Obtains the parameters that are used to import key material for a customer master key (CMK).

Usage notes
  • The returned parameters can be used to call the ImportKeyMaterial operation.
  • You can import key material only for CMKs whose Origin parameter is set to EXTERNAL.
  • The public key and import token that are returned when you call the GetParametersForImport operation must be used together. The public key and import token can be used to import key material only for CMKs that are specified for the call.
  • Each call of the GetParametersForImport operation returns a unique public key and import token.
  • You must specify the type of the public key and the encryption algorithm that are used to encrypt key material. The following table lists the types of public keys and the encryption algorithms that are supported for each type.

    Public key type | Encryption algorithm | Description
    RSA_2048 | RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256 | Keys of all regions and all protection levels are supported. Dedicated Key Management Service (KMS) does not support RSAES_OAEP_SHA_1.
    EC_SM2 | SM2PKE | The SM2 algorithm is developed and approved by the State Cryptography Administration of China. The SM2 algorithm can be used only to import key material for a CMK whose ProtectionLevel is set to HSM. KMS supports the SM2 algorithm by using a managed hardware security module (HSM) that is deployed in mainland China. For more information, see Overview of Managed HSM.

This topic provides an example of how to import key material for a CMK whose ID is 1234abcd-12ab-34cd-56ef-12345678**** by using the RSAES_PKCS1_V1_5 encryption algorithm and a public key of the RSA_2048 type. The returned parameters include the ID of the CMK, the public key that is used to encrypt key material, the import token that is used to import key material, and the time when the import token expires.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter | Type | Required | Example | Description
Action | String | Yes | GetParametersForImport | The operation that you want to perform. Set the value to GetParametersForImport.
KeyId | String | Yes | 1234abcd-12ab-34cd-56ef-12345678**** | The ID of the CMK. The ID is globally unique. Note: You can import key material only for CMKs whose Origin parameter is set to EXTERNAL.
WrappingAlgorithm | String | Yes | RSAES_PKCS1_V1_5 | The algorithm that is used to encrypt key material.
WrappingKeySpec | String | Yes | RSA_2048 | The type of the public key that is used to encrypt key material.

For more information about common request parameters, see Common parameters.

Response parameters

Parameter | Type | Example | Description
ImportToken | String | Base64String | The import token that is used to import key material. The import token is valid for 24 hours. The value of this parameter is required when you call the ImportKeyMaterial operation.
KeyId | String | 1234abcd-12ab-34cd-56ef-12345678**** | The ID of the CMK. The ID is globally unique. The value of this parameter is required when you call the ImportKeyMaterial operation.
PublicKey | String | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlls4uIBxD0GG84C+lGBO6Dhpf1J3XimC6cPmPNaKKJMOzoX4tD+C+r7aZv8lZ3vnPfxuxvy/YwG+whUxTEEFUdqJTOIzhPfYucupqKM92crVHIuG+xtMVeHKjyTr+UrtKCsQikqHT+19yDRN/RMoo2HUx0gmEnRyXd8t3JyUXun9FdoxKA08GrsV7nodb9ZsoBLhnev7tTLcXvLyKW6XG1ZQCQm6dPnbnwLeDXR7uK0Lqn9PM28mBIdaiQUQxj2XbM1CoJA+JiyVX3Ptdb+4rqukb4Rb05B80Bs9xV/cf7FIku08l7xGhrGiQFq+DFXwQWtwihXHZxz3LhldU+4ZPwID**** | The public key that is used to encrypt key material. The public key is encoded in Base64.
RequestId | String | 8cdf51fd-bcd6-d79a-0ef4-e52c9b5466dc | The ID of the request.
TokenExpireTime | String | 2018-01-25T00:01:02Z | The time when the import token expires.

Examples

Sample requests

https://[Endpoint]/?Action=GetParametersForImport
&KeyId=1234abcd-12ab-34cd-56ef-12345678****
&WrappingAlgorithm=RSAES_PKCS1_V1_5
&WrappingKeySpec=RSA_2048
&<Common request parameters>

Sample success responses

XML format

<KMS>
    <ImportToken>Base64String</ImportToken>
    <PublicKey>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlls4uIBxD0GG84C+lGBO6Dhpf1J3XimC6cPmPNaKKJMOzoX4tD+C+r7aZv8lZ3vnPfxuxvy/YwG+whUxTEEFUdqJTOIzhPfYucupqKM92crVHIuG+xtMVeHKjyTr+UrtKCsQikqHT+19yDRN/RMoo2HUx0gmEnRyXd8t3JyUXun9FdoxKA08GrsV7nodb9ZsoBLhnev7tTLcXvLyKW6XG1ZQCQm6dPnbnwLeDXR7uK0Lqn9PM28mBIdaiQUQxj2XbM1CoJA+JiyVX3Ptdb+4rqukb4Rb05B80Bs9xV/cf7FIku08l7xGhrGiQFq+DFXwQWtwihXHZxz3LhldU+4ZPwID****</PublicKey>
    <KeyId>1234abcd-12ab-34cd-56ef-12345678****</KeyId>
    <TokenExpireTime>2018-01-25T00:01:02Z</TokenExpireTime>
    <RequestId>8cdf51fd-bcd6-d79a-0ef4-e52c9b5466dc</RequestId>
</KMS>

JSON format

{
        "ImportToken":"Base64String",
        "PublicKey":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlls4uIBxD0GG84C+lGBO6Dhpf1J3XimC6cPmPNaKKJMOzoX4tD+C+r7aZv8lZ3vnPfxuxvy/YwG+whUxTEEFUdqJTOIzhPfYucupqKM92crVHIuG+xtMVeHKjyTr+UrtKCsQikqHT+19yDRN/RMoo2HUx0gmEnRyXd8t3JyUXun9FdoxKA08GrsV7nodb9ZsoBLhnev7tTLcXvLyKW6XG1ZQCQm6dPnbnwLeDXR7uK0Lqn9PM28mBIdaiQUQxj2XbM1CoJA+JiyVX3Ptdb+4rqukb4Rb05B80Bs9xV/cf7FIku08l7xGhrGiQFq+DFXwQWtwihXHZxz3LhldU+4ZPwID****",
        "KeyId":"1234abcd-12ab-34cd-56ef-12345678****",
        "TokenExpireTime":"2018-01-25T00:01:02Z",
        "RequestId":"8cdf51fd-bcd6-d79a-0ef4-e52c9b5466dc"
}
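
How a client can consume these response parameters before it calls ImportKeyMaterial, shown as an added example that is not part of the original KMS documentation or SDK: it checks that the parameters belong to the intended CMK and that the import token has not expired, then wraps the key material under the returned public key. Assumptions: the Python cryptography package is installed, PublicKey is a Base64-encoded DER SubjectPublicKeyInfo, OAEP uses MGF1 with the same hash, the key material is 32 bytes, and a locally generated key pair (constructed_response, a hypothetical helper) stands in for KMS so the block runs offline.

```python
import base64
import os
from datetime import datetime, timedelta, timezone

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

KEY_ID = "1234abcd-12ab-34cd-56ef-12345678****"  # masked sample ID from this page

def _oaep(h):
    # Assumption: MGF1 uses the same hash as OAEP itself.
    return padding.OAEP(mgf=padding.MGF1(algorithm=h), algorithm=h, label=None)

# WrappingAlgorithm values listed for RSA_2048, mapped to padding constructors.
PADDINGS = {
    "RSAES_PKCS1_V1_5": padding.PKCS1v15,
    "RSAES_OAEP_SHA_1": lambda: _oaep(hashes.SHA1()),
    "RSAES_OAEP_SHA_256": lambda: _oaep(hashes.SHA256()),
}

def build_import_request(resp, key_id, algorithm, key_material, now=None):
    """Wrap key_material under the returned PublicKey; keep the token paired with it."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.strptime(resp["TokenExpireTime"], "%Y-%m-%dT%H:%M:%SZ")
    if resp["KeyId"] != key_id:
        raise ValueError("parameters were issued for a different CMK")
    if now >= expires.replace(tzinfo=timezone.utc):
        raise ValueError("import token expired; call GetParametersForImport again")
    public_key = serialization.load_der_public_key(base64.b64decode(resp["PublicKey"]))
    if not isinstance(public_key, rsa.RSAPublicKey) or public_key.key_size != 2048:
        raise ValueError("expected an RSA_2048 wrapping key")
    wrapped = public_key.encrypt(key_material, PADDINGS[algorithm]())
    # EncryptedKeyMaterial carries the wrapped bytes (Base64) to ImportKeyMaterial.
    return {"KeyId": key_id, "ImportToken": resp["ImportToken"],
            "EncryptedKeyMaterial": base64.b64encode(wrapped).decode()}

def constructed_response(key_id, now):
    """Constructed stand-in for KMS: local key pair, response in the page's JSON shape."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    der = private_key.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    expires = (now + timedelta(hours=24)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return private_key, {"KeyId": key_id, "ImportToken": "Base64String",
                         "PublicKey": base64.b64encode(der).decode(),
                         "TokenExpireTime": expires}

if __name__ == "__main__":
    t = datetime.now(timezone.utc)
    _, sample = constructed_response(KEY_ID, t)
    print(build_import_request(sample, KEY_ID, "RSAES_PKCS1_V1_5", os.urandom(32), t))
```

Generate the key material from a cryptographically secure source and discard the plaintext copy once the import succeeds; a public key and import token from different calls cannot be mixed.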

Error codes

For a list of error codes, visit the API Error Center.