feat(client-payment-cryptography): Adds optional support to retrieve previously generated import and export tokens to simplify import and export functions

awstools · awstools · commit 7627474328ec · 2026-04-03T18:14:17.000Z
diff --git a/clients/client-payment-cryptography/src/commands/GetParametersForExportCommand.ts b/clients/client-payment-cryptography/src/commands/GetParametersForExportCommand.ts
@@ -31,7 +31,7 @@ export interface GetParametersForExportCommandInput extends GetParametersForExpo
 export interface GetParametersForExportCommandOutput extends GetParametersForExportOutput, __MetadataBearer {}
 
 /**
- * <p>Gets the export token and the signing key certificate to initiate a TR-34 key export from Amazon Web Services Payment Cryptography.</p> <p>The signing key certificate signs the wrapped key under export within the TR-34 key payload. The export token and signing key certificate must be in place and operational before calling <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ExportKey.html">ExportKey</a>. The export token expires in 30 days. You can use the same export token to export multiple keys from your service account.</p> <p> <b>Cross-account use:</b> This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ExportKey.html">ExportKey</a> </p> </li> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForImport.html">GetParametersForImport</a> </p> </li> </ul>
+ * <p>Gets the export token and the signing key certificate to initiate a TR-34 key export from Amazon Web Services Payment Cryptography.</p> <p>The signing key certificate signs the wrapped key under export within the TR-34 key payload. The export token and signing key certificate must be in place and operational before calling <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ExportKey.html">ExportKey</a>. The export token expires in 30 days. You can use the same export token to export multiple keys from your service account.</p> <p>To return a previously generated export token and signing key certificate instead of generating new ones, set <code>ReuseLastGeneratedToken</code> to <code>true</code>.</p> <p> <b>Cross-account use:</b> This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ExportKey.html">ExportKey</a> </p> </li> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForImport.html">GetParametersForImport</a> </p> </li> </ul>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -43,6 +43,7 @@ export interface GetParametersForExportCommandOutput extends GetParametersForExp
  * const input = { // GetParametersForExportInput
  *   KeyMaterialType: "STRING_VALUE", // required
  *   SigningKeyAlgorithm: "STRING_VALUE", // required
+ *   ReuseLastGeneratedToken: true || false,
  * };
  * const command = new GetParametersForExportCommand(input);
  * const response = await client.send(command);
diff --git a/clients/client-payment-cryptography/src/commands/GetParametersForImportCommand.ts b/clients/client-payment-cryptography/src/commands/GetParametersForImportCommand.ts
@@ -31,7 +31,7 @@ export interface GetParametersForImportCommandInput extends GetParametersForImpo
 export interface GetParametersForImportCommandOutput extends GetParametersForImportOutput, __MetadataBearer {}
 
 /**
- * <p>Gets the import token and the wrapping key certificate in PEM format (base64 encoded) to initiate a TR-34 WrappedKeyBlock or a RSA WrappedKeyCryptogram import into Amazon Web Services Payment Cryptography.</p> <p>The wrapping key certificate wraps the key under import. The import token and wrapping key certificate must be in place and operational before calling <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html">ImportKey</a>. The import token expires in 30 days. You can use the same import token to import multiple keys into your service account.</p> <p> <b>Cross-account use:</b> This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForExport.html">GetParametersForExport</a> </p> </li> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html">ImportKey</a> </p> </li> </ul>
+ * <p>Gets the import token and the wrapping key certificate in PEM format (base64 encoded) to initiate a TR-34 WrappedKeyBlock or a RSA WrappedKeyCryptogram import into Amazon Web Services Payment Cryptography.</p> <p>The wrapping key certificate wraps the key under import. The import token and wrapping key certificate must be in place and operational before calling <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html">ImportKey</a>. The import token expires in 30 days. You can use the same import token to import multiple keys into your service account.</p> <p>To return a previously generated import token and wrapping key certificate instead of generating new ones, set <code>ReuseLastGeneratedToken</code> to <code>true</code>.</p> <p> <b>Cross-account use:</b> This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForExport.html">GetParametersForExport</a> </p> </li> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html">ImportKey</a> </p> </li> </ul>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -43,6 +43,7 @@ export interface GetParametersForImportCommandOutput extends GetParametersForImp
  * const input = { // GetParametersForImportInput
  *   KeyMaterialType: "STRING_VALUE", // required
  *   WrappingKeyAlgorithm: "STRING_VALUE", // required
+ *   ReuseLastGeneratedToken: true || false,
  * };
  * const command = new GetParametersForImportCommand(input);
  * const response = await client.send(command);
diff --git a/clients/client-payment-cryptography/src/models/models_0.ts b/clients/client-payment-cryptography/src/models/models_0.ts
@@ -1158,6 +1158,12 @@ export interface GetParametersForExportInput {
    * @public
    */
   SigningKeyAlgorithm: KeyAlgorithm | undefined;
+
+  /**
+   * <p>Specifies whether to reuse the existing export token and signing key certificate. If set to <code>true</code> and a valid export token exists for the same key material type and signing key algorithm with at least 7 days of remaining validity, the existing token and signing key certificate are returned. Otherwise, a new export token and signing key certificate are generated. The default value is <code>false</code>, which generates a new export token and signing key certificate on every call.</p>
+   * @public
+   */
+  ReuseLastGeneratedToken?: boolean | undefined;
 }
 
 /**
@@ -1210,6 +1216,12 @@ export interface GetParametersForImportInput {
    * @public
    */
   WrappingKeyAlgorithm: KeyAlgorithm | undefined;
+
+  /**
+   * <p>Specifies whether to reuse the existing import token and wrapping key certificate. If set to <code>true</code> and a valid import token exists for the same key material type and wrapping key algorithm with at least 7 days of remaining validity, the existing token and wrapping key certificate are returned. Otherwise, a new import token and wrapping key certificate are generated. The default value is <code>false</code>, which generates a new import token and wrapping key certificate on every call.</p>
+   * @public
+   */
+  ReuseLastGeneratedToken?: boolean | undefined;
 }
 
 /**
@@ -1263,7 +1275,7 @@ export interface GetPublicKeyCertificateInput {
  */
 export interface GetPublicKeyCertificateOutput {
   /**
-   * <p>The public key component of the asymmetric key pair in a certificate PEM format (base64 encoded). It is signed by the root certificate authority (CA). The certificate expires in 90 days.</p>
+   * <p>The public key component of the asymmetric key pair in a certificate PEM format (base64 encoded). It is signed by the root certificate authority (CA). The certificate is valid for 90 days from the time it is issued. The service returns a cached certificate if one exists with at least 30 days of remaining validity. Otherwise, a new 90-day certificate is issued.</p>
    * @public
    */
   KeyCertificate: string | undefined;
diff --git a/clients/client-payment-cryptography/src/schemas/schemas_0.ts b/clients/client-payment-cryptography/src/schemas/schemas_0.ts
@@ -155,6 +155,7 @@ const _RKO = "RestoreKeyOutput";
 const _RKRR = "RemoveKeyReplicationRegions";
 const _RKRRI = "RemoveKeyReplicationRegionsInput";
 const _RKRRO = "RemoveKeyReplicationRegionsOutput";
+const _RLGT = "ReuseLastGeneratedToken";
 const _RN = "RandomNonce";
 const _RNFE = "ResourceNotFoundException";
 const _RR = "ReplicationRegions";
@@ -481,8 +482,8 @@ export var GetKeyOutput$: StaticStructureSchema = [3, n0, _GKO,
 ];
 export var GetParametersForExportInput$: StaticStructureSchema = [3, n0, _GPFEI,
   0,
-  [_KMT, _SKA],
-  [0, 0], 2
+  [_KMT, _SKA, _RLGT],
+  [0, 0, 2], 2
 ];
 export var GetParametersForExportOutput$: StaticStructureSchema = [3, n0, _GPFEO,
   0,
@@ -491,8 +492,8 @@ export var GetParametersForExportOutput$: StaticStructureSchema = [3, n0, _GPFEO
 ];
 export var GetParametersForImportInput$: StaticStructureSchema = [3, n0, _GPFII,
   0,
-  [_KMT, _WKA],
-  [0, 0], 2
+  [_KMT, _WKA, _RLGT],
+  [0, 0, 2], 2
 ];
 export var GetParametersForImportOutput$: StaticStructureSchema = [3, n0, _GPFIO,
   0,
diff --git a/codegen/sdk-codegen/aws-models/payment-cryptography.json b/codegen/sdk-codegen/aws-models/payment-cryptography.json
@@ -1545,7 +1545,7 @@
       ],
       "traits": {
         "aws.api#controlPlane": {},
-        "smithy.api#documentation": "<p>Gets the export token and the signing key certificate to initiate a TR-34 key export from Amazon Web Services Payment Cryptography.</p> <p>The signing key certificate signs the wrapped key under export within the TR-34 key payload. The export token and signing key certificate must be in place and operational before calling <a href=\"https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ExportKey.html\">ExportKey</a>. The export token expires in 30 days. You can use the same export token to export multiple keys from your service account.</p> <p> <b>Cross-account use:</b> This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a href=\"https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ExportKey.html\">ExportKey</a> </p> </li> <li> <p> <a href=\"https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForImport.html\">GetParametersForImport</a> </p> </li> </ul>"
+        "smithy.api#documentation": "<p>Gets the export token and the signing key certificate to initiate a TR-34 key export from Amazon Web Services Payment Cryptography.</p> <p>The signing key certificate signs the wrapped key under export within the TR-34 key payload. The export token and signing key certificate must be in place and operational before calling <a href=\"https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ExportKey.html\">ExportKey</a>. The export token expires in 30 days. You can use the same export token to export multiple keys from your service account.</p> <p>To return a previously generated export token and signing key certificate instead of generating new ones, set <code>ReuseLastGeneratedToken</code> to <code>true</code>.</p> <p> <b>Cross-account use:</b> This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a href=\"https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ExportKey.html\">ExportKey</a> </p> </li> <li> <p> <a href=\"https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForImport.html\">GetParametersForImport</a> </p> </li> </ul>"
       }
     },
     "com.amazonaws.paymentcryptography#GetParametersForExportInput": {
@@ -1564,6 +1564,12 @@
             "smithy.api#documentation": "<p>The signing key algorithm to generate a signing key certificate. This certificate signs the wrapped key under export within the TR-34 key block. <code>RSA_2048</code> is the only signing key algorithm allowed.</p>",
             "smithy.api#required": {}
           }
+        },
+        "ReuseLastGeneratedToken": {
+          "target": "smithy.api#Boolean",
+          "traits": {
+            "smithy.api#documentation": "<p>Specifies whether to reuse the existing export token and signing key certificate. If set to <code>true</code> and a valid export token exists for the same key material type and signing key algorithm with at least 7 days of remaining validity, the existing token and signing key certificate are returned. Otherwise, a new export token and signing key certificate are generated. The default value is <code>false</code>, which generates a new export token and signing key certificate on every call.</p>"
+          }
         }
       },
       "traits": {
@@ -1649,7 +1655,7 @@
       ],
       "traits": {
         "aws.api#controlPlane": {},
-        "smithy.api#documentation": "<p>Gets the import token and the wrapping key certificate in PEM format (base64 encoded) to initiate a TR-34 WrappedKeyBlock or a RSA WrappedKeyCryptogram import into Amazon Web Services Payment Cryptography.</p> <p>The wrapping key certificate wraps the key under import. The import token and wrapping key certificate must be in place and operational before calling <a href=\"https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html\">ImportKey</a>. The import token expires in 30 days. You can use the same import token to import multiple keys into your service account.</p> <p> <b>Cross-account use:</b> This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a href=\"https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForExport.html\">GetParametersForExport</a> </p> </li> <li> <p> <a href=\"https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html\">ImportKey</a> </p> </li> </ul>"
+        "smithy.api#documentation": "<p>Gets the import token and the wrapping key certificate in PEM format (base64 encoded) to initiate a TR-34 WrappedKeyBlock or a RSA WrappedKeyCryptogram import into Amazon Web Services Payment Cryptography.</p> <p>The wrapping key certificate wraps the key under import. The import token and wrapping key certificate must be in place and operational before calling <a href=\"https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html\">ImportKey</a>. The import token expires in 30 days. You can use the same import token to import multiple keys into your service account.</p> <p>To return a previously generated import token and wrapping key certificate instead of generating new ones, set <code>ReuseLastGeneratedToken</code> to <code>true</code>.</p> <p> <b>Cross-account use:</b> This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a href=\"https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForExport.html\">GetParametersForExport</a> </p> </li> <li> <p> <a href=\"https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html\">ImportKey</a> </p> </li> </ul>"
       }
     },
     "com.amazonaws.paymentcryptography#GetParametersForImportInput": {
@@ -1668,6 +1674,12 @@
             "smithy.api#documentation": "<p>The wrapping key algorithm to generate a wrapping key certificate. This certificate wraps the key under import.</p> <p>At this time, <code>RSA_2048</code> is the allowed algorithm for TR-34 WrappedKeyBlock import. Additionally, <code>RSA_2048</code>, <code>RSA_3072</code>, <code>RSA_4096</code> are the allowed algorithms for RSA WrappedKeyCryptogram import.</p>",
             "smithy.api#required": {}
           }
+        },
+        "ReuseLastGeneratedToken": {
+          "target": "smithy.api#Boolean",
+          "traits": {
+            "smithy.api#documentation": "<p>Specifies whether to reuse the existing import token and wrapping key certificate. If set to <code>true</code> and a valid import token exists for the same key material type and wrapping key algorithm with at least 7 days of remaining validity, the existing token and wrapping key certificate are returned. Otherwise, a new import token and wrapping key certificate are generated. The default value is <code>false</code>, which generates a new import token and wrapping key certificate on every call.</p>"
+          }
         }
       },
       "traits": {
@@ -1772,7 +1784,7 @@
         "KeyCertificate": {
           "target": "com.amazonaws.paymentcryptography#CertificateType",
           "traits": {
-            "smithy.api#documentation": "<p>The public key component of the asymmetric key pair in a certificate PEM format (base64 encoded). It is signed by the root certificate authority (CA). The certificate expires in 90 days.</p>",
+            "smithy.api#documentation": "<p>The public key component of the asymmetric key pair in a certificate PEM format (base64 encoded). It is signed by the root certificate authority (CA). The certificate is valid for 90 days from the time it is issued. The service returns a cached certificate if one exists with at least 30 days of remaining validity. Otherwise, a new 90-day certificate is issued.</p>",
             "smithy.api#required": {}
           }
         },
