edit-icon download-icon


Last Updated: Apr 17, 2018


Imports key material to an existing KMS CMK that was created without key material.

  • The Origin of the CMK to which you import key material must be EXTERNAL.
    To create a CMK with no key material, call CreateKey and set the value of its Origin parameter to EXTERNAL.
    To get the Origin of a CMK, call DescribeKey.

  • Before calling this API, call GetParametersForImport to get the key material ready to import. It returns a public key and an import token. Use the public key to encrypt the key material. Then, submit the import token from the same GetParametersForImport response to KMS.


  • The key material must be a 256-bit symmetric key.
  • You can set the expiration time for the key material, or you can set it to never expire. You can always reimport the same key material and reset the expiration time, but you cannot import a different key material to the specified CMK.
  • DeleteImportedKeyMaterial or the expired key material makes the specified CMK unusable. You can reimport the same key material.
  • A key material can be imported to multiple CMKs, but any data or data key encrypted by one CMK cannot be decrypted by another CMK.

Request parameters

Name Type Required Description
EncryptedKeyMaterial String Yes Base64-encoded key material to import.
ImportToken String Yes The import token you get by calling GetParametersForImport.
KeyMaterialExpireUnix Timestamp No The time at which the imported key material expires.
- If the value is omitted, or is specified as 0, the key material does not expire.
- The value cannot be earlier than the timestamp at which you call the API (Base on the time set on the API server).

Response parameters

Name Type Description
RequestId String ID of this request.


Request example

  1. https://kms.cn-hangzhou.aliyuncs.com/?Action=ImportKeyMaterial
  2. &EncryptedKeyMaterial=<your encrypted key material>
  3. &ImportToken=<import token from GetParametersForImport>
  4. &KeyMaterialExpireUnix=1518307200
  5. &<Common request parameters>

Response example

JSON format

  1. //json response
  2. {
  3. "RequestId":"ec1017cf-ead4-f3ca-babc-c3b34f3dbecb"
  4. }

XML format

  1. //xml response
  2. <KMS>
  3. <RequestId>ec1017cf-ead4-f3ca-babc-c3b34f3dbecb</RequestId>
  4. </KMS>
Thank you! We've received your feedback.