Returns a data encryption key encrypted under a customer master key (CMK). This operation is identical to
GenerateDataKey but returns only the encrypted copy of the data key.
This operation is useful in a system that has multiple components with different degrees of trust. For example, consider a system that stores encrypted data in containers. Each container stores the encrypted data and an encrypted copy of the data key. One component of the system, called the control plane, creates new containers. When it creates a new container, it uses this operation (GenerateDataKeyWithoutPlaintext) to get an encrypted data key and then stores it in the container. Later, a different component of the system, called the data plane, puts encrypted data into the containers. To do this, it passes the encrypted data key to the Decrypt operation, then uses the returned plaintext data key to encrypt data, and finally stores the encrypted data in the container. In this system, the control plane never sees the plaintext data key.
/// The system timed out while trying to fulfill the request. The request can be retried.
///
/// The request was rejected because the specified CMK is not enabled.
///
/// The request was rejected because the specified grant token is not valid.
///
/// The request was rejected because the specified
KeySpec value is not valid.
///
/// The request was rejected because the specified CMK was not available. The request
/// can be retried.
///
/// The request was rejected because an internal exception occurred. The request can be
/// retried.
///
/// The request was rejected because the state of the specified resource is not valid
/// for this request.
///
///
///
/// For more information about how key state affects the use of a CMK, see How
/// Key State Affects Use of a Customer Master Key in the AWS Key Management Service
/// Developer Guide.
///
///
/// The request was rejected because the specified entity or resource could not be found.
///
