arazzo: 1.0.1
info:
  title: Amazon KMS Generate and Recover Data Key
  summary: Generate a data key, then decrypt its encrypted form to recover the plaintext key.
  description: >-
    Supports the data-key lifecycle where an application stores only the encrypted data key
    alongside its ciphertext and re-derives the plaintext key on demand. The workflow generates
    a symmetric data key, then immediately decrypts the returned encrypted data key to confirm
    it can be recovered. The CiphertextBlob from generation is chained into the decrypt call.
    Each step spells out its request inline, including the AWS JSON protocol X-Amz-Target header,
    so the flow can be read and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
  - name: kmsApi
    url: ../openapi/amazon-kms-openapi.yml
    type: openapi
workflows:
  - workflowId: generate-and-recover-data-key
    summary: Generate a data key then decrypt the encrypted copy to recover it.
    description: >-
      Generates a symmetric data key under a KMS key and decrypts the returned encrypted data key
      to prove the stored ciphertext can be turned back into a usable plaintext key.
    inputs:
      type: object
      required:
        - KeyId
      properties:
        KeyId:
          type: string
          description: Identifies the KMS key that protects the data key.
        KeySpec:
          type: string
          description: The length of the data key to generate (e.g. AES_256).
    steps:
      - stepId: generateDataKey
        description: >-
          Generate a unique symmetric data key under the KMS key, returning both the plaintext key
          and its encrypted form.
        operationId: GenerateDataKey
        parameters:
          - name: KeyId
            in: path
            value: $inputs.KeyId
          - name: X-Amz-Target
            in: header
            value: TrentService.GenerateDataKey
        requestBody:
          contentType: application/x-amz-json-1.1
          payload:
            KeyId: $inputs.KeyId
            KeySpec: $inputs.KeySpec
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          encryptedDataKey: $response.body#/CiphertextBlob
          plaintextDataKey: $response.body#/Plaintext
      - stepId: recoverDataKey
        description: >-
          Decrypt the encrypted data key returned by generation to recover the original plaintext
          data key.
        operationId: Decrypt
        parameters:
          - name: X-Amz-Target
            in: header
            value: TrentService.Decrypt
        requestBody:
          contentType: application/x-amz-json-1.1
          payload:
            KeyId: $inputs.KeyId
            CiphertextBlob: $steps.generateDataKey.outputs.encryptedDataKey
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          recoveredPlaintext: $response.body#/Plaintext
    outputs:
      encryptedDataKey: $steps.generateDataKey.outputs.encryptedDataKey
      recoveredPlaintext: $steps.recoverDataKey.outputs.recoveredPlaintext