionState values.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeCloudHsmClusterNotActiveException "CloudHsmClusterNotActiveException"
+// The request was rejected because the AWS CloudHSM cluster that is associated
+// with the custom key store is not active. Initialize and activate the cluster
+// and try the command again. For detailed instructions, see Getting Started
+// (http://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
+// in the AWS CloudHSM User Guide.
+//
+// * ErrCodeCloudHsmClusterInvalidConfigurationException "CloudHsmClusterInvalidConfigurationException"
+// The request was rejected because the associated AWS CloudHSM cluster did
+// not meet the configuration requirements for a custom key store. The cluster
+// must be configured with private subnets in at least two different Availability
+// Zones in the Region. Also, it must contain at least as many HSMs as the operation
+// requires.
+//
+// For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations,
+// the AWS CloudHSM cluster must have at least two active HSMs, each in a different
+// Availability Zone. For the ConnectCustomKeyStore operation, the AWS CloudHSM
+// must contain at least one active HSM.
+//
+// For information about creating a private subnet for a AWS CloudHSM cluster,
+// see Create a Private Subnet (http://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
+// in the AWS CloudHSM User Guide. To add HSMs, use the AWS CloudHSM CreateHsm
+// (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
+// operation.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore
+func (c *KMS) UpdateCustomKeyStore(input *UpdateCustomKeyStoreInput) (*UpdateCustomKeyStoreOutput, error) {
+ req, out := c.UpdateCustomKeyStoreRequest(input)
+ return out, req.Send()
+}
+
+// UpdateCustomKeyStoreWithContext is the same as UpdateCustomKeyStore with the addition of
+// the ability to pass a context and additional request options.
+//
+// See UpdateCustomKeyStore for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) UpdateCustomKeyStoreWithContext(ctx aws.Context, input *UpdateCustomKeyStoreInput, opts ...request.Option) (*UpdateCustomKeyStoreOutput, error) {
+ req, out := c.UpdateCustomKeyStoreRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+const opUpdateKeyDescription = "UpdateKeyDescription"
+
+// UpdateKeyDescriptionRequest generates a "aws/request.Request" representing the
+// client's request for the UpdateKeyDescription operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See UpdateKeyDescription for more information on using the UpdateKeyDescription
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+// // Example sending a request using the UpdateKeyDescriptionRequest method.
+// req, resp := client.UpdateKeyDescriptionRequest(params)
+//
+// err := req.Send()
+// if err == nil { // resp is now filled
+// fmt.Println(resp)
+// }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription
+func (c *KMS) UpdateKeyDescriptionRequest(input *UpdateKeyDescriptionInput) (req *request.Request, output *UpdateKeyDescriptionOutput) {
+ op := &request.Operation{
+ Name: opUpdateKeyDescription,
+ HTTPMethod: "POST",
+ HTTPPath: "/",
+ }
+
+ if input == nil {
+ input = &UpdateKeyDescriptionInput{}
+ }
+
+ output = &UpdateKeyDescriptionOutput{}
+ req = c.newRequest(op, input, output)
+ req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
+ return
+}
+
+// UpdateKeyDescription API operation for AWS Key Management Service.
+//
+// Updates the description of a customer master key (CMK). To see the decription
+// of a CMK, use DescribeKey.
+//
+// You cannot perform this operation on a CMK in a different AWS account.
+//
+// The result of this operation varies with the key state of the CMK. For details,
+// see How Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation UpdateKeyDescription for usage and error information.
+//
+// Returned Error Codes:
+// * ErrCodeNotFoundException "NotFoundException"
+// The request was rejected because the specified entity or resource could not
+// be found.
+//
+// * ErrCodeInvalidArnException "InvalidArnException"
+// The request was rejected because a specified ARN was not valid.
+//
+// * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
+// The system timed out while trying to fulfill the request. The request can
+// be retried.
+//
+// * ErrCodeInternalException "KMSInternalException"
+// The request was rejected because an internal exception occurred. The request
+// can be retried.
+//
+// * ErrCodeInvalidStateException "KMSInvalidStateException"
+// The request was rejected because the state of the specified resource is not
+// valid for this request.
+//
+// For more information about how key state affects the use of a CMK, see How
+// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription
+func (c *KMS) UpdateKeyDescription(input *UpdateKeyDescriptionInput) (*UpdateKeyDescriptionOutput, error) {
+ req, out := c.UpdateKeyDescriptionRequest(input)
+ return out, req.Send()
+}
+
+// UpdateKeyDescriptionWithContext is the same as UpdateKeyDescription with the addition of
+// the ability to pass a context and additional request options.
+//
+// See UpdateKeyDescription for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) UpdateKeyDescriptionWithContext(ctx aws.Context, input *UpdateKeyDescriptionInput, opts ...request.Option) (*UpdateKeyDescriptionOutput, error) {
+ req, out := c.UpdateKeyDescriptionRequest(input)
+ req.SetContext(ctx)
+ req.ApplyOptions(opts...)
+ return out, req.Send()
+}
+
+// Contains information about an alias.
+type AliasListEntry struct {
+ _ struct{} `type:"structure"`
+
+ // String that contains the key ARN.
+ AliasArn *string `min:"20" type:"string"`
+
+ // String that contains the alias.
+ AliasName *string `min:"1" type:"string"`
+
+ // String that contains the key identifier referred to by the alias.
+ TargetKeyId *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s AliasListEntry) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s AliasListEntry) GoString() string {
+ return s.String()
+}
+
+// SetAliasArn sets the AliasArn field's value.
+func (s *AliasListEntry) SetAliasArn(v string) *AliasListEntry {
+ s.AliasArn = &v
+ return s
+}
+
+// SetAliasName sets the AliasName field's value.
+func (s *AliasListEntry) SetAliasName(v string) *AliasListEntry {
+ s.AliasName = &v
+ return s
+}
+
+// SetTargetKeyId sets the TargetKeyId field's value.
+func (s *AliasListEntry) SetTargetKeyId(v string) *AliasListEntry {
+ s.TargetKeyId = &v
+ return s
+}
+
+type CancelKeyDeletionInput struct {
+ _ struct{} `type:"structure"`
+
+ // The unique identifier for the customer master key (CMK) for which to cancel
+ // deletion.
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s CancelKeyDeletionInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CancelKeyDeletionInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *CancelKeyDeletionInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "CancelKeyDeletionInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *CancelKeyDeletionInput) SetKeyId(v string) *CancelKeyDeletionInput {
+ s.KeyId = &v
+ return s
+}
+
+type CancelKeyDeletionOutput struct {
+ _ struct{} `type:"structure"`
+
+ // The unique identifier of the master key for which deletion is canceled.
+ KeyId *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s CancelKeyDeletionOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CancelKeyDeletionOutput) GoString() string {
+ return s.String()
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *CancelKeyDeletionOutput) SetKeyId(v string) *CancelKeyDeletionOutput {
+ s.KeyId = &v
+ return s
+}
+
+type ConnectCustomKeyStoreInput struct {
+ _ struct{} `type:"structure"`
+
+ // Enter the key store ID of the custom key store that you want to connect.
+ // To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
+ //
+ // CustomKeyStoreId is a required field
+ CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s ConnectCustomKeyStoreInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ConnectCustomKeyStoreInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ConnectCustomKeyStoreInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "ConnectCustomKeyStoreInput"}
+ if s.CustomKeyStoreId == nil {
+ invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreId"))
+ }
+ if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetCustomKeyStoreId sets the CustomKeyStoreId field's value.
+func (s *ConnectCustomKeyStoreInput) SetCustomKeyStoreId(v string) *ConnectCustomKeyStoreInput {
+ s.CustomKeyStoreId = &v
+ return s
+}
+
+type ConnectCustomKeyStoreOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s ConnectCustomKeyStoreOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ConnectCustomKeyStoreOutput) GoString() string {
+ return s.String()
+}
+
+type CreateAliasInput struct {
+ _ struct{} `type:"structure"`
+
+ // String that contains the display name. The name must start with the word
+ // "alias" followed by a forward slash (alias/). Aliases that begin with "alias/AWS"
+ // are reserved.
+ //
+ // AliasName is a required field
+ AliasName *string `min:"1" type:"string" required:"true"`
+
+ // Identifies the CMK for which you are creating the alias. This value cannot
+ // be an alias.
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // TargetKeyId is a required field
+ TargetKeyId *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s CreateAliasInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CreateAliasInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *CreateAliasInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "CreateAliasInput"}
+ if s.AliasName == nil {
+ invalidParams.Add(request.NewErrParamRequired("AliasName"))
+ }
+ if s.AliasName != nil && len(*s.AliasName) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("AliasName", 1))
+ }
+ if s.TargetKeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("TargetKeyId"))
+ }
+ if s.TargetKeyId != nil && len(*s.TargetKeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("TargetKeyId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetAliasName sets the AliasName field's value.
+func (s *CreateAliasInput) SetAliasName(v string) *CreateAliasInput {
+ s.AliasName = &v
+ return s
+}
+
+// SetTargetKeyId sets the TargetKeyId field's value.
+func (s *CreateAliasInput) SetTargetKeyId(v string) *CreateAliasInput {
+ s.TargetKeyId = &v
+ return s
+}
+
+type CreateAliasOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s CreateAliasOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CreateAliasOutput) GoString() string {
+ return s.String()
+}
+
+type CreateCustomKeyStoreInput struct {
+ _ struct{} `type:"structure"`
+
+ // Identifies the AWS CloudHSM cluster for the custom key store. Enter the cluster
+ // ID of any active AWS CloudHSM cluster that is not already associated with
+ // a custom key store. To find the cluster ID, use the DescribeClusters (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+ // operation.
+ //
+ // CloudHsmClusterId is a required field
+ CloudHsmClusterId *string `min:"19" type:"string" required:"true"`
+
+ // Specifies a friendly name for the custom key store. The name must be unique
+ // in your AWS account.
+ //
+ // CustomKeyStoreName is a required field
+ CustomKeyStoreName *string `min:"1" type:"string" required:"true"`
+
+ // Enter the password of the kmsuser (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
+ // crypto user (CU) account in the specified AWS CloudHSM cluster. AWS KMS logs
+ // into the cluster as this user to manage key material on your behalf.
+ //
+ // This parameter tells AWS KMS the kmsuser account password; it does not change
+ // the password in the AWS CloudHSM cluster.
+ //
+ // KeyStorePassword is a required field
+ KeyStorePassword *string `min:"1" type:"string" required:"true" sensitive:"true"`
+
+ // Enter the content of the trust anchor certificate for the cluster. This is
+ // the content of the customerCA.crt file that you created when you initialized
+ // the cluster (http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html).
+ //
+ // TrustAnchorCertificate is a required field
+ TrustAnchorCertificate *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s CreateCustomKeyStoreInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CreateCustomKeyStoreInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *CreateCustomKeyStoreInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "CreateCustomKeyStoreInput"}
+ if s.CloudHsmClusterId == nil {
+ invalidParams.Add(request.NewErrParamRequired("CloudHsmClusterId"))
+ }
+ if s.CloudHsmClusterId != nil && len(*s.CloudHsmClusterId) < 19 {
+ invalidParams.Add(request.NewErrParamMinLen("CloudHsmClusterId", 19))
+ }
+ if s.CustomKeyStoreName == nil {
+ invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreName"))
+ }
+ if s.CustomKeyStoreName != nil && len(*s.CustomKeyStoreName) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreName", 1))
+ }
+ if s.KeyStorePassword == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyStorePassword"))
+ }
+ if s.KeyStorePassword != nil && len(*s.KeyStorePassword) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyStorePassword", 1))
+ }
+ if s.TrustAnchorCertificate == nil {
+ invalidParams.Add(request.NewErrParamRequired("TrustAnchorCertificate"))
+ }
+ if s.TrustAnchorCertificate != nil && len(*s.TrustAnchorCertificate) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("TrustAnchorCertificate", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetCloudHsmClusterId sets the CloudHsmClusterId field's value.
+func (s *CreateCustomKeyStoreInput) SetCloudHsmClusterId(v string) *CreateCustomKeyStoreInput {
+ s.CloudHsmClusterId = &v
+ return s
+}
+
+// SetCustomKeyStoreName sets the CustomKeyStoreName field's value.
+func (s *CreateCustomKeyStoreInput) SetCustomKeyStoreName(v string) *CreateCustomKeyStoreInput {
+ s.CustomKeyStoreName = &v
+ return s
+}
+
+// SetKeyStorePassword sets the KeyStorePassword field's value.
+func (s *CreateCustomKeyStoreInput) SetKeyStorePassword(v string) *CreateCustomKeyStoreInput {
+ s.KeyStorePassword = &v
+ return s
+}
+
+// SetTrustAnchorCertificate sets the TrustAnchorCertificate field's value.
+func (s *CreateCustomKeyStoreInput) SetTrustAnchorCertificate(v string) *CreateCustomKeyStoreInput {
+ s.TrustAnchorCertificate = &v
+ return s
+}
+
+type CreateCustomKeyStoreOutput struct {
+ _ struct{} `type:"structure"`
+
+ // A unique identifier for the new custom key store.
+ CustomKeyStoreId *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s CreateCustomKeyStoreOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CreateCustomKeyStoreOutput) GoString() string {
+ return s.String()
+}
+
+// SetCustomKeyStoreId sets the CustomKeyStoreId field's value.
+func (s *CreateCustomKeyStoreOutput) SetCustomKeyStoreId(v string) *CreateCustomKeyStoreOutput {
+ s.CustomKeyStoreId = &v
+ return s
+}
+
+type CreateGrantInput struct {
+ _ struct{} `type:"structure"`
+
+ // A structure that you can use to allow certain operations in the grant only
+ // when the desired encryption context is present. For more information about
+ // encryption context, see Encryption Context (http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html)
+ // in the AWS Key Management Service Developer Guide.
+ Constraints *GrantConstraints `type:"structure"`
+
+ // A list of grant tokens.
+ //
+ // For more information, see Grant Tokens (http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
+ // in the AWS Key Management Service Developer Guide.
+ GrantTokens []*string `type:"list"`
+
+ // The principal that is given permission to perform the operations that the
+ // grant permits.
+ //
+ // To specify the principal, use the Amazon Resource Name (ARN) (http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
+ // of an AWS principal. Valid AWS principals include AWS accounts (root), IAM
+ // users, IAM roles, federated users, and assumed role users. For examples of
+ // the ARN syntax to use for specifying a principal, see AWS Identity and Access
+ // Management (IAM) (http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam)
+ // in the Example ARNs section of the AWS General Reference.
+ //
+ // GranteePrincipal is a required field
+ GranteePrincipal *string `min:"1" type:"string" required:"true"`
+
+ // The unique identifier for the customer master key (CMK) that the grant applies
+ // to.
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify
+ // a CMK in a different AWS account, you must use the key ARN.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+
+ // A friendly name for identifying the grant. Use this value to prevent unintended
+ // creation of duplicate grants when retrying this request.
+ //
+ // When this value is absent, all CreateGrant requests result in a new grant
+ // with a unique GrantId even if all the supplied parameters are identical.
+ // This can result in unintended duplicates when you retry the CreateGrant request.
+ //
+ // When this value is present, you can retry a CreateGrant request with identical
+ // parameters; if the grant already exists, the original GrantId is returned
+ // without creating a new grant. Note that the returned grant token is unique
+ // with every CreateGrant request, even when a duplicate GrantId is returned.
+ // All grant tokens obtained in this way can be used interchangeably.
+ Name *string `min:"1" type:"string"`
+
+ // A list of operations that the grant permits.
+ //
+ // Operations is a required field
+ Operations []*string `type:"list" required:"true"`
+
+ // The principal that is given permission to retire the grant by using RetireGrant
+ // operation.
+ //
+ // To specify the principal, use the Amazon Resource Name (ARN) (http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
+ // of an AWS principal. Valid AWS principals include AWS accounts (root), IAM
+ // users, federated users, and assumed role users. For examples of the ARN syntax
+ // to use for specifying a principal, see AWS Identity and Access Management
+ // (IAM) (http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam)
+ // in the Example ARNs section of the AWS General Reference.
+ RetiringPrincipal *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s CreateGrantInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CreateGrantInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *CreateGrantInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "CreateGrantInput"}
+ if s.GranteePrincipal == nil {
+ invalidParams.Add(request.NewErrParamRequired("GranteePrincipal"))
+ }
+ if s.GranteePrincipal != nil && len(*s.GranteePrincipal) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("GranteePrincipal", 1))
+ }
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+ if s.Name != nil && len(*s.Name) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("Name", 1))
+ }
+ if s.Operations == nil {
+ invalidParams.Add(request.NewErrParamRequired("Operations"))
+ }
+ if s.RetiringPrincipal != nil && len(*s.RetiringPrincipal) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("RetiringPrincipal", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetConstraints sets the Constraints field's value.
+func (s *CreateGrantInput) SetConstraints(v *GrantConstraints) *CreateGrantInput {
+ s.Constraints = v
+ return s
+}
+
+// SetGrantTokens sets the GrantTokens field's value.
+func (s *CreateGrantInput) SetGrantTokens(v []*string) *CreateGrantInput {
+ s.GrantTokens = v
+ return s
+}
+
+// SetGranteePrincipal sets the GranteePrincipal field's value.
+func (s *CreateGrantInput) SetGranteePrincipal(v string) *CreateGrantInput {
+ s.GranteePrincipal = &v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *CreateGrantInput) SetKeyId(v string) *CreateGrantInput {
+ s.KeyId = &v
+ return s
+}
+
+// SetName sets the Name field's value.
+func (s *CreateGrantInput) SetName(v string) *CreateGrantInput {
+ s.Name = &v
+ return s
+}
+
+// SetOperations sets the Operations field's value.
+func (s *CreateGrantInput) SetOperations(v []*string) *CreateGrantInput {
+ s.Operations = v
+ return s
+}
+
+// SetRetiringPrincipal sets the RetiringPrincipal field's value.
+func (s *CreateGrantInput) SetRetiringPrincipal(v string) *CreateGrantInput {
+ s.RetiringPrincipal = &v
+ return s
+}
+
+type CreateGrantOutput struct {
+ _ struct{} `type:"structure"`
+
+ // The unique identifier for the grant.
+ //
+ // You can use the GrantId in a subsequent RetireGrant or RevokeGrant operation.
+ GrantId *string `min:"1" type:"string"`
+
+ // The grant token.
+ //
+ // For more information, see Grant Tokens (http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
+ // in the AWS Key Management Service Developer Guide.
+ GrantToken *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s CreateGrantOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CreateGrantOutput) GoString() string {
+ return s.String()
+}
+
+// SetGrantId sets the GrantId field's value.
+func (s *CreateGrantOutput) SetGrantId(v string) *CreateGrantOutput {
+ s.GrantId = &v
+ return s
+}
+
+// SetGrantToken sets the GrantToken field's value.
+func (s *CreateGrantOutput) SetGrantToken(v string) *CreateGrantOutput {
+ s.GrantToken = &v
+ return s
+}
+
+type CreateKeyInput struct {
+ _ struct{} `type:"structure"`
+
+ // A flag to indicate whether to bypass the key policy lockout safety check.
+ //
+ // Setting this value to true increases the risk that the CMK becomes unmanageable.
+ // Do not set this value to true indiscriminately.
+ //
+ // For more information, refer to the scenario in the Default Key Policy (http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
+ // section in the AWS Key Management Service Developer Guide.
+ //
+ // Use this parameter only when you include a policy in the request and you
+ // intend to prevent the principal that is making the request from making a
+ // subsequent PutKeyPolicy request on the CMK.
+ //
+ // The default value is false.
+ BypassPolicyLockoutSafetyCheck *bool `type:"boolean"`
+
+ // Creates the CMK in the specified custom key store (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html)
+ // and the key material in its associated AWS CloudHSM cluster. To create a
+ // CMK in a custom key store, you must also specify the Origin parameter with
+ // a value of AWS_CLOUDHSM. The AWS CloudHSM cluster that is associated with
+ // the custom key store must have at least two active HSMs, each in a different
+ // Availability Zone in the Region.
+ //
+ // To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
+ //
+ // The response includes the custom key store ID and the ID of the AWS CloudHSM
+ // cluster.
+ //
+ // This operation is part of the Custom Key Store feature (http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
+ // feature in AWS KMS, which combines the convenience and extensive integration
+ // of AWS KMS with the isolation and control of a single-tenant key store.
+ CustomKeyStoreId *string `min:"1" type:"string"`
+
+ // A description of the CMK.
+ //
+ // Use a description that helps you decide whether the CMK is appropriate for
+ // a task.
+ Description *string `type:"string"`
+
+ // The intended use of the CMK.
+ //
+ // You can use CMKs only for symmetric encryption and decryption.
+ KeyUsage *string `type:"string" enum:"KeyUsageType"`
+
+ // The source of the CMK's key material. You cannot change the origin after
+ // you create the CMK.
+ //
+ // The default is AWS_KMS, which means AWS KMS creates the key material in its
+ // own key store.
+ //
+ // When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material
+ // so that you can import key material from your existing key management infrastructure.
+ // For more information about importing key material into AWS KMS, see Importing
+ // Key Material (http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
+ // in the AWS Key Management Service Developer Guide.
+ //
+ // When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in a AWS
+ // KMS custom key store (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html)
+ // and creates its key material in the associated AWS CloudHSM cluster. You
+ // must also use the CustomKeyStoreId parameter to identify the custom key store.
+ Origin *string `type:"string" enum:"OriginType"`
+
+ // The key policy to attach to the CMK.
+ //
+ // If you provide a key policy, it must meet the following criteria:
+ //
+ // * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy
+ // must allow the principal that is making the CreateKey request to make
+ // a subsequent PutKeyPolicy request on the CMK. This reduces the risk that
+ // the CMK becomes unmanageable. For more information, refer to the scenario
+ // in the Default Key Policy (http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
+ // section of the AWS Key Management Service Developer Guide.
+ //
+ // * Each statement in the key policy must contain one or more principals.
+ // The principals in the key policy must exist and be visible to AWS KMS.
+ // When you create a new AWS principal (for example, an IAM user or role),
+ // you might need to enforce a delay before including the new principal in
+ // a key policy because the new principal might not be immediately visible
+ // to AWS KMS. For more information, see Changes that I make are not always
+ // immediately visible (http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency)
+ // in the AWS Identity and Access Management User Guide.
+ //
+ // If you do not provide a key policy, AWS KMS attaches a default key policy
+ // to the CMK. For more information, see Default Key Policy (http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default)
+ // in the AWS Key Management Service Developer Guide.
+ //
+ // The key policy size limit is 32 kilobytes (32768 bytes).
+ Policy *string `min:"1" type:"string"`
+
+ // One or more tags. Each tag consists of a tag key and a tag value. Tag keys
+ // and tag values are both required, but tag values can be empty (null) strings.
+ //
+ // Use this parameter to tag the CMK when it is created. Alternately, you can
+ // omit this parameter and instead tag the CMK after it is created using TagResource.
+ Tags []*Tag `type:"list"`
+}
+
+// String returns the string representation
+func (s CreateKeyInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CreateKeyInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *CreateKeyInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "CreateKeyInput"}
+ if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
+ }
+ if s.Policy != nil && len(*s.Policy) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
+ }
+ if s.Tags != nil {
+ for i, v := range s.Tags {
+ if v == nil {
+ continue
+ }
+ if err := v.Validate(); err != nil {
+ invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams))
+ }
+ }
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetBypassPolicyLockoutSafetyCheck sets the BypassPolicyLockoutSafetyCheck field's value.
+func (s *CreateKeyInput) SetBypassPolicyLockoutSafetyCheck(v bool) *CreateKeyInput {
+ s.BypassPolicyLockoutSafetyCheck = &v
+ return s
+}
+
+// SetCustomKeyStoreId sets the CustomKeyStoreId field's value.
+func (s *CreateKeyInput) SetCustomKeyStoreId(v string) *CreateKeyInput {
+ s.CustomKeyStoreId = &v
+ return s
+}
+
+// SetDescription sets the Description field's value.
+func (s *CreateKeyInput) SetDescription(v string) *CreateKeyInput {
+ s.Description = &v
+ return s
+}
+
+// SetKeyUsage sets the KeyUsage field's value.
+func (s *CreateKeyInput) SetKeyUsage(v string) *CreateKeyInput {
+ s.KeyUsage = &v
+ return s
+}
+
+// SetOrigin sets the Origin field's value.
+func (s *CreateKeyInput) SetOrigin(v string) *CreateKeyInput {
+ s.Origin = &v
+ return s
+}
+
+// SetPolicy sets the Policy field's value.
+func (s *CreateKeyInput) SetPolicy(v string) *CreateKeyInput {
+ s.Policy = &v
+ return s
+}
+
+// SetTags sets the Tags field's value.
+func (s *CreateKeyInput) SetTags(v []*Tag) *CreateKeyInput {
+ s.Tags = v
+ return s
+}
+
+type CreateKeyOutput struct {
+ _ struct{} `type:"structure"`
+
+ // Metadata associated with the CMK.
+ KeyMetadata *KeyMetadata `type:"structure"`
+}
+
+// String returns the string representation
+func (s CreateKeyOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CreateKeyOutput) GoString() string {
+ return s.String()
+}
+
+// SetKeyMetadata sets the KeyMetadata field's value.
+func (s *CreateKeyOutput) SetKeyMetadata(v *KeyMetadata) *CreateKeyOutput {
+ s.KeyMetadata = v
+ return s
+}
+
+// Contains information about each custom key store in the custom key store
+// list.
+type CustomKeyStoresListEntry struct {
+ _ struct{} `type:"structure"`
+
+ // A unique identifier for the AWS CloudHSM cluster that is associated with
+ // the custom key store.
+ CloudHsmClusterId *string `min:"19" type:"string"`
+
+ // Describes the connection error. Valid values are:
+ //
+ // * CLUSTER_NOT_FOUND - AWS KMS cannot find the AWS CloudHSM cluster with
+ // the specified cluster ID.
+ //
+ // * INSUFFICIENT_CLOUDHSM_HSMS - The associated AWS CloudHSM cluster does
+ // not contain any active HSMs. To connect a custom key store to its AWS
+ // CloudHSM cluster, the cluster must contain at least one active HSM.
+ //
+ // * INVALID_CREDENTIALS - AWS KMS does not have the correct password for
+ // the kmsuser crypto user in the AWS CloudHSM cluster.
+ //
+ // * NETWORK_ERRORS - Network errors are preventing AWS KMS from connecting
+ // to the custom key store.
+ //
+ // * USER_LOCKED_OUT - The kmsuser CU account is locked out of the associated
+ // AWS CloudHSM cluster due to too many failed password attempts. Before
+ // you can connect your custom key store to its AWS CloudHSM cluster, you
+ // must change the kmsuser account password and update the password value
+ // for the custom key store.
+ //
+ // For help with connection failures, see Troubleshooting Custom Key Stores
+ // (http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
+ // in the AWS Key Management Service Developer Guide.
+ ConnectionErrorCode *string `type:"string" enum:"ConnectionErrorCodeType"`
+
+ // Indicates whether the custom key store is connected to its AWS CloudHSM cluster.
+ //
+ // You can create and use CMKs in your custom key stores only when its connection
+ // state is CONNECTED.
+ //
+ // The value is DISCONNECTED if the key store has never been connected or you
+ // use the DisconnectCustomKeyStore operation to disconnect it. If the value
+ // is CONNECTED but you are having trouble using the custom key store, make
+ // sure that its associated AWS CloudHSM cluster is active and contains at least
+ // one active HSM.
+ //
+ // A value of FAILED indicates that an attempt to connect was unsuccessful.
+ // For help resolving a connection failure, see Troubleshooting a Custom Key
+ // Store (http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
+ // in the AWS Key Management Service Developer Guide.
+ ConnectionState *string `type:"string" enum:"ConnectionStateType"`
+
+ // The date and time when the custom key store was created.
+ CreationDate *time.Time `type:"timestamp"`
+
+ // A unique identifier for the custom key store.
+ CustomKeyStoreId *string `min:"1" type:"string"`
+
+ // The user-specified friendly name for the custom key store.
+ CustomKeyStoreName *string `min:"1" type:"string"`
+
+ // The trust anchor certificate of the associated AWS CloudHSM cluster. When
+ // you initialize the cluster (http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
+ // you create this certificate and save it in the customerCA.crt file.
+ TrustAnchorCertificate *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s CustomKeyStoresListEntry) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s CustomKeyStoresListEntry) GoString() string {
+ return s.String()
+}
+
+// SetCloudHsmClusterId sets the CloudHsmClusterId field's value.
+func (s *CustomKeyStoresListEntry) SetCloudHsmClusterId(v string) *CustomKeyStoresListEntry {
+ s.CloudHsmClusterId = &v
+ return s
+}
+
+// SetConnectionErrorCode sets the ConnectionErrorCode field's value.
+func (s *CustomKeyStoresListEntry) SetConnectionErrorCode(v string) *CustomKeyStoresListEntry {
+ s.ConnectionErrorCode = &v
+ return s
+}
+
+// SetConnectionState sets the ConnectionState field's value.
+func (s *CustomKeyStoresListEntry) SetConnectionState(v string) *CustomKeyStoresListEntry {
+ s.ConnectionState = &v
+ return s
+}
+
+// SetCreationDate sets the CreationDate field's value.
+func (s *CustomKeyStoresListEntry) SetCreationDate(v time.Time) *CustomKeyStoresListEntry {
+ s.CreationDate = &v
+ return s
+}
+
+// SetCustomKeyStoreId sets the CustomKeyStoreId field's value.
+func (s *CustomKeyStoresListEntry) SetCustomKeyStoreId(v string) *CustomKeyStoresListEntry {
+ s.CustomKeyStoreId = &v
+ return s
+}
+
+// SetCustomKeyStoreName sets the CustomKeyStoreName field's value.
+func (s *CustomKeyStoresListEntry) SetCustomKeyStoreName(v string) *CustomKeyStoresListEntry {
+ s.CustomKeyStoreName = &v
+ return s
+}
+
+// SetTrustAnchorCertificate sets the TrustAnchorCertificate field's value.
+func (s *CustomKeyStoresListEntry) SetTrustAnchorCertificate(v string) *CustomKeyStoresListEntry {
+ s.TrustAnchorCertificate = &v
+ return s
+}
+
+type DecryptInput struct {
+ _ struct{} `type:"structure"`
+
+ // Ciphertext to be decrypted. The blob includes metadata.
+ //
+ // CiphertextBlob is automatically base64 encoded/decoded by the SDK.
+ //
+ // CiphertextBlob is a required field
+ CiphertextBlob []byte `min:"1" type:"blob" required:"true"`
+
+ // The encryption context. If this was specified in the Encrypt function, it
+ // must be specified here or the decryption operation will fail. For more information,
+ // see Encryption Context (http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html).
+ EncryptionContext map[string]*string `type:"map"`
+
+ // A list of grant tokens.
+ //
+ // For more information, see Grant Tokens (http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
+ // in the AWS Key Management Service Developer Guide.
+ GrantTokens []*string `type:"list"`
+}
+
+// String returns the string representation
+func (s DecryptInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DecryptInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DecryptInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "DecryptInput"}
+ if s.CiphertextBlob == nil {
+ invalidParams.Add(request.NewErrParamRequired("CiphertextBlob"))
+ }
+ if s.CiphertextBlob != nil && len(s.CiphertextBlob) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("CiphertextBlob", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetCiphertextBlob sets the CiphertextBlob field's value.
+func (s *DecryptInput) SetCiphertextBlob(v []byte) *DecryptInput {
+ s.CiphertextBlob = v
+ return s
+}
+
+// SetEncryptionContext sets the EncryptionContext field's value.
+func (s *DecryptInput) SetEncryptionContext(v map[string]*string) *DecryptInput {
+ s.EncryptionContext = v
+ return s
+}
+
+// SetGrantTokens sets the GrantTokens field's value.
+func (s *DecryptInput) SetGrantTokens(v []*string) *DecryptInput {
+ s.GrantTokens = v
+ return s
+}
+
+type DecryptOutput struct {
+ _ struct{} `type:"structure"`
+
+ // ARN of the key used to perform the decryption. This value is returned if
+ // no errors are encountered during the operation.
+ KeyId *string `min:"1" type:"string"`
+
+ // Decrypted plaintext data. When you use the HTTP API or the AWS CLI, the value
+ // is Base64-encdoded. Otherwise, it is not encoded.
+ //
+ // Plaintext is automatically base64 encoded/decoded by the SDK.
+ Plaintext []byte `min:"1" type:"blob" sensitive:"true"`
+}
+
+// String returns the string representation
+func (s DecryptOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DecryptOutput) GoString() string {
+ return s.String()
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *DecryptOutput) SetKeyId(v string) *DecryptOutput {
+ s.KeyId = &v
+ return s
+}
+
+// SetPlaintext sets the Plaintext field's value.
+func (s *DecryptOutput) SetPlaintext(v []byte) *DecryptOutput {
+ s.Plaintext = v
+ return s
+}
+
+type DeleteAliasInput struct {
+ _ struct{} `type:"structure"`
+
+ // The alias to be deleted. The name must start with the word "alias" followed
+ // by a forward slash (alias/). Aliases that begin with "alias/aws" are reserved.
+ //
+ // AliasName is a required field
+ AliasName *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s DeleteAliasInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DeleteAliasInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DeleteAliasInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "DeleteAliasInput"}
+ if s.AliasName == nil {
+ invalidParams.Add(request.NewErrParamRequired("AliasName"))
+ }
+ if s.AliasName != nil && len(*s.AliasName) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("AliasName", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetAliasName sets the AliasName field's value.
+func (s *DeleteAliasInput) SetAliasName(v string) *DeleteAliasInput {
+ s.AliasName = &v
+ return s
+}
+
+type DeleteAliasOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s DeleteAliasOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DeleteAliasOutput) GoString() string {
+ return s.String()
+}
+
+type DeleteCustomKeyStoreInput struct {
+ _ struct{} `type:"structure"`
+
+ // Enter the ID of the custom key store you want to delete. To find the ID of
+ // a custom key store, use the DescribeCustomKeyStores operation.
+ //
+ // CustomKeyStoreId is a required field
+ CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s DeleteCustomKeyStoreInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DeleteCustomKeyStoreInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DeleteCustomKeyStoreInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "DeleteCustomKeyStoreInput"}
+ if s.CustomKeyStoreId == nil {
+ invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreId"))
+ }
+ if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetCustomKeyStoreId sets the CustomKeyStoreId field's value.
+func (s *DeleteCustomKeyStoreInput) SetCustomKeyStoreId(v string) *DeleteCustomKeyStoreInput {
+ s.CustomKeyStoreId = &v
+ return s
+}
+
+type DeleteCustomKeyStoreOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s DeleteCustomKeyStoreOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DeleteCustomKeyStoreOutput) GoString() string {
+ return s.String()
+}
+
+type DeleteImportedKeyMaterialInput struct {
+ _ struct{} `type:"structure"`
+
+ // The identifier of the CMK whose key material to delete. The CMK's Origin
+ // must be EXTERNAL.
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s DeleteImportedKeyMaterialInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DeleteImportedKeyMaterialInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DeleteImportedKeyMaterialInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "DeleteImportedKeyMaterialInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *DeleteImportedKeyMaterialInput) SetKeyId(v string) *DeleteImportedKeyMaterialInput {
+ s.KeyId = &v
+ return s
+}
+
+type DeleteImportedKeyMaterialOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s DeleteImportedKeyMaterialOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DeleteImportedKeyMaterialOutput) GoString() string {
+ return s.String()
+}
+
+type DescribeCustomKeyStoresInput struct {
+ _ struct{} `type:"structure"`
+
+ // Gets only information about the specified custom key store. Enter the key
+ // store ID.
+ //
+ // By default, this operation gets information about all custom key stores in
+ // the account and region. To limit the output to a particular custom key store,
+ // you can use either the CustomKeyStoreId or CustomKeyStoreName parameter,
+ // but not both.
+ CustomKeyStoreId *string `min:"1" type:"string"`
+
+ // Gets only information about the specified custom key store. Enter the friendly
+ // name of the custom key store.
+ //
+ // By default, this operation gets information about all custom key stores in
+ // the account and region. To limit the output to a particular custom key store,
+ // you can use either the CustomKeyStoreId or CustomKeyStoreName parameter,
+ // but not both.
+ CustomKeyStoreName *string `min:"1" type:"string"`
+
+ // Use this parameter to specify the maximum number of items to return. When
+ // this value is present, AWS KMS does not return more than the specified number
+ // of items, but it might return fewer.
+ Limit *int64 `min:"1" type:"integer"`
+
+ // Use this parameter in a subsequent request after you receive a response with
+ // truncated results. Set it to the value of NextMarker from the truncated response
+ // you just received.
+ Marker *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s DescribeCustomKeyStoresInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DescribeCustomKeyStoresInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DescribeCustomKeyStoresInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "DescribeCustomKeyStoresInput"}
+ if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
+ }
+ if s.CustomKeyStoreName != nil && len(*s.CustomKeyStoreName) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreName", 1))
+ }
+ if s.Limit != nil && *s.Limit < 1 {
+ invalidParams.Add(request.NewErrParamMinValue("Limit", 1))
+ }
+ if s.Marker != nil && len(*s.Marker) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("Marker", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetCustomKeyStoreId sets the CustomKeyStoreId field's value.
+func (s *DescribeCustomKeyStoresInput) SetCustomKeyStoreId(v string) *DescribeCustomKeyStoresInput {
+ s.CustomKeyStoreId = &v
+ return s
+}
+
+// SetCustomKeyStoreName sets the CustomKeyStoreName field's value.
+func (s *DescribeCustomKeyStoresInput) SetCustomKeyStoreName(v string) *DescribeCustomKeyStoresInput {
+ s.CustomKeyStoreName = &v
+ return s
+}
+
+// SetLimit sets the Limit field's value.
+func (s *DescribeCustomKeyStoresInput) SetLimit(v int64) *DescribeCustomKeyStoresInput {
+ s.Limit = &v
+ return s
+}
+
+// SetMarker sets the Marker field's value.
+func (s *DescribeCustomKeyStoresInput) SetMarker(v string) *DescribeCustomKeyStoresInput {
+ s.Marker = &v
+ return s
+}
+
+type DescribeCustomKeyStoresOutput struct {
+ _ struct{} `type:"structure"`
+
+ // Contains metadata about each custom key store.
+ CustomKeyStores []*CustomKeyStoresListEntry `type:"list"`
+
+ // When Truncated is true, this element is present and contains the value to
+ // use for the Marker parameter in a subsequent request.
+ NextMarker *string `min:"1" type:"string"`
+
+ // A flag that indicates whether there are more items in the list. When this
+ // value is true, the list in this response is truncated. To get more items,
+ // pass the value of the NextMarker element in this response to the Marker parameter
+ // in a subsequent request.
+ Truncated *bool `type:"boolean"`
+}
+
+// String returns the string representation
+func (s DescribeCustomKeyStoresOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DescribeCustomKeyStoresOutput) GoString() string {
+ return s.String()
+}
+
+// SetCustomKeyStores sets the CustomKeyStores field's value.
+func (s *DescribeCustomKeyStoresOutput) SetCustomKeyStores(v []*CustomKeyStoresListEntry) *DescribeCustomKeyStoresOutput {
+ s.CustomKeyStores = v
+ return s
+}
+
+// SetNextMarker sets the NextMarker field's value.
+func (s *DescribeCustomKeyStoresOutput) SetNextMarker(v string) *DescribeCustomKeyStoresOutput {
+ s.NextMarker = &v
+ return s
+}
+
+// SetTruncated sets the Truncated field's value.
+func (s *DescribeCustomKeyStoresOutput) SetTruncated(v bool) *DescribeCustomKeyStoresOutput {
+ s.Truncated = &v
+ return s
+}
+
+type DescribeKeyInput struct {
+ _ struct{} `type:"structure"`
+
+ // A list of grant tokens.
+ //
+ // For more information, see Grant Tokens (http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
+ // in the AWS Key Management Service Developer Guide.
+ GrantTokens []*string `type:"list"`
+
+ // Describes the specified customer master key (CMK).
+ //
+ // If you specify a predefined AWS alias (an AWS alias with no key ID), KMS
+ // associates the alias with an AWS managed CMK (http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys)
+ // and returns its KeyId and Arn in the response.
+ //
+ // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
+ // or alias ARN. When using an alias name, prefix it with "alias/". To specify
+ // a CMK in a different AWS account, you must use the key ARN or alias ARN.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Alias name: alias/ExampleAlias
+ //
+ // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
+ // get the alias name and alias ARN, use ListAliases.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s DescribeKeyInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DescribeKeyInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DescribeKeyInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "DescribeKeyInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetGrantTokens sets the GrantTokens field's value.
+func (s *DescribeKeyInput) SetGrantTokens(v []*string) *DescribeKeyInput {
+ s.GrantTokens = v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *DescribeKeyInput) SetKeyId(v string) *DescribeKeyInput {
+ s.KeyId = &v
+ return s
+}
+
+type DescribeKeyOutput struct {
+ _ struct{} `type:"structure"`
+
+ // Metadata associated with the key.
+ KeyMetadata *KeyMetadata `type:"structure"`
+}
+
+// String returns the string representation
+func (s DescribeKeyOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DescribeKeyOutput) GoString() string {
+ return s.String()
+}
+
+// SetKeyMetadata sets the KeyMetadata field's value.
+func (s *DescribeKeyOutput) SetKeyMetadata(v *KeyMetadata) *DescribeKeyOutput {
+ s.KeyMetadata = v
+ return s
+}
+
+type DisableKeyInput struct {
+ _ struct{} `type:"structure"`
+
+ // A unique identifier for the customer master key (CMK).
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s DisableKeyInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DisableKeyInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DisableKeyInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "DisableKeyInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *DisableKeyInput) SetKeyId(v string) *DisableKeyInput {
+ s.KeyId = &v
+ return s
+}
+
+type DisableKeyOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s DisableKeyOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DisableKeyOutput) GoString() string {
+ return s.String()
+}
+
+type DisableKeyRotationInput struct {
+ _ struct{} `type:"structure"`
+
+ // A unique identifier for the customer master key (CMK).
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s DisableKeyRotationInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DisableKeyRotationInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DisableKeyRotationInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "DisableKeyRotationInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *DisableKeyRotationInput) SetKeyId(v string) *DisableKeyRotationInput {
+ s.KeyId = &v
+ return s
+}
+
+type DisableKeyRotationOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s DisableKeyRotationOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DisableKeyRotationOutput) GoString() string {
+ return s.String()
+}
+
+type DisconnectCustomKeyStoreInput struct {
+ _ struct{} `type:"structure"`
+
+ // Enter the ID of the custom key store you want to disconnect. To find the
+ // ID of a custom key store, use the DescribeCustomKeyStores operation.
+ //
+ // CustomKeyStoreId is a required field
+ CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s DisconnectCustomKeyStoreInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DisconnectCustomKeyStoreInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DisconnectCustomKeyStoreInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "DisconnectCustomKeyStoreInput"}
+ if s.CustomKeyStoreId == nil {
+ invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreId"))
+ }
+ if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetCustomKeyStoreId sets the CustomKeyStoreId field's value.
+func (s *DisconnectCustomKeyStoreInput) SetCustomKeyStoreId(v string) *DisconnectCustomKeyStoreInput {
+ s.CustomKeyStoreId = &v
+ return s
+}
+
+type DisconnectCustomKeyStoreOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s DisconnectCustomKeyStoreOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s DisconnectCustomKeyStoreOutput) GoString() string {
+ return s.String()
+}
+
+type EnableKeyInput struct {
+ _ struct{} `type:"structure"`
+
+ // A unique identifier for the customer master key (CMK).
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s EnableKeyInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s EnableKeyInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *EnableKeyInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "EnableKeyInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *EnableKeyInput) SetKeyId(v string) *EnableKeyInput {
+ s.KeyId = &v
+ return s
+}
+
+type EnableKeyOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s EnableKeyOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s EnableKeyOutput) GoString() string {
+ return s.String()
+}
+
+type EnableKeyRotationInput struct {
+ _ struct{} `type:"structure"`
+
+ // A unique identifier for the customer master key (CMK).
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s EnableKeyRotationInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s EnableKeyRotationInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *EnableKeyRotationInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "EnableKeyRotationInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *EnableKeyRotationInput) SetKeyId(v string) *EnableKeyRotationInput {
+ s.KeyId = &v
+ return s
+}
+
+type EnableKeyRotationOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s EnableKeyRotationOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s EnableKeyRotationOutput) GoString() string {
+ return s.String()
+}
+
+type EncryptInput struct {
+ _ struct{} `type:"structure"`
+
+ // Name-value pair that specifies the encryption context to be used for authenticated
+ // encryption. If used here, the same value must be supplied to the Decrypt
+ // API or decryption will fail. For more information, see Encryption Context
+ // (http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html).
+ EncryptionContext map[string]*string `type:"map"`
+
+ // A list of grant tokens.
+ //
+ // For more information, see Grant Tokens (http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
+ // in the AWS Key Management Service Developer Guide.
+ GrantTokens []*string `type:"list"`
+
+ // A unique identifier for the customer master key (CMK).
+ //
+ // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
+ // or alias ARN. When using an alias name, prefix it with "alias/". To specify
+ // a CMK in a different AWS account, you must use the key ARN or alias ARN.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Alias name: alias/ExampleAlias
+ //
+ // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
+ // get the alias name and alias ARN, use ListAliases.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+
+ // Data to be encrypted.
+ //
+ // Plaintext is automatically base64 encoded/decoded by the SDK.
+ //
+ // Plaintext is a required field
+ Plaintext []byte `min:"1" type:"blob" required:"true" sensitive:"true"`
+}
+
+// String returns the string representation
+func (s EncryptInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s EncryptInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *EncryptInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "EncryptInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+ if s.Plaintext == nil {
+ invalidParams.Add(request.NewErrParamRequired("Plaintext"))
+ }
+ if s.Plaintext != nil && len(s.Plaintext) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("Plaintext", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetEncryptionContext sets the EncryptionContext field's value.
+func (s *EncryptInput) SetEncryptionContext(v map[string]*string) *EncryptInput {
+ s.EncryptionContext = v
+ return s
+}
+
+// SetGrantTokens sets the GrantTokens field's value.
+func (s *EncryptInput) SetGrantTokens(v []*string) *EncryptInput {
+ s.GrantTokens = v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *EncryptInput) SetKeyId(v string) *EncryptInput {
+ s.KeyId = &v
+ return s
+}
+
+// SetPlaintext sets the Plaintext field's value.
+func (s *EncryptInput) SetPlaintext(v []byte) *EncryptInput {
+ s.Plaintext = v
+ return s
+}
+
+type EncryptOutput struct {
+ _ struct{} `type:"structure"`
+
+ // The encrypted plaintext. When you use the HTTP API or the AWS CLI, the value
+ // is Base64-encdoded. Otherwise, it is not encoded.
+ //
+ // CiphertextBlob is automatically base64 encoded/decoded by the SDK.
+ CiphertextBlob []byte `min:"1" type:"blob"`
+
+ // The ID of the key used during encryption.
+ KeyId *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s EncryptOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s EncryptOutput) GoString() string {
+ return s.String()
+}
+
+// SetCiphertextBlob sets the CiphertextBlob field's value.
+func (s *EncryptOutput) SetCiphertextBlob(v []byte) *EncryptOutput {
+ s.CiphertextBlob = v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *EncryptOutput) SetKeyId(v string) *EncryptOutput {
+ s.KeyId = &v
+ return s
+}
+
+type GenerateDataKeyInput struct {
+ _ struct{} `type:"structure"`
+
+ // A set of key-value pairs that represents additional authenticated data.
+ //
+ // For more information, see Encryption Context (http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html)
+ // in the AWS Key Management Service Developer Guide.
+ EncryptionContext map[string]*string `type:"map"`
+
+ // A list of grant tokens.
+ //
+ // For more information, see Grant Tokens (http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
+ // in the AWS Key Management Service Developer Guide.
+ GrantTokens []*string `type:"list"`
+
+ // The identifier of the CMK under which to generate and encrypt the data encryption
+ // key.
+ //
+ // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
+ // or alias ARN. When using an alias name, prefix it with "alias/". To specify
+ // a CMK in a different AWS account, you must use the key ARN or alias ARN.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Alias name: alias/ExampleAlias
+ //
+ // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
+ // get the alias name and alias ARN, use ListAliases.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+
+ // The length of the data encryption key. Use AES_128 to generate a 128-bit
+ // symmetric key, or AES_256 to generate a 256-bit symmetric key.
+ KeySpec *string `type:"string" enum:"DataKeySpec"`
+
+ // The length of the data encryption key in bytes. For example, use the value
+ // 64 to generate a 512-bit data key (64 bytes is 512 bits). For common key
+ // lengths (128-bit and 256-bit symmetric keys), we recommend that you use the
+ // KeySpec field instead of this one.
+ NumberOfBytes *int64 `min:"1" type:"integer"`
+}
+
+// String returns the string representation
+func (s GenerateDataKeyInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GenerateDataKeyInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *GenerateDataKeyInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "GenerateDataKeyInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+ if s.NumberOfBytes != nil && *s.NumberOfBytes < 1 {
+ invalidParams.Add(request.NewErrParamMinValue("NumberOfBytes", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetEncryptionContext sets the EncryptionContext field's value.
+func (s *GenerateDataKeyInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyInput {
+ s.EncryptionContext = v
+ return s
+}
+
+// SetGrantTokens sets the GrantTokens field's value.
+func (s *GenerateDataKeyInput) SetGrantTokens(v []*string) *GenerateDataKeyInput {
+ s.GrantTokens = v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *GenerateDataKeyInput) SetKeyId(v string) *GenerateDataKeyInput {
+ s.KeyId = &v
+ return s
+}
+
+// SetKeySpec sets the KeySpec field's value.
+func (s *GenerateDataKeyInput) SetKeySpec(v string) *GenerateDataKeyInput {
+ s.KeySpec = &v
+ return s
+}
+
+// SetNumberOfBytes sets the NumberOfBytes field's value.
+func (s *GenerateDataKeyInput) SetNumberOfBytes(v int64) *GenerateDataKeyInput {
+ s.NumberOfBytes = &v
+ return s
+}
+
+type GenerateDataKeyOutput struct {
+ _ struct{} `type:"structure"`
+
+ // The encrypted data encryption key. When you use the HTTP API or the AWS CLI,
+ // the value is Base64-encdoded. Otherwise, it is not encoded.
+ //
+ // CiphertextBlob is automatically base64 encoded/decoded by the SDK.
+ CiphertextBlob []byte `min:"1" type:"blob"`
+
+ // The identifier of the CMK under which the data encryption key was generated
+ // and encrypted.
+ KeyId *string `min:"1" type:"string"`
+
+ // The data encryption key. When you use the HTTP API or the AWS CLI, the value
+ // is Base64-encdoded. Otherwise, it is not encoded. Use this data key for local
+ // encryption and decryption, then remove it from memory as soon as possible.
+ //
+ // Plaintext is automatically base64 encoded/decoded by the SDK.
+ Plaintext []byte `min:"1" type:"blob" sensitive:"true"`
+}
+
+// String returns the string representation
+func (s GenerateDataKeyOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GenerateDataKeyOutput) GoString() string {
+ return s.String()
+}
+
+// SetCiphertextBlob sets the CiphertextBlob field's value.
+func (s *GenerateDataKeyOutput) SetCiphertextBlob(v []byte) *GenerateDataKeyOutput {
+ s.CiphertextBlob = v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *GenerateDataKeyOutput) SetKeyId(v string) *GenerateDataKeyOutput {
+ s.KeyId = &v
+ return s
+}
+
+// SetPlaintext sets the Plaintext field's value.
+func (s *GenerateDataKeyOutput) SetPlaintext(v []byte) *GenerateDataKeyOutput {
+ s.Plaintext = v
+ return s
+}
+
+type GenerateDataKeyWithoutPlaintextInput struct {
+ _ struct{} `type:"structure"`
+
+ // A set of key-value pairs that represents additional authenticated data.
+ //
+ // For more information, see Encryption Context (http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html)
+ // in the AWS Key Management Service Developer Guide.
+ EncryptionContext map[string]*string `type:"map"`
+
+ // A list of grant tokens.
+ //
+ // For more information, see Grant Tokens (http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
+ // in the AWS Key Management Service Developer Guide.
+ GrantTokens []*string `type:"list"`
+
+ // The identifier of the customer master key (CMK) under which to generate and
+ // encrypt the data encryption key.
+ //
+ // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
+ // or alias ARN. When using an alias name, prefix it with "alias/". To specify
+ // a CMK in a different AWS account, you must use the key ARN or alias ARN.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Alias name: alias/ExampleAlias
+ //
+ // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
+ // get the alias name and alias ARN, use ListAliases.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+
+ // The length of the data encryption key. Use AES_128 to generate a 128-bit
+ // symmetric key, or AES_256 to generate a 256-bit symmetric key.
+ KeySpec *string `type:"string" enum:"DataKeySpec"`
+
+ // The length of the data encryption key in bytes. For example, use the value
+ // 64 to generate a 512-bit data key (64 bytes is 512 bits). For common key
+ // lengths (128-bit and 256-bit symmetric keys), we recommend that you use the
+ // KeySpec field instead of this one.
+ NumberOfBytes *int64 `min:"1" type:"integer"`
+}
+
+// String returns the string representation
+func (s GenerateDataKeyWithoutPlaintextInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GenerateDataKeyWithoutPlaintextInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *GenerateDataKeyWithoutPlaintextInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "GenerateDataKeyWithoutPlaintextInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+ if s.NumberOfBytes != nil && *s.NumberOfBytes < 1 {
+ invalidParams.Add(request.NewErrParamMinValue("NumberOfBytes", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetEncryptionContext sets the EncryptionContext field's value.
+func (s *GenerateDataKeyWithoutPlaintextInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyWithoutPlaintextInput {
+ s.EncryptionContext = v
+ return s
+}
+
+// SetGrantTokens sets the GrantTokens field's value.
+func (s *GenerateDataKeyWithoutPlaintextInput) SetGrantTokens(v []*string) *GenerateDataKeyWithoutPlaintextInput {
+ s.GrantTokens = v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *GenerateDataKeyWithoutPlaintextInput) SetKeyId(v string) *GenerateDataKeyWithoutPlaintextInput {
+ s.KeyId = &v
+ return s
+}
+
+// SetKeySpec sets the KeySpec field's value.
+func (s *GenerateDataKeyWithoutPlaintextInput) SetKeySpec(v string) *GenerateDataKeyWithoutPlaintextInput {
+ s.KeySpec = &v
+ return s
+}
+
+// SetNumberOfBytes sets the NumberOfBytes field's value.
+func (s *GenerateDataKeyWithoutPlaintextInput) SetNumberOfBytes(v int64) *GenerateDataKeyWithoutPlaintextInput {
+ s.NumberOfBytes = &v
+ return s
+}
+
+type GenerateDataKeyWithoutPlaintextOutput struct {
+ _ struct{} `type:"structure"`
+
+ // The encrypted data encryption key. When you use the HTTP API or the AWS CLI,
+ // the value is Base64-encdoded. Otherwise, it is not encoded.
+ //
+ // CiphertextBlob is automatically base64 encoded/decoded by the SDK.
+ CiphertextBlob []byte `min:"1" type:"blob"`
+
+ // The identifier of the CMK under which the data encryption key was generated
+ // and encrypted.
+ KeyId *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s GenerateDataKeyWithoutPlaintextOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GenerateDataKeyWithoutPlaintextOutput) GoString() string {
+ return s.String()
+}
+
+// SetCiphertextBlob sets the CiphertextBlob field's value.
+func (s *GenerateDataKeyWithoutPlaintextOutput) SetCiphertextBlob(v []byte) *GenerateDataKeyWithoutPlaintextOutput {
+ s.CiphertextBlob = v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *GenerateDataKeyWithoutPlaintextOutput) SetKeyId(v string) *GenerateDataKeyWithoutPlaintextOutput {
+ s.KeyId = &v
+ return s
+}
+
+type GenerateRandomInput struct {
+ _ struct{} `type:"structure"`
+
+ // Generates the random byte string in the AWS CloudHSM cluster that is associated
+ // with the specified custom key store (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html).
+ // To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
+ CustomKeyStoreId *string `min:"1" type:"string"`
+
+ // The length of the byte string.
+ NumberOfBytes *int64 `min:"1" type:"integer"`
+}
+
+// String returns the string representation
+func (s GenerateRandomInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GenerateRandomInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *GenerateRandomInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "GenerateRandomInput"}
+ if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
+ }
+ if s.NumberOfBytes != nil && *s.NumberOfBytes < 1 {
+ invalidParams.Add(request.NewErrParamMinValue("NumberOfBytes", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetCustomKeyStoreId sets the CustomKeyStoreId field's value.
+func (s *GenerateRandomInput) SetCustomKeyStoreId(v string) *GenerateRandomInput {
+ s.CustomKeyStoreId = &v
+ return s
+}
+
+// SetNumberOfBytes sets the NumberOfBytes field's value.
+func (s *GenerateRandomInput) SetNumberOfBytes(v int64) *GenerateRandomInput {
+ s.NumberOfBytes = &v
+ return s
+}
+
+type GenerateRandomOutput struct {
+ _ struct{} `type:"structure"`
+
+ // The random byte string. When you use the HTTP API or the AWS CLI, the value
+ // is Base64-encdoded. Otherwise, it is not encoded.
+ //
+ // Plaintext is automatically base64 encoded/decoded by the SDK.
+ Plaintext []byte `min:"1" type:"blob" sensitive:"true"`
+}
+
+// String returns the string representation
+func (s GenerateRandomOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GenerateRandomOutput) GoString() string {
+ return s.String()
+}
+
+// SetPlaintext sets the Plaintext field's value.
+func (s *GenerateRandomOutput) SetPlaintext(v []byte) *GenerateRandomOutput {
+ s.Plaintext = v
+ return s
+}
+
+type GetKeyPolicyInput struct {
+ _ struct{} `type:"structure"`
+
+ // A unique identifier for the customer master key (CMK).
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+
+ // Specifies the name of the key policy. The only valid name is default. To
+ // get the names of key policies, use ListKeyPolicies.
+ //
+ // PolicyName is a required field
+ PolicyName *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s GetKeyPolicyInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetKeyPolicyInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *GetKeyPolicyInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "GetKeyPolicyInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+ if s.PolicyName == nil {
+ invalidParams.Add(request.NewErrParamRequired("PolicyName"))
+ }
+ if s.PolicyName != nil && len(*s.PolicyName) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("PolicyName", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *GetKeyPolicyInput) SetKeyId(v string) *GetKeyPolicyInput {
+ s.KeyId = &v
+ return s
+}
+
+// SetPolicyName sets the PolicyName field's value.
+func (s *GetKeyPolicyInput) SetPolicyName(v string) *GetKeyPolicyInput {
+ s.PolicyName = &v
+ return s
+}
+
+type GetKeyPolicyOutput struct {
+ _ struct{} `type:"structure"`
+
+ // A key policy document in JSON format.
+ Policy *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s GetKeyPolicyOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetKeyPolicyOutput) GoString() string {
+ return s.String()
+}
+
+// SetPolicy sets the Policy field's value.
+func (s *GetKeyPolicyOutput) SetPolicy(v string) *GetKeyPolicyOutput {
+ s.Policy = &v
+ return s
+}
+
+type GetKeyRotationStatusInput struct {
+ _ struct{} `type:"structure"`
+
+ // A unique identifier for the customer master key (CMK).
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify
+ // a CMK in a different AWS account, you must use the key ARN.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s GetKeyRotationStatusInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetKeyRotationStatusInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *GetKeyRotationStatusInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "GetKeyRotationStatusInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *GetKeyRotationStatusInput) SetKeyId(v string) *GetKeyRotationStatusInput {
+ s.KeyId = &v
+ return s
+}
+
+type GetKeyRotationStatusOutput struct {
+ _ struct{} `type:"structure"`
+
+ // A Boolean value that specifies whether key rotation is enabled.
+ KeyRotationEnabled *bool `type:"boolean"`
+}
+
+// String returns the string representation
+func (s GetKeyRotationStatusOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetKeyRotationStatusOutput) GoString() string {
+ return s.String()
+}
+
+// SetKeyRotationEnabled sets the KeyRotationEnabled field's value.
+func (s *GetKeyRotationStatusOutput) SetKeyRotationEnabled(v bool) *GetKeyRotationStatusOutput {
+ s.KeyRotationEnabled = &v
+ return s
+}
+
+type GetParametersForImportInput struct {
+ _ struct{} `type:"structure"`
+
+ // The identifier of the CMK into which you will import key material. The CMK's
+ // Origin must be EXTERNAL.
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+
+ // The algorithm you will use to encrypt the key material before importing it
+ // with ImportKeyMaterial. For more information, see Encrypt the Key Material
+ // (http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html)
+ // in the AWS Key Management Service Developer Guide.
+ //
+ // WrappingAlgorithm is a required field
+ WrappingAlgorithm *string `type:"string" required:"true" enum:"AlgorithmSpec"`
+
+ // The type of wrapping key (public key) to return in the response. Only 2048-bit
+ // RSA public keys are supported.
+ //
+ // WrappingKeySpec is a required field
+ WrappingKeySpec *string `type:"string" required:"true" enum:"WrappingKeySpec"`
+}
+
+// String returns the string representation
+func (s GetParametersForImportInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetParametersForImportInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *GetParametersForImportInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "GetParametersForImportInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+ if s.WrappingAlgorithm == nil {
+ invalidParams.Add(request.NewErrParamRequired("WrappingAlgorithm"))
+ }
+ if s.WrappingKeySpec == nil {
+ invalidParams.Add(request.NewErrParamRequired("WrappingKeySpec"))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *GetParametersForImportInput) SetKeyId(v string) *GetParametersForImportInput {
+ s.KeyId = &v
+ return s
+}
+
+// SetWrappingAlgorithm sets the WrappingAlgorithm field's value.
+func (s *GetParametersForImportInput) SetWrappingAlgorithm(v string) *GetParametersForImportInput {
+ s.WrappingAlgorithm = &v
+ return s
+}
+
+// SetWrappingKeySpec sets the WrappingKeySpec field's value.
+func (s *GetParametersForImportInput) SetWrappingKeySpec(v string) *GetParametersForImportInput {
+ s.WrappingKeySpec = &v
+ return s
+}
+
+type GetParametersForImportOutput struct {
+ _ struct{} `type:"structure"`
+
+ // The import token to send in a subsequent ImportKeyMaterial request.
+ //
+ // ImportToken is automatically base64 encoded/decoded by the SDK.
+ ImportToken []byte `min:"1" type:"blob"`
+
+ // The identifier of the CMK to use in a subsequent ImportKeyMaterial request.
+ // This is the same CMK specified in the GetParametersForImport request.
+ KeyId *string `min:"1" type:"string"`
+
+ // The time at which the import token and public key are no longer valid. After
+ // this time, you cannot use them to make an ImportKeyMaterial request and you
+ // must send another GetParametersForImport request to get new ones.
+ ParametersValidTo *time.Time `type:"timestamp"`
+
+ // The public key to use to encrypt the key material before importing it with
+ // ImportKeyMaterial.
+ //
+ // PublicKey is automatically base64 encoded/decoded by the SDK.
+ PublicKey []byte `min:"1" type:"blob" sensitive:"true"`
+}
+
+// String returns the string representation
+func (s GetParametersForImportOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetParametersForImportOutput) GoString() string {
+ return s.String()
+}
+
+// SetImportToken sets the ImportToken field's value.
+func (s *GetParametersForImportOutput) SetImportToken(v []byte) *GetParametersForImportOutput {
+ s.ImportToken = v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *GetParametersForImportOutput) SetKeyId(v string) *GetParametersForImportOutput {
+ s.KeyId = &v
+ return s
+}
+
+// SetParametersValidTo sets the ParametersValidTo field's value.
+func (s *GetParametersForImportOutput) SetParametersValidTo(v time.Time) *GetParametersForImportOutput {
+ s.ParametersValidTo = &v
+ return s
+}
+
+// SetPublicKey sets the PublicKey field's value.
+func (s *GetParametersForImportOutput) SetPublicKey(v []byte) *GetParametersForImportOutput {
+ s.PublicKey = v
+ return s
+}
+
+// A structure that you can use to allow certain operations in the grant only
+// when the desired encryption context is present. For more information about
+// encryption context, see Encryption Context (http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html)
+// in the AWS Key Management Service Developer Guide.
+//
+// Grant constraints apply only to operations that accept encryption context
+// as input. For example, the DescribeKey operation does not accept encryption
+// context as input. A grant that allows the DescribeKey operation does so regardless
+// of the grant constraints. In constrast, the Encrypt operation accepts encryption
+// context as input. A grant that allows the Encrypt operation does so only
+// when the encryption context of the Encrypt operation satisfies the grant
+// constraints.
+type GrantConstraints struct {
+ _ struct{} `type:"structure"`
+
+ // A list of key-value pairs that must be present in the encryption context
+ // of certain subsequent operations that the grant allows. When certain subsequent
+ // operations allowed by the grant include encryption context that matches this
+ // list, the grant allows the operation. Otherwise, the grant does not allow
+ // the operation.
+ EncryptionContextEquals map[string]*string `type:"map"`
+
+ // A list of key-value pairs, all of which must be present in the encryption
+ // context of certain subsequent operations that the grant allows. When certain
+ // subsequent operations allowed by the grant include encryption context that
+ // matches this list or is a superset of this list, the grant allows the operation.
+ // Otherwise, the grant does not allow the operation.
+ EncryptionContextSubset map[string]*string `type:"map"`
+}
+
+// String returns the string representation
+func (s GrantConstraints) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GrantConstraints) GoString() string {
+ return s.String()
+}
+
+// SetEncryptionContextEquals sets the EncryptionContextEquals field's value.
+func (s *GrantConstraints) SetEncryptionContextEquals(v map[string]*string) *GrantConstraints {
+ s.EncryptionContextEquals = v
+ return s
+}
+
+// SetEncryptionContextSubset sets the EncryptionContextSubset field's value.
+func (s *GrantConstraints) SetEncryptionContextSubset(v map[string]*string) *GrantConstraints {
+ s.EncryptionContextSubset = v
+ return s
+}
+
+// Contains information about an entry in a list of grants.
+type GrantListEntry struct {
+ _ struct{} `type:"structure"`
+
+ // A list of key-value pairs that must be present in the encryption context
+ // of certain subsequent operations that the grant allows.
+ Constraints *GrantConstraints `type:"structure"`
+
+ // The date and time when the grant was created.
+ CreationDate *time.Time `type:"timestamp"`
+
+ // The unique identifier for the grant.
+ GrantId *string `min:"1" type:"string"`
+
+ // The principal that receives the grant's permissions.
+ GranteePrincipal *string `min:"1" type:"string"`
+
+ // The AWS account under which the grant was issued.
+ IssuingAccount *string `min:"1" type:"string"`
+
+ // The unique identifier for the customer master key (CMK) to which the grant
+ // applies.
+ KeyId *string `min:"1" type:"string"`
+
+ // The friendly name that identifies the grant. If a name was provided in the
+ // CreateGrant request, that name is returned. Otherwise this value is null.
+ Name *string `min:"1" type:"string"`
+
+ // The list of operations permitted by the grant.
+ Operations []*string `type:"list"`
+
+ // The principal that can retire the grant.
+ RetiringPrincipal *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s GrantListEntry) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GrantListEntry) GoString() string {
+ return s.String()
+}
+
+// SetConstraints sets the Constraints field's value.
+func (s *GrantListEntry) SetConstraints(v *GrantConstraints) *GrantListEntry {
+ s.Constraints = v
+ return s
+}
+
+// SetCreationDate sets the CreationDate field's value.
+func (s *GrantListEntry) SetCreationDate(v time.Time) *GrantListEntry {
+ s.CreationDate = &v
+ return s
+}
+
+// SetGrantId sets the GrantId field's value.
+func (s *GrantListEntry) SetGrantId(v string) *GrantListEntry {
+ s.GrantId = &v
+ return s
+}
+
+// SetGranteePrincipal sets the GranteePrincipal field's value.
+func (s *GrantListEntry) SetGranteePrincipal(v string) *GrantListEntry {
+ s.GranteePrincipal = &v
+ return s
+}
+
+// SetIssuingAccount sets the IssuingAccount field's value.
+func (s *GrantListEntry) SetIssuingAccount(v string) *GrantListEntry {
+ s.IssuingAccount = &v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *GrantListEntry) SetKeyId(v string) *GrantListEntry {
+ s.KeyId = &v
+ return s
+}
+
+// SetName sets the Name field's value.
+func (s *GrantListEntry) SetName(v string) *GrantListEntry {
+ s.Name = &v
+ return s
+}
+
+// SetOperations sets the Operations field's value.
+func (s *GrantListEntry) SetOperations(v []*string) *GrantListEntry {
+ s.Operations = v
+ return s
+}
+
+// SetRetiringPrincipal sets the RetiringPrincipal field's value.
+func (s *GrantListEntry) SetRetiringPrincipal(v string) *GrantListEntry {
+ s.RetiringPrincipal = &v
+ return s
+}
+
+type ImportKeyMaterialInput struct {
+ _ struct{} `type:"structure"`
+
+ // The encrypted key material to import. It must be encrypted with the public
+ // key that you received in the response to a previous GetParametersForImport
+ // request, using the wrapping algorithm that you specified in that request.
+ //
+ // EncryptedKeyMaterial is automatically base64 encoded/decoded by the SDK.
+ //
+ // EncryptedKeyMaterial is a required field
+ EncryptedKeyMaterial []byte `min:"1" type:"blob" required:"true"`
+
+ // Specifies whether the key material expires. The default is KEY_MATERIAL_EXPIRES,
+ // in which case you must include the ValidTo parameter. When this parameter
+ // is set to KEY_MATERIAL_DOES_NOT_EXPIRE, you must omit the ValidTo parameter.
+ ExpirationModel *string `type:"string" enum:"ExpirationModelType"`
+
+ // The import token that you received in the response to a previous GetParametersForImport
+ // request. It must be from the same response that contained the public key
+ // that you used to encrypt the key material.
+ //
+ // ImportToken is automatically base64 encoded/decoded by the SDK.
+ //
+ // ImportToken is a required field
+ ImportToken []byte `min:"1" type:"blob" required:"true"`
+
+ // The identifier of the CMK to import the key material into. The CMK's Origin
+ // must be EXTERNAL.
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+
+ // The time at which the imported key material expires. When the key material
+ // expires, AWS KMS deletes the key material and the CMK becomes unusable. You
+ // must omit this parameter when the ExpirationModel parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE.
+ // Otherwise it is required.
+ ValidTo *time.Time `type:"timestamp"`
+}
+
+// String returns the string representation
+func (s ImportKeyMaterialInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ImportKeyMaterialInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ImportKeyMaterialInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "ImportKeyMaterialInput"}
+ if s.EncryptedKeyMaterial == nil {
+ invalidParams.Add(request.NewErrParamRequired("EncryptedKeyMaterial"))
+ }
+ if s.EncryptedKeyMaterial != nil && len(s.EncryptedKeyMaterial) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("EncryptedKeyMaterial", 1))
+ }
+ if s.ImportToken == nil {
+ invalidParams.Add(request.NewErrParamRequired("ImportToken"))
+ }
+ if s.ImportToken != nil && len(s.ImportToken) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("ImportToken", 1))
+ }
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetEncryptedKeyMaterial sets the EncryptedKeyMaterial field's value.
+func (s *ImportKeyMaterialInput) SetEncryptedKeyMaterial(v []byte) *ImportKeyMaterialInput {
+ s.EncryptedKeyMaterial = v
+ return s
+}
+
+// SetExpirationModel sets the ExpirationModel field's value.
+func (s *ImportKeyMaterialInput) SetExpirationModel(v string) *ImportKeyMaterialInput {
+ s.ExpirationModel = &v
+ return s
+}
+
+// SetImportToken sets the ImportToken field's value.
+func (s *ImportKeyMaterialInput) SetImportToken(v []byte) *ImportKeyMaterialInput {
+ s.ImportToken = v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *ImportKeyMaterialInput) SetKeyId(v string) *ImportKeyMaterialInput {
+ s.KeyId = &v
+ return s
+}
+
+// SetValidTo sets the ValidTo field's value.
+func (s *ImportKeyMaterialInput) SetValidTo(v time.Time) *ImportKeyMaterialInput {
+ s.ValidTo = &v
+ return s
+}
+
+type ImportKeyMaterialOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s ImportKeyMaterialOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ImportKeyMaterialOutput) GoString() string {
+ return s.String()
+}
+
+// Contains information about each entry in the key list.
+type KeyListEntry struct {
+ _ struct{} `type:"structure"`
+
+ // ARN of the key.
+ KeyArn *string `min:"20" type:"string"`
+
+ // Unique identifier of the key.
+ KeyId *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s KeyListEntry) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s KeyListEntry) GoString() string {
+ return s.String()
+}
+
+// SetKeyArn sets the KeyArn field's value.
+func (s *KeyListEntry) SetKeyArn(v string) *KeyListEntry {
+ s.KeyArn = &v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *KeyListEntry) SetKeyId(v string) *KeyListEntry {
+ s.KeyId = &v
+ return s
+}
+
+// Contains metadata about a customer master key (CMK).
+//
+// This data type is used as a response element for the CreateKey and DescribeKey
+// operations.
+type KeyMetadata struct {
+ _ struct{} `type:"structure"`
+
+ // The twelve-digit account ID of the AWS account that owns the CMK.
+ AWSAccountId *string `type:"string"`
+
+ // The Amazon Resource Name (ARN) of the CMK. For examples, see AWS Key Management
+ // Service (AWS KMS) (http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms)
+ // in the Example ARNs section of the AWS General Reference.
+ Arn *string `min:"20" type:"string"`
+
+ // The cluster ID of the AWS CloudHSM cluster that contains the key material
+ // for the CMK. When you create a CMK in a custom key store (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html),
+ // AWS KMS creates the key material for the CMK in the associated AWS CloudHSM
+ // cluster. This value is present only when the CMK is created in a custom key
+ // store.
+ CloudHsmClusterId *string `min:"19" type:"string"`
+
+ // The date and time when the CMK was created.
+ CreationDate *time.Time `type:"timestamp"`
+
+ // A unique identifier for the custom key store (http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html)
+ // that contains the CMK. This value is present only when the CMK is created
+ // in a custom key store.
+ CustomKeyStoreId *string `min:"1" type:"string"`
+
+ // The date and time after which AWS KMS deletes the CMK. This value is present
+ // only when KeyState is PendingDeletion.
+ DeletionDate *time.Time `type:"timestamp"`
+
+ // The description of the CMK.
+ Description *string `type:"string"`
+
+ // Specifies whether the CMK is enabled. When KeyState is Enabled this value
+ // is true, otherwise it is false.
+ Enabled *bool `type:"boolean"`
+
+ // Specifies whether the CMK's key material expires. This value is present only
+ // when Origin is EXTERNAL, otherwise this value is omitted.
+ ExpirationModel *string `type:"string" enum:"ExpirationModelType"`
+
+ // The globally unique identifier for the CMK.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+
+ // The CMK's manager. CMKs are either customer-managed or AWS-managed. For more
+ // information about the difference, see Customer Master Keys (http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys)
+ // in the AWS Key Management Service Developer Guide.
+ KeyManager *string `type:"string" enum:"KeyManagerType"`
+
+ // The state of the CMK.
+ //
+ // For more information about how key state affects the use of a CMK, see How
+ // Key State Affects the Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+ // in the AWS Key Management Service Developer Guide.
+ KeyState *string `type:"string" enum:"KeyState"`
+
+ // The cryptographic operations for which you can use the CMK. Currently the
+ // only allowed value is ENCRYPT_DECRYPT, which means you can use the CMK for
+ // the Encrypt and Decrypt operations.
+ KeyUsage *string `type:"string" enum:"KeyUsageType"`
+
+ // The source of the CMK's key material. When this value is AWS_KMS, AWS KMS
+ // created the key material. When this value is EXTERNAL, the key material was
+ // imported from your existing key management infrastructure or the CMK lacks
+ // key material. When this value is AWS_CLOUDHSM, the key material was created
+ // in the AWS CloudHSM cluster associated with a custom key store.
+ Origin *string `type:"string" enum:"OriginType"`
+
+ // The time at which the imported key material expires. When the key material
+ // expires, AWS KMS deletes the key material and the CMK becomes unusable. This
+ // value is present only for CMKs whose Origin is EXTERNAL and whose ExpirationModel
+ // is KEY_MATERIAL_EXPIRES, otherwise this value is omitted.
+ ValidTo *time.Time `type:"timestamp"`
+}
+
+// String returns the string representation
+func (s KeyMetadata) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s KeyMetadata) GoString() string {
+ return s.String()
+}
+
+// SetAWSAccountId sets the AWSAccountId field's value.
+func (s *KeyMetadata) SetAWSAccountId(v string) *KeyMetadata {
+ s.AWSAccountId = &v
+ return s
+}
+
+// SetArn sets the Arn field's value.
+func (s *KeyMetadata) SetArn(v string) *KeyMetadata {
+ s.Arn = &v
+ return s
+}
+
+// SetCloudHsmClusterId sets the CloudHsmClusterId field's value.
+func (s *KeyMetadata) SetCloudHsmClusterId(v string) *KeyMetadata {
+ s.CloudHsmClusterId = &v
+ return s
+}
+
+// SetCreationDate sets the CreationDate field's value.
+func (s *KeyMetadata) SetCreationDate(v time.Time) *KeyMetadata {
+ s.CreationDate = &v
+ return s
+}
+
+// SetCustomKeyStoreId sets the CustomKeyStoreId field's value.
+func (s *KeyMetadata) SetCustomKeyStoreId(v string) *KeyMetadata {
+ s.CustomKeyStoreId = &v
+ return s
+}
+
+// SetDeletionDate sets the DeletionDate field's value.
+func (s *KeyMetadata) SetDeletionDate(v time.Time) *KeyMetadata {
+ s.DeletionDate = &v
+ return s
+}
+
+// SetDescription sets the Description field's value.
+func (s *KeyMetadata) SetDescription(v string) *KeyMetadata {
+ s.Description = &v
+ return s
+}
+
+// SetEnabled sets the Enabled field's value.
+func (s *KeyMetadata) SetEnabled(v bool) *KeyMetadata {
+ s.Enabled = &v
+ return s
+}
+
+// SetExpirationModel sets the ExpirationModel field's value.
+func (s *KeyMetadata) SetExpirationModel(v string) *KeyMetadata {
+ s.ExpirationModel = &v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *KeyMetadata) SetKeyId(v string) *KeyMetadata {
+ s.KeyId = &v
+ return s
+}
+
+// SetKeyManager sets the KeyManager field's value.
+func (s *KeyMetadata) SetKeyManager(v string) *KeyMetadata {
+ s.KeyManager = &v
+ return s
+}
+
+// SetKeyState sets the KeyState field's value.
+func (s *KeyMetadata) SetKeyState(v string) *KeyMetadata {
+ s.KeyState = &v
+ return s
+}
+
+// SetKeyUsage sets the KeyUsage field's value.
+func (s *KeyMetadata) SetKeyUsage(v string) *KeyMetadata {
+ s.KeyUsage = &v
+ return s
+}
+
+// SetOrigin sets the Origin field's value.
+func (s *KeyMetadata) SetOrigin(v string) *KeyMetadata {
+ s.Origin = &v
+ return s
+}
+
+// SetValidTo sets the ValidTo field's value.
+func (s *KeyMetadata) SetValidTo(v time.Time) *KeyMetadata {
+ s.ValidTo = &v
+ return s
+}
+
+type ListAliasesInput struct {
+ _ struct{} `type:"structure"`
+
+ // Lists only aliases that refer to the specified CMK. The value of this parameter
+ // can be the ID or Amazon Resource Name (ARN) of a CMK in the caller's account
+ // and region. You cannot use an alias name or alias ARN in this value.
+ //
+ // This parameter is optional. If you omit it, ListAliases returns all aliases
+ // in the account and region.
+ KeyId *string `min:"1" type:"string"`
+
+ // Use this parameter to specify the maximum number of items to return. When
+ // this value is present, AWS KMS does not return more than the specified number
+ // of items, but it might return fewer.
+ //
+ // This value is optional. If you include a value, it must be between 1 and
+ // 100, inclusive. If you do not include a value, it defaults to 50.
+ Limit *int64 `min:"1" type:"integer"`
+
+ // Use this parameter in a subsequent request after you receive a response with
+ // truncated results. Set it to the value of NextMarker from the truncated response
+ // you just received.
+ Marker *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s ListAliasesInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListAliasesInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ListAliasesInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "ListAliasesInput"}
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+ if s.Limit != nil && *s.Limit < 1 {
+ invalidParams.Add(request.NewErrParamMinValue("Limit", 1))
+ }
+ if s.Marker != nil && len(*s.Marker) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("Marker", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *ListAliasesInput) SetKeyId(v string) *ListAliasesInput {
+ s.KeyId = &v
+ return s
+}
+
+// SetLimit sets the Limit field's value.
+func (s *ListAliasesInput) SetLimit(v int64) *ListAliasesInput {
+ s.Limit = &v
+ return s
+}
+
+// SetMarker sets the Marker field's value.
+func (s *ListAliasesInput) SetMarker(v string) *ListAliasesInput {
+ s.Marker = &v
+ return s
+}
+
+type ListAliasesOutput struct {
+ _ struct{} `type:"structure"`
+
+ // A list of aliases.
+ Aliases []*AliasListEntry `type:"list"`
+
+ // When Truncated is true, this element is present and contains the value to
+ // use for the Marker parameter in a subsequent request.
+ NextMarker *string `min:"1" type:"string"`
+
+ // A flag that indicates whether there are more items in the list. When this
+ // value is true, the list in this response is truncated. To get more items,
+ // pass the value of the NextMarker element in this response to the Marker parameter
+ // in a subsequent request.
+ Truncated *bool `type:"boolean"`
+}
+
+// String returns the string representation
+func (s ListAliasesOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListAliasesOutput) GoString() string {
+ return s.String()
+}
+
+// SetAliases sets the Aliases field's value.
+func (s *ListAliasesOutput) SetAliases(v []*AliasListEntry) *ListAliasesOutput {
+ s.Aliases = v
+ return s
+}
+
+// SetNextMarker sets the NextMarker field's value.
+func (s *ListAliasesOutput) SetNextMarker(v string) *ListAliasesOutput {
+ s.NextMarker = &v
+ return s
+}
+
+// SetTruncated sets the Truncated field's value.
+func (s *ListAliasesOutput) SetTruncated(v bool) *ListAliasesOutput {
+ s.Truncated = &v
+ return s
+}
+
+type ListGrantsInput struct {
+ _ struct{} `type:"structure"`
+
+ // A unique identifier for the customer master key (CMK).
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify
+ // a CMK in a different AWS account, you must use the key ARN.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+
+ // Use this parameter to specify the maximum number of items to return. When
+ // this value is present, AWS KMS does not return more than the specified number
+ // of items, but it might return fewer.
+ //
+ // This value is optional. If you include a value, it must be between 1 and
+ // 100, inclusive. If you do not include a value, it defaults to 50.
+ Limit *int64 `min:"1" type:"integer"`
+
+ // Use this parameter in a subsequent request after you receive a response with
+ // truncated results. Set it to the value of NextMarker from the truncated response
+ // you just received.
+ Marker *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s ListGrantsInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListGrantsInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ListGrantsInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "ListGrantsInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+ if s.Limit != nil && *s.Limit < 1 {
+ invalidParams.Add(request.NewErrParamMinValue("Limit", 1))
+ }
+ if s.Marker != nil && len(*s.Marker) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("Marker", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *ListGrantsInput) SetKeyId(v string) *ListGrantsInput {
+ s.KeyId = &v
+ return s
+}
+
+// SetLimit sets the Limit field's value.
+func (s *ListGrantsInput) SetLimit(v int64) *ListGrantsInput {
+ s.Limit = &v
+ return s
+}
+
+// SetMarker sets the Marker field's value.
+func (s *ListGrantsInput) SetMarker(v string) *ListGrantsInput {
+ s.Marker = &v
+ return s
+}
+
+type ListGrantsResponse struct {
+ _ struct{} `type:"structure"`
+
+ // A list of grants.
+ Grants []*GrantListEntry `type:"list"`
+
+ // When Truncated is true, this element is present and contains the value to
+ // use for the Marker parameter in a subsequent request.
+ NextMarker *string `min:"1" type:"string"`
+
+ // A flag that indicates whether there are more items in the list. When this
+ // value is true, the list in this response is truncated. To get more items,
+ // pass the value of the NextMarker element in this response to the Marker parameter
+ // in a subsequent request.
+ Truncated *bool `type:"boolean"`
+}
+
+// String returns the string representation
+func (s ListGrantsResponse) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListGrantsResponse) GoString() string {
+ return s.String()
+}
+
+// SetGrants sets the Grants field's value.
+func (s *ListGrantsResponse) SetGrants(v []*GrantListEntry) *ListGrantsResponse {
+ s.Grants = v
+ return s
+}
+
+// SetNextMarker sets the NextMarker field's value.
+func (s *ListGrantsResponse) SetNextMarker(v string) *ListGrantsResponse {
+ s.NextMarker = &v
+ return s
+}
+
+// SetTruncated sets the Truncated field's value.
+func (s *ListGrantsResponse) SetTruncated(v bool) *ListGrantsResponse {
+ s.Truncated = &v
+ return s
+}
+
+type ListKeyPoliciesInput struct {
+ _ struct{} `type:"structure"`
+
+ // A unique identifier for the customer master key (CMK).
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+
+ // Use this parameter to specify the maximum number of items to return. When
+ // this value is present, AWS KMS does not return more than the specified number
+ // of items, but it might return fewer.
+ //
+ // This value is optional. If you include a value, it must be between 1 and
+ // 1000, inclusive. If you do not include a value, it defaults to 100.
+ //
+ // Currently only 1 policy can be attached to a key.
+ Limit *int64 `min:"1" type:"integer"`
+
+ // Use this parameter in a subsequent request after you receive a response with
+ // truncated results. Set it to the value of NextMarker from the truncated response
+ // you just received.
+ Marker *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s ListKeyPoliciesInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListKeyPoliciesInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ListKeyPoliciesInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "ListKeyPoliciesInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+ if s.Limit != nil && *s.Limit < 1 {
+ invalidParams.Add(request.NewErrParamMinValue("Limit", 1))
+ }
+ if s.Marker != nil && len(*s.Marker) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("Marker", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *ListKeyPoliciesInput) SetKeyId(v string) *ListKeyPoliciesInput {
+ s.KeyId = &v
+ return s
+}
+
+// SetLimit sets the Limit field's value.
+func (s *ListKeyPoliciesInput) SetLimit(v int64) *ListKeyPoliciesInput {
+ s.Limit = &v
+ return s
+}
+
+// SetMarker sets the Marker field's value.
+func (s *ListKeyPoliciesInput) SetMarker(v string) *ListKeyPoliciesInput {
+ s.Marker = &v
+ return s
+}
+
+type ListKeyPoliciesOutput struct {
+ _ struct{} `type:"structure"`
+
+ // When Truncated is true, this element is present and contains the value to
+ // use for the Marker parameter in a subsequent request.
+ NextMarker *string `min:"1" type:"string"`
+
+ // A list of key policy names. Currently, there is only one key policy per CMK
+ // and it is always named default.
+ PolicyNames []*string `type:"list"`
+
+ // A flag that indicates whether there are more items in the list. When this
+ // value is true, the list in this response is truncated. To get more items,
+ // pass the value of the NextMarker element in this response to the Marker parameter
+ // in a subsequent request.
+ Truncated *bool `type:"boolean"`
+}
+
+// String returns the string representation
+func (s ListKeyPoliciesOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListKeyPoliciesOutput) GoString() string {
+ return s.String()
+}
+
+// SetNextMarker sets the NextMarker field's value.
+func (s *ListKeyPoliciesOutput) SetNextMarker(v string) *ListKeyPoliciesOutput {
+ s.NextMarker = &v
+ return s
+}
+
+// SetPolicyNames sets the PolicyNames field's value.
+func (s *ListKeyPoliciesOutput) SetPolicyNames(v []*string) *ListKeyPoliciesOutput {
+ s.PolicyNames = v
+ return s
+}
+
+// SetTruncated sets the Truncated field's value.
+func (s *ListKeyPoliciesOutput) SetTruncated(v bool) *ListKeyPoliciesOutput {
+ s.Truncated = &v
+ return s
+}
+
+type ListKeysInput struct {
+ _ struct{} `type:"structure"`
+
+ // Use this parameter to specify the maximum number of items to return. When
+ // this value is present, AWS KMS does not return more than the specified number
+ // of items, but it might return fewer.
+ //
+ // This value is optional. If you include a value, it must be between 1 and
+ // 1000, inclusive. If you do not include a value, it defaults to 100.
+ Limit *int64 `min:"1" type:"integer"`
+
+ // Use this parameter in a subsequent request after you receive a response with
+ // truncated results. Set it to the value of NextMarker from the truncated response
+ // you just received.
+ Marker *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s ListKeysInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListKeysInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ListKeysInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "ListKeysInput"}
+ if s.Limit != nil && *s.Limit < 1 {
+ invalidParams.Add(request.NewErrParamMinValue("Limit", 1))
+ }
+ if s.Marker != nil && len(*s.Marker) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("Marker", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetLimit sets the Limit field's value.
+func (s *ListKeysInput) SetLimit(v int64) *ListKeysInput {
+ s.Limit = &v
+ return s
+}
+
+// SetMarker sets the Marker field's value.
+func (s *ListKeysInput) SetMarker(v string) *ListKeysInput {
+ s.Marker = &v
+ return s
+}
+
+type ListKeysOutput struct {
+ _ struct{} `type:"structure"`
+
+ // A list of customer master keys (CMKs).
+ Keys []*KeyListEntry `type:"list"`
+
+ // When Truncated is true, this element is present and contains the value to
+ // use for the Marker parameter in a subsequent request.
+ NextMarker *string `min:"1" type:"string"`
+
+ // A flag that indicates whether there are more items in the list. When this
+ // value is true, the list in this response is truncated. To get more items,
+ // pass the value of the NextMarker element in this response to the Marker parameter
+ // in a subsequent request.
+ Truncated *bool `type:"boolean"`
+}
+
+// String returns the string representation
+func (s ListKeysOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListKeysOutput) GoString() string {
+ return s.String()
+}
+
+// SetKeys sets the Keys field's value.
+func (s *ListKeysOutput) SetKeys(v []*KeyListEntry) *ListKeysOutput {
+ s.Keys = v
+ return s
+}
+
+// SetNextMarker sets the NextMarker field's value.
+func (s *ListKeysOutput) SetNextMarker(v string) *ListKeysOutput {
+ s.NextMarker = &v
+ return s
+}
+
+// SetTruncated sets the Truncated field's value.
+func (s *ListKeysOutput) SetTruncated(v bool) *ListKeysOutput {
+ s.Truncated = &v
+ return s
+}
+
+type ListResourceTagsInput struct {
+ _ struct{} `type:"structure"`
+
+ // A unique identifier for the customer master key (CMK).
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+
+ // Use this parameter to specify the maximum number of items to return. When
+ // this value is present, AWS KMS does not return more than the specified number
+ // of items, but it might return fewer.
+ //
+ // This value is optional. If you include a value, it must be between 1 and
+ // 50, inclusive. If you do not include a value, it defaults to 50.
+ Limit *int64 `min:"1" type:"integer"`
+
+ // Use this parameter in a subsequent request after you receive a response with
+ // truncated results. Set it to the value of NextMarker from the truncated response
+ // you just received.
+ //
+ // Do not attempt to construct this value. Use only the value of NextMarker
+ // from the truncated response you just received.
+ Marker *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s ListResourceTagsInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListResourceTagsInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ListResourceTagsInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "ListResourceTagsInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+ if s.Limit != nil && *s.Limit < 1 {
+ invalidParams.Add(request.NewErrParamMinValue("Limit", 1))
+ }
+ if s.Marker != nil && len(*s.Marker) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("Marker", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *ListResourceTagsInput) SetKeyId(v string) *ListResourceTagsInput {
+ s.KeyId = &v
+ return s
+}
+
+// SetLimit sets the Limit field's value.
+func (s *ListResourceTagsInput) SetLimit(v int64) *ListResourceTagsInput {
+ s.Limit = &v
+ return s
+}
+
+// SetMarker sets the Marker field's value.
+func (s *ListResourceTagsInput) SetMarker(v string) *ListResourceTagsInput {
+ s.Marker = &v
+ return s
+}
+
+type ListResourceTagsOutput struct {
+ _ struct{} `type:"structure"`
+
+ // When Truncated is true, this element is present and contains the value to
+ // use for the Marker parameter in a subsequent request.
+ //
+ // Do not assume or infer any information from this value.
+ NextMarker *string `min:"1" type:"string"`
+
+ // A list of tags. Each tag consists of a tag key and a tag value.
+ Tags []*Tag `type:"list"`
+
+ // A flag that indicates whether there are more items in the list. When this
+ // value is true, the list in this response is truncated. To get more items,
+ // pass the value of the NextMarker element in this response to the Marker parameter
+ // in a subsequent request.
+ Truncated *bool `type:"boolean"`
+}
+
+// String returns the string representation
+func (s ListResourceTagsOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListResourceTagsOutput) GoString() string {
+ return s.String()
+}
+
+// SetNextMarker sets the NextMarker field's value.
+func (s *ListResourceTagsOutput) SetNextMarker(v string) *ListResourceTagsOutput {
+ s.NextMarker = &v
+ return s
+}
+
+// SetTags sets the Tags field's value.
+func (s *ListResourceTagsOutput) SetTags(v []*Tag) *ListResourceTagsOutput {
+ s.Tags = v
+ return s
+}
+
+// SetTruncated sets the Truncated field's value.
+func (s *ListResourceTagsOutput) SetTruncated(v bool) *ListResourceTagsOutput {
+ s.Truncated = &v
+ return s
+}
+
+type ListRetirableGrantsInput struct {
+ _ struct{} `type:"structure"`
+
+ // Use this parameter to specify the maximum number of items to return. When
+ // this value is present, AWS KMS does not return more than the specified number
+ // of items, but it might return fewer.
+ //
+ // This value is optional. If you include a value, it must be between 1 and
+ // 100, inclusive. If you do not include a value, it defaults to 50.
+ Limit *int64 `min:"1" type:"integer"`
+
+ // Use this parameter in a subsequent request after you receive a response with
+ // truncated results. Set it to the value of NextMarker from the truncated response
+ // you just received.
+ Marker *string `min:"1" type:"string"`
+
+ // The retiring principal for which to list grants.
+ //
+ // To specify the retiring principal, use the Amazon Resource Name (ARN) (http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
+ // of an AWS principal. Valid AWS principals include AWS accounts (root), IAM
+ // users, federated users, and assumed role users. For examples of the ARN syntax
+ // for specifying a principal, see AWS Identity and Access Management (IAM)
+ // (http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam)
+ // in the Example ARNs section of the Amazon Web Services General Reference.
+ //
+ // RetiringPrincipal is a required field
+ RetiringPrincipal *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s ListRetirableGrantsInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ListRetirableGrantsInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ListRetirableGrantsInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "ListRetirableGrantsInput"}
+ if s.Limit != nil && *s.Limit < 1 {
+ invalidParams.Add(request.NewErrParamMinValue("Limit", 1))
+ }
+ if s.Marker != nil && len(*s.Marker) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("Marker", 1))
+ }
+ if s.RetiringPrincipal == nil {
+ invalidParams.Add(request.NewErrParamRequired("RetiringPrincipal"))
+ }
+ if s.RetiringPrincipal != nil && len(*s.RetiringPrincipal) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("RetiringPrincipal", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetLimit sets the Limit field's value.
+func (s *ListRetirableGrantsInput) SetLimit(v int64) *ListRetirableGrantsInput {
+ s.Limit = &v
+ return s
+}
+
+// SetMarker sets the Marker field's value.
+func (s *ListRetirableGrantsInput) SetMarker(v string) *ListRetirableGrantsInput {
+ s.Marker = &v
+ return s
+}
+
+// SetRetiringPrincipal sets the RetiringPrincipal field's value.
+func (s *ListRetirableGrantsInput) SetRetiringPrincipal(v string) *ListRetirableGrantsInput {
+ s.RetiringPrincipal = &v
+ return s
+}
+
+type PutKeyPolicyInput struct {
+ _ struct{} `type:"structure"`
+
+ // A flag to indicate whether to bypass the key policy lockout safety check.
+ //
+ // Setting this value to true increases the risk that the CMK becomes unmanageable.
+ // Do not set this value to true indiscriminately.
+ //
+ // For more information, refer to the scenario in the Default Key Policy (http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
+ // section in the AWS Key Management Service Developer Guide.
+ //
+ // Use this parameter only when you intend to prevent the principal that is
+ // making the request from making a subsequent PutKeyPolicy request on the CMK.
+ //
+ // The default value is false.
+ BypassPolicyLockoutSafetyCheck *bool `type:"boolean"`
+
+ // A unique identifier for the customer master key (CMK).
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+
+ // The key policy to attach to the CMK.
+ //
+ // The key policy must meet the following criteria:
+ //
+ // * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy
+ // must allow the principal that is making the PutKeyPolicy request to make
+ // a subsequent PutKeyPolicy request on the CMK. This reduces the risk that
+ // the CMK becomes unmanageable. For more information, refer to the scenario
+ // in the Default Key Policy (http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
+ // section of the AWS Key Management Service Developer Guide.
+ //
+ // * Each statement in the key policy must contain one or more principals.
+ // The principals in the key policy must exist and be visible to AWS KMS.
+ // When you create a new AWS principal (for example, an IAM user or role),
+ // you might need to enforce a delay before including the new principal in
+ // a key policy because the new principal might not be immediately visible
+ // to AWS KMS. For more information, see Changes that I make are not always
+ // immediately visible (http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency)
+ // in the AWS Identity and Access Management User Guide.
+ //
+ // The key policy size limit is 32 kilobytes (32768 bytes).
+ //
+ // Policy is a required field
+ Policy *string `min:"1" type:"string" required:"true"`
+
+ // The name of the key policy. The only valid value is default.
+ //
+ // PolicyName is a required field
+ PolicyName *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s PutKeyPolicyInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s PutKeyPolicyInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *PutKeyPolicyInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "PutKeyPolicyInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+ if s.Policy == nil {
+ invalidParams.Add(request.NewErrParamRequired("Policy"))
+ }
+ if s.Policy != nil && len(*s.Policy) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
+ }
+ if s.PolicyName == nil {
+ invalidParams.Add(request.NewErrParamRequired("PolicyName"))
+ }
+ if s.PolicyName != nil && len(*s.PolicyName) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("PolicyName", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetBypassPolicyLockoutSafetyCheck sets the BypassPolicyLockoutSafetyCheck field's value.
+func (s *PutKeyPolicyInput) SetBypassPolicyLockoutSafetyCheck(v bool) *PutKeyPolicyInput {
+ s.BypassPolicyLockoutSafetyCheck = &v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *PutKeyPolicyInput) SetKeyId(v string) *PutKeyPolicyInput {
+ s.KeyId = &v
+ return s
+}
+
+// SetPolicy sets the Policy field's value.
+func (s *PutKeyPolicyInput) SetPolicy(v string) *PutKeyPolicyInput {
+ s.Policy = &v
+ return s
+}
+
+// SetPolicyName sets the PolicyName field's value.
+func (s *PutKeyPolicyInput) SetPolicyName(v string) *PutKeyPolicyInput {
+ s.PolicyName = &v
+ return s
+}
+
+type PutKeyPolicyOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s PutKeyPolicyOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s PutKeyPolicyOutput) GoString() string {
+ return s.String()
+}
+
+type ReEncryptInput struct {
+ _ struct{} `type:"structure"`
+
+ // Ciphertext of the data to reencrypt.
+ //
+ // CiphertextBlob is automatically base64 encoded/decoded by the SDK.
+ //
+ // CiphertextBlob is a required field
+ CiphertextBlob []byte `min:"1" type:"blob" required:"true"`
+
+ // Encryption context to use when the data is reencrypted.
+ DestinationEncryptionContext map[string]*string `type:"map"`
+
+ // A unique identifier for the CMK that is used to reencrypt the data.
+ //
+ // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
+ // or alias ARN. When using an alias name, prefix it with "alias/". To specify
+ // a CMK in a different AWS account, you must use the key ARN or alias ARN.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Alias name: alias/ExampleAlias
+ //
+ // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
+ // get the alias name and alias ARN, use ListAliases.
+ //
+ // DestinationKeyId is a required field
+ DestinationKeyId *string `min:"1" type:"string" required:"true"`
+
+ // A list of grant tokens.
+ //
+ // For more information, see Grant Tokens (http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
+ // in the AWS Key Management Service Developer Guide.
+ GrantTokens []*string `type:"list"`
+
+ // Encryption context used to encrypt and decrypt the data specified in the
+ // CiphertextBlob parameter.
+ SourceEncryptionContext map[string]*string `type:"map"`
+}
+
+// String returns the string representation
+func (s ReEncryptInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ReEncryptInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ReEncryptInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "ReEncryptInput"}
+ if s.CiphertextBlob == nil {
+ invalidParams.Add(request.NewErrParamRequired("CiphertextBlob"))
+ }
+ if s.CiphertextBlob != nil && len(s.CiphertextBlob) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("CiphertextBlob", 1))
+ }
+ if s.DestinationKeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("DestinationKeyId"))
+ }
+ if s.DestinationKeyId != nil && len(*s.DestinationKeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("DestinationKeyId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetCiphertextBlob sets the CiphertextBlob field's value.
+func (s *ReEncryptInput) SetCiphertextBlob(v []byte) *ReEncryptInput {
+ s.CiphertextBlob = v
+ return s
+}
+
+// SetDestinationEncryptionContext sets the DestinationEncryptionContext field's value.
+func (s *ReEncryptInput) SetDestinationEncryptionContext(v map[string]*string) *ReEncryptInput {
+ s.DestinationEncryptionContext = v
+ return s
+}
+
+// SetDestinationKeyId sets the DestinationKeyId field's value.
+func (s *ReEncryptInput) SetDestinationKeyId(v string) *ReEncryptInput {
+ s.DestinationKeyId = &v
+ return s
+}
+
+// SetGrantTokens sets the GrantTokens field's value.
+func (s *ReEncryptInput) SetGrantTokens(v []*string) *ReEncryptInput {
+ s.GrantTokens = v
+ return s
+}
+
+// SetSourceEncryptionContext sets the SourceEncryptionContext field's value.
+func (s *ReEncryptInput) SetSourceEncryptionContext(v map[string]*string) *ReEncryptInput {
+ s.SourceEncryptionContext = v
+ return s
+}
+
+type ReEncryptOutput struct {
+ _ struct{} `type:"structure"`
+
+ // The reencrypted data. When you use the HTTP API or the AWS CLI, the value
+ // is Base64-encdoded. Otherwise, it is not encoded.
+ //
+ // CiphertextBlob is automatically base64 encoded/decoded by the SDK.
+ CiphertextBlob []byte `min:"1" type:"blob"`
+
+ // Unique identifier of the CMK used to reencrypt the data.
+ KeyId *string `min:"1" type:"string"`
+
+ // Unique identifier of the CMK used to originally encrypt the data.
+ SourceKeyId *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s ReEncryptOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ReEncryptOutput) GoString() string {
+ return s.String()
+}
+
+// SetCiphertextBlob sets the CiphertextBlob field's value.
+func (s *ReEncryptOutput) SetCiphertextBlob(v []byte) *ReEncryptOutput {
+ s.CiphertextBlob = v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *ReEncryptOutput) SetKeyId(v string) *ReEncryptOutput {
+ s.KeyId = &v
+ return s
+}
+
+// SetSourceKeyId sets the SourceKeyId field's value.
+func (s *ReEncryptOutput) SetSourceKeyId(v string) *ReEncryptOutput {
+ s.SourceKeyId = &v
+ return s
+}
+
+type RetireGrantInput struct {
+ _ struct{} `type:"structure"`
+
+ // Unique identifier of the grant to retire. The grant ID is returned in the
+ // response to a CreateGrant operation.
+ //
+ // * Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123
+ GrantId *string `min:"1" type:"string"`
+
+ // Token that identifies the grant to be retired.
+ GrantToken *string `min:"1" type:"string"`
+
+ // The Amazon Resource Name (ARN) of the CMK associated with the grant.
+ //
+ // For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ KeyId *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s RetireGrantInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s RetireGrantInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *RetireGrantInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "RetireGrantInput"}
+ if s.GrantId != nil && len(*s.GrantId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("GrantId", 1))
+ }
+ if s.GrantToken != nil && len(*s.GrantToken) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("GrantToken", 1))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetGrantId sets the GrantId field's value.
+func (s *RetireGrantInput) SetGrantId(v string) *RetireGrantInput {
+ s.GrantId = &v
+ return s
+}
+
+// SetGrantToken sets the GrantToken field's value.
+func (s *RetireGrantInput) SetGrantToken(v string) *RetireGrantInput {
+ s.GrantToken = &v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *RetireGrantInput) SetKeyId(v string) *RetireGrantInput {
+ s.KeyId = &v
+ return s
+}
+
+type RetireGrantOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s RetireGrantOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s RetireGrantOutput) GoString() string {
+ return s.String()
+}
+
+type RevokeGrantInput struct {
+ _ struct{} `type:"structure"`
+
+ // Identifier of the grant to be revoked.
+ //
+ // GrantId is a required field
+ GrantId *string `min:"1" type:"string" required:"true"`
+
+ // A unique identifier for the customer master key associated with the grant.
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify
+ // a CMK in a different AWS account, you must use the key ARN.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s RevokeGrantInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s RevokeGrantInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *RevokeGrantInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "RevokeGrantInput"}
+ if s.GrantId == nil {
+ invalidParams.Add(request.NewErrParamRequired("GrantId"))
+ }
+ if s.GrantId != nil && len(*s.GrantId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("GrantId", 1))
+ }
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetGrantId sets the GrantId field's value.
+func (s *RevokeGrantInput) SetGrantId(v string) *RevokeGrantInput {
+ s.GrantId = &v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *RevokeGrantInput) SetKeyId(v string) *RevokeGrantInput {
+ s.KeyId = &v
+ return s
+}
+
+type RevokeGrantOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s RevokeGrantOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s RevokeGrantOutput) GoString() string {
+ return s.String()
+}
+
+type ScheduleKeyDeletionInput struct {
+ _ struct{} `type:"structure"`
+
+ // The unique identifier of the customer master key (CMK) to delete.
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+
+ // The waiting period, specified in number of days. After the waiting period
+ // ends, AWS KMS deletes the customer master key (CMK).
+ //
+ // This value is optional. If you include a value, it must be between 7 and
+ // 30, inclusive. If you do not include a value, it defaults to 30.
+ PendingWindowInDays *int64 `min:"1" type:"integer"`
+}
+
+// String returns the string representation
+func (s ScheduleKeyDeletionInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ScheduleKeyDeletionInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ScheduleKeyDeletionInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "ScheduleKeyDeletionInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+ if s.PendingWindowInDays != nil && *s.PendingWindowInDays < 1 {
+ invalidParams.Add(request.NewErrParamMinValue("PendingWindowInDays", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *ScheduleKeyDeletionInput) SetKeyId(v string) *ScheduleKeyDeletionInput {
+ s.KeyId = &v
+ return s
+}
+
+// SetPendingWindowInDays sets the PendingWindowInDays field's value.
+func (s *ScheduleKeyDeletionInput) SetPendingWindowInDays(v int64) *ScheduleKeyDeletionInput {
+ s.PendingWindowInDays = &v
+ return s
+}
+
+type ScheduleKeyDeletionOutput struct {
+ _ struct{} `type:"structure"`
+
+ // The date and time after which AWS KMS deletes the customer master key (CMK).
+ DeletionDate *time.Time `type:"timestamp"`
+
+ // The unique identifier of the customer master key (CMK) for which deletion
+ // is scheduled.
+ KeyId *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s ScheduleKeyDeletionOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ScheduleKeyDeletionOutput) GoString() string {
+ return s.String()
+}
+
+// SetDeletionDate sets the DeletionDate field's value.
+func (s *ScheduleKeyDeletionOutput) SetDeletionDate(v time.Time) *ScheduleKeyDeletionOutput {
+ s.DeletionDate = &v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *ScheduleKeyDeletionOutput) SetKeyId(v string) *ScheduleKeyDeletionOutput {
+ s.KeyId = &v
+ return s
+}
+
+// A key-value pair. A tag consists of a tag key and a tag value. Tag keys and
+// tag values are both required, but tag values can be empty (null) strings.
+//
+// For information about the rules that apply to tag keys and tag values, see
+// User-Defined Tag Restrictions (http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html)
+// in the AWS Billing and Cost Management User Guide.
+type Tag struct {
+ _ struct{} `type:"structure"`
+
+ // The key of the tag.
+ //
+ // TagKey is a required field
+ TagKey *string `min:"1" type:"string" required:"true"`
+
+ // The value of the tag.
+ //
+ // TagValue is a required field
+ TagValue *string `type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s Tag) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s Tag) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *Tag) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "Tag"}
+ if s.TagKey == nil {
+ invalidParams.Add(request.NewErrParamRequired("TagKey"))
+ }
+ if s.TagKey != nil && len(*s.TagKey) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("TagKey", 1))
+ }
+ if s.TagValue == nil {
+ invalidParams.Add(request.NewErrParamRequired("TagValue"))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetTagKey sets the TagKey field's value.
+func (s *Tag) SetTagKey(v string) *Tag {
+ s.TagKey = &v
+ return s
+}
+
+// SetTagValue sets the TagValue field's value.
+func (s *Tag) SetTagValue(v string) *Tag {
+ s.TagValue = &v
+ return s
+}
+
+type TagResourceInput struct {
+ _ struct{} `type:"structure"`
+
+ // A unique identifier for the CMK you are tagging.
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+
+ // One or more tags. Each tag consists of a tag key and a tag value.
+ //
+ // Tags is a required field
+ Tags []*Tag `type:"list" required:"true"`
+}
+
+// String returns the string representation
+func (s TagResourceInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s TagResourceInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *TagResourceInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "TagResourceInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+ if s.Tags == nil {
+ invalidParams.Add(request.NewErrParamRequired("Tags"))
+ }
+ if s.Tags != nil {
+ for i, v := range s.Tags {
+ if v == nil {
+ continue
+ }
+ if err := v.Validate(); err != nil {
+ invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams))
+ }
+ }
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *TagResourceInput) SetKeyId(v string) *TagResourceInput {
+ s.KeyId = &v
+ return s
+}
+
+// SetTags sets the Tags field's value.
+func (s *TagResourceInput) SetTags(v []*Tag) *TagResourceInput {
+ s.Tags = v
+ return s
+}
+
+type TagResourceOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s TagResourceOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s TagResourceOutput) GoString() string {
+ return s.String()
+}
+
+type UntagResourceInput struct {
+ _ struct{} `type:"structure"`
+
+ // A unique identifier for the CMK from which you are removing tags.
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+
+ // One or more tag keys. Specify only the tag keys, not the tag values.
+ //
+ // TagKeys is a required field
+ TagKeys []*string `type:"list" required:"true"`
+}
+
+// String returns the string representation
+func (s UntagResourceInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UntagResourceInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *UntagResourceInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "UntagResourceInput"}
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+ if s.TagKeys == nil {
+ invalidParams.Add(request.NewErrParamRequired("TagKeys"))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *UntagResourceInput) SetKeyId(v string) *UntagResourceInput {
+ s.KeyId = &v
+ return s
+}
+
+// SetTagKeys sets the TagKeys field's value.
+func (s *UntagResourceInput) SetTagKeys(v []*string) *UntagResourceInput {
+ s.TagKeys = v
+ return s
+}
+
+type UntagResourceOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s UntagResourceOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UntagResourceOutput) GoString() string {
+ return s.String()
+}
+
+type UpdateAliasInput struct {
+ _ struct{} `type:"structure"`
+
+ // String that contains the name of the alias to be modified. The name must
+ // start with the word "alias" followed by a forward slash (alias/). Aliases
+ // that begin with "alias/aws" are reserved.
+ //
+ // AliasName is a required field
+ AliasName *string `min:"1" type:"string" required:"true"`
+
+ // Unique identifier of the customer master key to be mapped to the alias.
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // To verify that the alias is mapped to the correct CMK, use ListAliases.
+ //
+ // TargetKeyId is a required field
+ TargetKeyId *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s UpdateAliasInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UpdateAliasInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *UpdateAliasInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "UpdateAliasInput"}
+ if s.AliasName == nil {
+ invalidParams.Add(request.NewErrParamRequired("AliasName"))
+ }
+ if s.AliasName != nil && len(*s.AliasName) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("AliasName", 1))
+ }
+ if s.TargetKeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("TargetKeyId"))
+ }
+ if s.TargetKeyId != nil && len(*s.TargetKeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("TargetKeyId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetAliasName sets the AliasName field's value.
+func (s *UpdateAliasInput) SetAliasName(v string) *UpdateAliasInput {
+ s.AliasName = &v
+ return s
+}
+
+// SetTargetKeyId sets the TargetKeyId field's value.
+func (s *UpdateAliasInput) SetTargetKeyId(v string) *UpdateAliasInput {
+ s.TargetKeyId = &v
+ return s
+}
+
+type UpdateAliasOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s UpdateAliasOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UpdateAliasOutput) GoString() string {
+ return s.String()
+}
+
+type UpdateCustomKeyStoreInput struct {
+ _ struct{} `type:"structure"`
+
+ // Associates the custom key store with a related AWS CloudHSM cluster.
+ //
+ // Enter the cluster ID of the cluster that you used to create the custom key
+ // store or a cluster that shares a backup history with the original cluster.
+ // You cannot use this parameter to associate a custom key store with a different
+ // cluster.
+ //
+ // Clusters that share a backup history have the same cluster certificate. To
+ // view the cluster certificate of a cluster, use the DescribeClusters (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+ // operation.
+ CloudHsmClusterId *string `min:"19" type:"string"`
+
+ // Identifies the custom key store that you want to update. Enter the ID of
+ // the custom key store. To find the ID of a custom key store, use the DescribeCustomKeyStores
+ // operation.
+ //
+ // CustomKeyStoreId is a required field
+ CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
+
+ // Enter the current password of the kmsuser crypto user (CU) in the AWS CloudHSM
+ // cluster that is associated with the custom key store.
+ //
+ // This parameter tells AWS KMS the current password of the kmsuser crypto user
+ // (CU). It does not set or change the password of any users in the AWS CloudHSM
+ // cluster.
+ KeyStorePassword *string `min:"1" type:"string" sensitive:"true"`
+
+ // Changes the friendly name of the custom key store to the value that you specify.
+ // The custom key store name must be unique in the AWS account.
+ NewCustomKeyStoreName *string `min:"1" type:"string"`
+}
+
+// String returns the string representation
+func (s UpdateCustomKeyStoreInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UpdateCustomKeyStoreInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *UpdateCustomKeyStoreInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "UpdateCustomKeyStoreInput"}
+ if s.CloudHsmClusterId != nil && len(*s.CloudHsmClusterId) < 19 {
+ invalidParams.Add(request.NewErrParamMinLen("CloudHsmClusterId", 19))
+ }
+ if s.CustomKeyStoreId == nil {
+ invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreId"))
+ }
+ if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
+ }
+ if s.KeyStorePassword != nil && len(*s.KeyStorePassword) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyStorePassword", 1))
+ }
+ if s.NewCustomKeyStoreName != nil && len(*s.NewCustomKeyStoreName) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("NewCustomKeyStoreName", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetCloudHsmClusterId sets the CloudHsmClusterId field's value.
+func (s *UpdateCustomKeyStoreInput) SetCloudHsmClusterId(v string) *UpdateCustomKeyStoreInput {
+ s.CloudHsmClusterId = &v
+ return s
+}
+
+// SetCustomKeyStoreId sets the CustomKeyStoreId field's value.
+func (s *UpdateCustomKeyStoreInput) SetCustomKeyStoreId(v string) *UpdateCustomKeyStoreInput {
+ s.CustomKeyStoreId = &v
+ return s
+}
+
+// SetKeyStorePassword sets the KeyStorePassword field's value.
+func (s *UpdateCustomKeyStoreInput) SetKeyStorePassword(v string) *UpdateCustomKeyStoreInput {
+ s.KeyStorePassword = &v
+ return s
+}
+
+// SetNewCustomKeyStoreName sets the NewCustomKeyStoreName field's value.
+func (s *UpdateCustomKeyStoreInput) SetNewCustomKeyStoreName(v string) *UpdateCustomKeyStoreInput {
+ s.NewCustomKeyStoreName = &v
+ return s
+}
+
+type UpdateCustomKeyStoreOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s UpdateCustomKeyStoreOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UpdateCustomKeyStoreOutput) GoString() string {
+ return s.String()
+}
+
+type UpdateKeyDescriptionInput struct {
+ _ struct{} `type:"structure"`
+
+ // New description for the CMK.
+ //
+ // Description is a required field
+ Description *string `type:"string" required:"true"`
+
+ // A unique identifier for the customer master key (CMK).
+ //
+ // Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+ //
+ // For example:
+ //
+ // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+ //
+ // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+ //
+ // KeyId is a required field
+ KeyId *string `min:"1" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s UpdateKeyDescriptionInput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UpdateKeyDescriptionInput) GoString() string {
+ return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *UpdateKeyDescriptionInput) Validate() error {
+ invalidParams := request.ErrInvalidParams{Context: "UpdateKeyDescriptionInput"}
+ if s.Description == nil {
+ invalidParams.Add(request.NewErrParamRequired("Description"))
+ }
+ if s.KeyId == nil {
+ invalidParams.Add(request.NewErrParamRequired("KeyId"))
+ }
+ if s.KeyId != nil && len(*s.KeyId) < 1 {
+ invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+ }
+
+ if invalidParams.Len() > 0 {
+ return invalidParams
+ }
+ return nil
+}
+
+// SetDescription sets the Description field's value.
+func (s *UpdateKeyDescriptionInput) SetDescription(v string) *UpdateKeyDescriptionInput {
+ s.Description = &v
+ return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *UpdateKeyDescriptionInput) SetKeyId(v string) *UpdateKeyDescriptionInput {
+ s.KeyId = &v
+ return s
+}
+
+type UpdateKeyDescriptionOutput struct {
+ _ struct{} `type:"structure"`
+}
+
+// String returns the string representation
+func (s UpdateKeyDescriptionOutput) String() string {
+ return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s UpdateKeyDescriptionOutput) GoString() string {
+ return s.String()
+}
+
+const (
+ // AlgorithmSpecRsaesPkcs1V15 is a AlgorithmSpec enum value
+ AlgorithmSpecRsaesPkcs1V15 = "RSAES_PKCS1_V1_5"
+
+ // AlgorithmSpecRsaesOaepSha1 is a AlgorithmSpec enum value
+ AlgorithmSpecRsaesOaepSha1 = "RSAES_OAEP_SHA_1"
+
+ // AlgorithmSpecRsaesOaepSha256 is a AlgorithmSpec enum value
+ AlgorithmSpecRsaesOaepSha256 = "RSAES_OAEP_SHA_256"
+)
+
+const (
+ // ConnectionErrorCodeTypeInvalidCredentials is a ConnectionErrorCodeType enum value
+ ConnectionErrorCodeTypeInvalidCredentials = "INVALID_CREDENTIALS"
+
+ // ConnectionErrorCodeTypeClusterNotFound is a ConnectionErrorCodeType enum value
+ ConnectionErrorCodeTypeClusterNotFound = "CLUSTER_NOT_FOUND"
+
+ // ConnectionErrorCodeTypeNetworkErrors is a ConnectionErrorCodeType enum value
+ ConnectionErrorCodeTypeNetworkErrors = "NETWORK_ERRORS"
+
+ // ConnectionErrorCodeTypeInsufficientCloudhsmHsms is a ConnectionErrorCodeType enum value
+ ConnectionErrorCodeTypeInsufficientCloudhsmHsms = "INSUFFICIENT_CLOUDHSM_HSMS"
+
+ // ConnectionErrorCodeTypeUserLockedOut is a ConnectionErrorCodeType enum value
+ ConnectionErrorCodeTypeUserLockedOut = "USER_LOCKED_OUT"
+)
+
+const (
+ // ConnectionStateTypeConnected is a ConnectionStateType enum value
+ ConnectionStateTypeConnected = "CONNECTED"
+
+ // ConnectionStateTypeConnecting is a ConnectionStateType enum value
+ ConnectionStateTypeConnecting = "CONNECTING"
+
+ // ConnectionStateTypeFailed is a ConnectionStateType enum value
+ ConnectionStateTypeFailed = "FAILED"
+
+ // ConnectionStateTypeDisconnected is a ConnectionStateType enum value
+ ConnectionStateTypeDisconnected = "DISCONNECTED"
+
+ // ConnectionStateTypeDisconnecting is a ConnectionStateType enum value
+ ConnectionStateTypeDisconnecting = "DISCONNECTING"
+)
+
+const (
+ // DataKeySpecAes256 is a DataKeySpec enum value
+ DataKeySpecAes256 = "AES_256"
+
+ // DataKeySpecAes128 is a DataKeySpec enum value
+ DataKeySpecAes128 = "AES_128"
+)
+
+const (
+ // ExpirationModelTypeKeyMaterialExpires is a ExpirationModelType enum value
+ ExpirationModelTypeKeyMaterialExpires = "KEY_MATERIAL_EXPIRES"
+
+ // ExpirationModelTypeKeyMaterialDoesNotExpire is a ExpirationModelType enum value
+ ExpirationModelTypeKeyMaterialDoesNotExpire = "KEY_MATERIAL_DOES_NOT_EXPIRE"
+)
+
+const (
+ // GrantOperationDecrypt is a GrantOperation enum value
+ GrantOperationDecrypt = "Decrypt"
+
+ // GrantOperationEncrypt is a GrantOperation enum value
+ GrantOperationEncrypt = "Encrypt"
+
+ // GrantOperationGenerateDataKey is a GrantOperation enum value
+ GrantOperationGenerateDataKey = "GenerateDataKey"
+
+ // GrantOperationGenerateDataKeyWithoutPlaintext is a GrantOperation enum value
+ GrantOperationGenerateDataKeyWithoutPlaintext = "GenerateDataKeyWithoutPlaintext"
+
+ // GrantOperationReEncryptFrom is a GrantOperation enum value
+ GrantOperationReEncryptFrom = "ReEncryptFrom"
+
+ // GrantOperationReEncryptTo is a GrantOperation enum value
+ GrantOperationReEncryptTo = "ReEncryptTo"
+
+ // GrantOperationCreateGrant is a GrantOperation enum value
+ GrantOperationCreateGrant = "CreateGrant"
+
+ // GrantOperationRetireGrant is a GrantOperation enum value
+ GrantOperationRetireGrant = "RetireGrant"
+
+ // GrantOperationDescribeKey is a GrantOperation enum value
+ GrantOperationDescribeKey = "DescribeKey"
+)
+
+const (
+ // KeyManagerTypeAws is a KeyManagerType enum value
+ KeyManagerTypeAws = "AWS"
+
+ // KeyManagerTypeCustomer is a KeyManagerType enum value
+ KeyManagerTypeCustomer = "CUSTOMER"
+)
+
+const (
+ // KeyStateEnabled is a KeyState enum value
+ KeyStateEnabled = "Enabled"
+
+ // KeyStateDisabled is a KeyState enum value
+ KeyStateDisabled = "Disabled"
+
+ // KeyStatePendingDeletion is a KeyState enum value
+ KeyStatePendingDeletion = "PendingDeletion"
+
+ // KeyStatePendingImport is a KeyState enum value
+ KeyStatePendingImport = "PendingImport"
+
+ // KeyStateUnavailable is a KeyState enum value
+ KeyStateUnavailable = "Unavailable"
+)
+
+const (
+ // KeyUsageTypeEncryptDecrypt is a KeyUsageType enum value
+ KeyUsageTypeEncryptDecrypt = "ENCRYPT_DECRYPT"
+)
+
+const (
+ // OriginTypeAwsKms is a OriginType enum value
+ OriginTypeAwsKms = "AWS_KMS"
+
+ // OriginTypeExternal is a OriginType enum value
+ OriginTypeExternal = "EXTERNAL"
+
+ // OriginTypeAwsCloudhsm is a OriginType enum value
+ OriginTypeAwsCloudhsm = "AWS_CLOUDHSM"
+)
+
+const (
+ // WrappingKeySpecRsa2048 is a WrappingKeySpec enum value
+ WrappingKeySpecRsa2048 = "RSA_2048"
+)
diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go b/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go
new file mode 100644
index 00000000..fad9002e
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go
@@ -0,0 +1,98 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+// Package kms provides the client and types for making API
+// requests to AWS Key Management Service.
+//
+// AWS Key Management Service (AWS KMS) is an encryption and key management
+// web service. This guide describes the AWS KMS operations that you can call
+// programmatically. For general information about AWS KMS, see the AWS Key
+// Management Service Developer Guide (http://docs.aws.amazon.com/kms/latest/developerguide/).
+//
+// AWS provides SDKs that consist of libraries and sample code for various programming
+// languages and platforms (Java, Ruby, .Net, macOS, Android, etc.). The SDKs
+// provide a convenient way to create programmatic access to AWS KMS and other
+// AWS services. For example, the SDKs take care of tasks such as signing requests
+// (see below), managing errors, and retrying requests automatically. For more
+// information about the AWS SDKs, including how to download and install them,
+// see Tools for Amazon Web Services (http://aws.amazon.com/tools/).
+//
+// We recommend that you use the AWS SDKs to make programmatic API calls to
+// AWS KMS.
+//
+// Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS
+// 1.2. Clients must also support cipher suites with Perfect Forward Secrecy
+// (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral
+// Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support
+// these modes.
+//
+// Signing Requests
+//
+// Requests must be signed by using an access key ID and a secret access key.
+// We strongly recommend that you do not use your AWS account (root) access
+// key ID and secret key for everyday work with AWS KMS. Instead, use the access
+// key ID and secret access key for an IAM user, or you can use the AWS Security
+// Token Service to generate temporary security credentials that you can use
+// to sign requests.
+//
+// All AWS KMS operations require Signature Version 4 (http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html).
+//
+// Logging API Requests
+//
+// AWS KMS supports AWS CloudTrail, a service that logs AWS API calls and related
+// events for your AWS account and delivers them to an Amazon S3 bucket that
+// you specify. By using the information collected by CloudTrail, you can determine
+// what requests were made to AWS KMS, who made the request, when it was made,
+// and so on. To learn more about CloudTrail, including how to turn it on and
+// find your log files, see the AWS CloudTrail User Guide (http://docs.aws.amazon.com/awscloudtrail/latest/userguide/).
+//
+// Additional Resources
+//
+// For more information about credentials and request signing, see the following:
+//
+// * AWS Security Credentials (http://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html)
+// - This topic provides general information about the of credentials used
+// for accessing AWS.
+//
+// * Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
+// - This section of the IAM User Guide describes how to create and use temporary
+// security credentials.
+//
+// * Signature Version 4 Signing Process (http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html)
+// - This set of topics walks you through the process of signing a request
+// using an access key ID and a secret access key.
+//
+// Commonly Used APIs
+//
+// Of the APIs discussed in this guide, the following will prove the most useful
+// for most applications. You will likely perform actions other than these,
+// such as creating keys and assigning policies, by using the console.
+//
+// * Encrypt
+//
+// * Decrypt
+//
+// * GenerateDataKey
+//
+// * GenerateDataKeyWithoutPlaintext
+//
+// See https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01 for more information on this service.
+//
+// See kms package documentation for more information.
+// https://docs.aws.amazon.com/sdk-for-go/api/service/kms/
+//
+// Using the Client
+//
+// To contact AWS Key Management Service with the SDK use the New function to create
+// a new service client. With that client you can make API requests to the service.
+// These clients are safe to use concurrently.
+//
+// See the SDK's documentation for more information on how to use the SDK.
+// https://docs.aws.amazon.com/sdk-for-go/api/
+//
+// See aws.Config documentation for more information on configuring SDK clients.
+// https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config
+//
+// See the AWS Key Management Service client KMS for more
+// information on creating client for this service.
+// https://docs.aws.amazon.com/sdk-for-go/api/service/kms/#New
+package kms
diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go b/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go
new file mode 100644
index 00000000..e41edf66
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go
@@ -0,0 +1,280 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+package kms
+
+const (
+
+ // ErrCodeAlreadyExistsException for service response error code
+ // "AlreadyExistsException".
+ //
+ // The request was rejected because it attempted to create a resource that already
+ // exists.
+ ErrCodeAlreadyExistsException = "AlreadyExistsException"
+
+ // ErrCodeCloudHsmClusterInUseException for service response error code
+ // "CloudHsmClusterInUseException".
+ //
+ // The request was rejected because the specified AWS CloudHSM cluster is already
+ // associated with a custom key store or it shares a backup history with a cluster
+ // that is associated with a custom key store. Each custom key store must be
+ // associated with a different AWS CloudHSM cluster.
+ //
+ // Clusters that share a backup history have the same cluster certificate. To
+ // view the cluster certificate of a cluster, use the DescribeClusters (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+ // operation.
+ ErrCodeCloudHsmClusterInUseException = "CloudHsmClusterInUseException"
+
+ // ErrCodeCloudHsmClusterInvalidConfigurationException for service response error code
+ // "CloudHsmClusterInvalidConfigurationException".
+ //
+ // The request was rejected because the associated AWS CloudHSM cluster did
+ // not meet the configuration requirements for a custom key store. The cluster
+ // must be configured with private subnets in at least two different Availability
+ // Zones in the Region. Also, it must contain at least as many HSMs as the operation
+ // requires.
+ //
+ // For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations,
+ // the AWS CloudHSM cluster must have at least two active HSMs, each in a different
+ // Availability Zone. For the ConnectCustomKeyStore operation, the AWS CloudHSM
+ // must contain at least one active HSM.
+ //
+ // For information about creating a private subnet for a AWS CloudHSM cluster,
+ // see Create a Private Subnet (http://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
+ // in the AWS CloudHSM User Guide. To add HSMs, use the AWS CloudHSM CreateHsm
+ // (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
+ // operation.
+ ErrCodeCloudHsmClusterInvalidConfigurationException = "CloudHsmClusterInvalidConfigurationException"
+
+ // ErrCodeCloudHsmClusterNotActiveException for service response error code
+ // "CloudHsmClusterNotActiveException".
+ //
+ // The request was rejected because the AWS CloudHSM cluster that is associated
+ // with the custom key store is not active. Initialize and activate the cluster
+ // and try the command again. For detailed instructions, see Getting Started
+ // (http://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
+ // in the AWS CloudHSM User Guide.
+ ErrCodeCloudHsmClusterNotActiveException = "CloudHsmClusterNotActiveException"
+
+ // ErrCodeCloudHsmClusterNotFoundException for service response error code
+ // "CloudHsmClusterNotFoundException".
+ //
+ // The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster
+ // with the specified cluster ID. Retry the request with a different cluster
+ // ID.
+ ErrCodeCloudHsmClusterNotFoundException = "CloudHsmClusterNotFoundException"
+
+ // ErrCodeCloudHsmClusterNotRelatedException for service response error code
+ // "CloudHsmClusterNotRelatedException".
+ //
+ // The request was rejected because the specified AWS CloudHSM cluster has a
+ // different cluster certificate than the original cluster. You cannot use the
+ // operation to specify an unrelated cluster.
+ //
+ // Specify a cluster that shares a backup history with the original cluster.
+ // This includes clusters that were created from a backup of the current cluster,
+ // and clusters that were created from the same backup that produced the current
+ // cluster.
+ //
+ // Clusters that share a backup history have the same cluster certificate. To
+ // view the cluster certificate of a cluster, use the DescribeClusters (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+ // operation.
+ ErrCodeCloudHsmClusterNotRelatedException = "CloudHsmClusterNotRelatedException"
+
+ // ErrCodeCustomKeyStoreHasCMKsException for service response error code
+ // "CustomKeyStoreHasCMKsException".
+ //
+ // The request was rejected because the custom key store contains AWS KMS customer
+ // master keys (CMKs). After verifying that you do not need to use the CMKs,
+ // use the ScheduleKeyDeletion operation to delete the CMKs. After they are
+ // deleted, you can delete the custom key store.
+ ErrCodeCustomKeyStoreHasCMKsException = "CustomKeyStoreHasCMKsException"
+
+ // ErrCodeCustomKeyStoreInvalidStateException for service response error code
+ // "CustomKeyStoreInvalidStateException".
+ //
+ // The request was rejected because of the ConnectionState of the custom key
+ // store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
+ // operation.
+ //
+ // This exception is thrown under the following conditions:
+ //
+ // * You requested the CreateKey or GenerateRandom operation in a custom
+ // key store that is not connected. These operations are valid only when
+ // the custom key store ConnectionState is CONNECTED.
+ //
+ // * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
+ // on a custom key store that is not disconnected. This operation is valid
+ // only when the custom key store ConnectionState is DISCONNECTED.
+ //
+ // * You requested the ConnectCustomKeyStore operation on a custom key store
+ // with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
+ // for all other ConnectionState values.
+ ErrCodeCustomKeyStoreInvalidStateException = "CustomKeyStoreInvalidStateException"
+
+ // ErrCodeCustomKeyStoreNameInUseException for service response error code
+ // "CustomKeyStoreNameInUseException".
+ //
+ // The request was rejected because the specified custom key store name is already
+ // assigned to another custom key store in the account. Try again with a custom
+ // key store name that is unique in the account.
+ ErrCodeCustomKeyStoreNameInUseException = "CustomKeyStoreNameInUseException"
+
+ // ErrCodeCustomKeyStoreNotFoundException for service response error code
+ // "CustomKeyStoreNotFoundException".
+ //
+ // The request was rejected because AWS KMS cannot find a custom key store with
+ // the specified key store name or ID.
+ ErrCodeCustomKeyStoreNotFoundException = "CustomKeyStoreNotFoundException"
+
+ // ErrCodeDependencyTimeoutException for service response error code
+ // "DependencyTimeoutException".
+ //
+ // The system timed out while trying to fulfill the request. The request can
+ // be retried.
+ ErrCodeDependencyTimeoutException = "DependencyTimeoutException"
+
+ // ErrCodeDisabledException for service response error code
+ // "DisabledException".
+ //
+ // The request was rejected because the specified CMK is not enabled.
+ ErrCodeDisabledException = "DisabledException"
+
+ // ErrCodeExpiredImportTokenException for service response error code
+ // "ExpiredImportTokenException".
+ //
+ // The request was rejected because the provided import token is expired. Use
+ // GetParametersForImport to get a new import token and public key, use the
+ // new public key to encrypt the key material, and then try the request again.
+ ErrCodeExpiredImportTokenException = "ExpiredImportTokenException"
+
+ // ErrCodeIncorrectKeyMaterialException for service response error code
+ // "IncorrectKeyMaterialException".
+ //
+ // The request was rejected because the provided key material is invalid or
+ // is not the same key material that was previously imported into this customer
+ // master key (CMK).
+ ErrCodeIncorrectKeyMaterialException = "IncorrectKeyMaterialException"
+
+ // ErrCodeIncorrectTrustAnchorException for service response error code
+ // "IncorrectTrustAnchorException".
+ //
+ // The request was rejected because the trust anchor certificate in the request
+ // is not the trust anchor certificate for the specified AWS CloudHSM cluster.
+ //
+ // When you initialize the cluster (http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
+ // you create the trust anchor certificate and save it in the customerCA.crt
+ // file.
+ ErrCodeIncorrectTrustAnchorException = "IncorrectTrustAnchorException"
+
+ // ErrCodeInternalException for service response error code
+ // "KMSInternalException".
+ //
+ // The request was rejected because an internal exception occurred. The request
+ // can be retried.
+ ErrCodeInternalException = "KMSInternalException"
+
+ // ErrCodeInvalidAliasNameException for service response error code
+ // "InvalidAliasNameException".
+ //
+ // The request was rejected because the specified alias name is not valid.
+ ErrCodeInvalidAliasNameException = "InvalidAliasNameException"
+
+ // ErrCodeInvalidArnException for service response error code
+ // "InvalidArnException".
+ //
+ // The request was rejected because a specified ARN was not valid.
+ ErrCodeInvalidArnException = "InvalidArnException"
+
+ // ErrCodeInvalidCiphertextException for service response error code
+ // "InvalidCiphertextException".
+ //
+ // The request was rejected because the specified ciphertext, or additional
+ // authenticated data incorporated into the ciphertext, such as the encryption
+ // context, is corrupted, missing, or otherwise invalid.
+ ErrCodeInvalidCiphertextException = "InvalidCiphertextException"
+
+ // ErrCodeInvalidGrantIdException for service response error code
+ // "InvalidGrantIdException".
+ //
+ // The request was rejected because the specified GrantId is not valid.
+ ErrCodeInvalidGrantIdException = "InvalidGrantIdException"
+
+ // ErrCodeInvalidGrantTokenException for service response error code
+ // "InvalidGrantTokenException".
+ //
+ // The request was rejected because the specified grant token is not valid.
+ ErrCodeInvalidGrantTokenException = "InvalidGrantTokenException"
+
+ // ErrCodeInvalidImportTokenException for service response error code
+ // "InvalidImportTokenException".
+ //
+ // The request was rejected because the provided import token is invalid or
+ // is associated with a different customer master key (CMK).
+ ErrCodeInvalidImportTokenException = "InvalidImportTokenException"
+
+ // ErrCodeInvalidKeyUsageException for service response error code
+ // "InvalidKeyUsageException".
+ //
+ // The request was rejected because the specified KeySpec value is not valid.
+ ErrCodeInvalidKeyUsageException = "InvalidKeyUsageException"
+
+ // ErrCodeInvalidMarkerException for service response error code
+ // "InvalidMarkerException".
+ //
+ // The request was rejected because the marker that specifies where pagination
+ // should next begin is not valid.
+ ErrCodeInvalidMarkerException = "InvalidMarkerException"
+
+ // ErrCodeInvalidStateException for service response error code
+ // "KMSInvalidStateException".
+ //
+ // The request was rejected because the state of the specified resource is not
+ // valid for this request.
+ //
+ // For more information about how key state affects the use of a CMK, see How
+ // Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+ // in the AWS Key Management Service Developer Guide.
+ ErrCodeInvalidStateException = "KMSInvalidStateException"
+
+ // ErrCodeKeyUnavailableException for service response error code
+ // "KeyUnavailableException".
+ //
+ // The request was rejected because the specified CMK was not available. The
+ // request can be retried.
+ ErrCodeKeyUnavailableException = "KeyUnavailableException"
+
+ // ErrCodeLimitExceededException for service response error code
+ // "LimitExceededException".
+ //
+ // The request was rejected because a limit was exceeded. For more information,
+ // see Limits (http://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
+ // in the AWS Key Management Service Developer Guide.
+ ErrCodeLimitExceededException = "LimitExceededException"
+
+ // ErrCodeMalformedPolicyDocumentException for service response error code
+ // "MalformedPolicyDocumentException".
+ //
+ // The request was rejected because the specified policy is not syntactically
+ // or semantically correct.
+ ErrCodeMalformedPolicyDocumentException = "MalformedPolicyDocumentException"
+
+ // ErrCodeNotFoundException for service response error code
+ // "NotFoundException".
+ //
+ // The request was rejected because the specified entity or resource could not
+ // be found.
+ ErrCodeNotFoundException = "NotFoundException"
+
+ // ErrCodeTagException for service response error code
+ // "TagException".
+ //
+ // The request was rejected because one or more tags are not valid.
+ ErrCodeTagException = "TagException"
+
+ // ErrCodeUnsupportedOperationException for service response error code
+ // "UnsupportedOperationException".
+ //
+ // The request was rejected because a specified parameter is not supported or
+ // a specified resource is not valid for this operation.
+ ErrCodeUnsupportedOperationException = "UnsupportedOperationException"
+)
diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/service.go b/vendor/github.com/aws/aws-sdk-go/service/kms/service.go
new file mode 100644
index 00000000..6d062f32
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/service/kms/service.go
@@ -0,0 +1,97 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+package kms
+
+import (
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/client"
+ "github.com/aws/aws-sdk-go/aws/client/metadata"
+ "github.com/aws/aws-sdk-go/aws/request"
+ "github.com/aws/aws-sdk-go/aws/signer/v4"
+ "github.com/aws/aws-sdk-go/private/protocol/jsonrpc"
+)
+
+// KMS provides the API operation methods for making requests to
+// AWS Key Management Service. See this package's package overview docs
+// for details on the service.
+//
+// KMS methods are safe to use concurrently. It is not safe to
+// modify mutate any of the struct's properties though.
+type KMS struct {
+ *client.Client
+}
+
+// Used for custom client initialization logic
+var initClient func(*client.Client)
+
+// Used for custom request initialization logic
+var initRequest func(*request.Request)
+
+// Service information constants
+const (
+ ServiceName = "kms" // Name of service.
+ EndpointsID = ServiceName // ID to lookup a service endpoint with.
+ ServiceID = "KMS" // ServiceID is a unique identifer of a specific service.
+)
+
+// New creates a new instance of the KMS client with a session.
+// If additional configuration is needed for the client instance use the optional
+// aws.Config parameter to add your extra config.
+//
+// Example:
+// // Create a KMS client from just a session.
+// svc := kms.New(mySession)
+//
+// // Create a KMS client with additional configuration
+// svc := kms.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
+func New(p client.ConfigProvider, cfgs ...*aws.Config) *KMS {
+ c := p.ClientConfig(EndpointsID, cfgs...)
+ return newClient(*c.Config, c.Handlers, c.Endpoint, c.SigningRegion, c.SigningName)
+}
+
+// newClient creates, initializes and returns a new service client instance.
+func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion, signingName string) *KMS {
+ svc := &KMS{
+ Client: client.New(
+ cfg,
+ metadata.ClientInfo{
+ ServiceName: ServiceName,
+ ServiceID: ServiceID,
+ SigningName: signingName,
+ SigningRegion: signingRegion,
+ Endpoint: endpoint,
+ APIVersion: "2014-11-01",
+ JSONVersion: "1.1",
+ TargetPrefix: "TrentService",
+ },
+ handlers,
+ ),
+ }
+
+ // Handlers
+ svc.Handlers.Sign.PushBackNamed(v4.SignRequestHandler)
+ svc.Handlers.Build.PushBackNamed(jsonrpc.BuildHandler)
+ svc.Handlers.Unmarshal.PushBackNamed(jsonrpc.UnmarshalHandler)
+ svc.Handlers.UnmarshalMeta.PushBackNamed(jsonrpc.UnmarshalMetaHandler)
+ svc.Handlers.UnmarshalError.PushBackNamed(jsonrpc.UnmarshalErrorHandler)
+
+ // Run custom client initialization if present
+ if initClient != nil {
+ initClient(svc.Client)
+ }
+
+ return svc
+}
+
+// newRequest creates a new request for a KMS operation and runs any
+// custom request initialization.
+func (c *KMS) newRequest(op *request.Operation, params, data interface{}) *request.Request {
+ req := c.NewRequest(op, params, data)
+
+ // Run custom request initialization if present
+ if initRequest != nil {
+ initRequest(req)
+ }
+
+ return req
+}