Signs an asymmetric key.

Usage notes

The following table describes the signature algorithms for different types of customer master keys (CMKs).

CMK typeSignature algorithmDescription
  • RSA_2048
  • RSA_3072
  • RSA_4096
RSA_PSS_SHA_256 (default value)RSASSA-PSS using SHA-256 and MGF1 with SHA-256
RSA_PKCS1_SHA_256RSASSA-PKCS1-v1_5 using SHA-256
  • EC_P256
  • EC_P256K
ECDSA_SHA_256 (default value)ECDSA on the P-256 Curve(secp256r1) with a SHA-256 digest
EC_SM2SM2DSA (default value)SM2 elliptic curve public key encryption algorithm

Request message definition

message SignRequest {
     string KeyId = 1;
     string Algorithm = 2;
     bytes Message = 3;
     string MessageType = 4;

Request parameters

KeyIdstringYes1234abcd-12ab-34cd-56ef-12345678****The ID of the customer master key (CMK). The ID must be globally unique. You can also set this parameter to an alias that is bound to the CMK.
Algorithm stringYesRSAES_OAEP_SHA_256The signature algorithm. Valid values:
  • RSA_PSS_SHA_256
  • RSA_PKCS1_SHA_256
  • ECDSA_SHA_256
  • SM2DSA
MessageTypestringYes RAWThe message type. Valid values:
  • RAW: the raw data. This is the default value.
  • DIGEST: the message digest of the raw data. Key Management Service (KMS) does not process the message digest of the raw data. KMS directly uses the private key to sign data.
MessagebytesYesBinary dataThe message to sign.
  • The MessageType parameter is set to RAW: The hash algorithm that is specified by the Algorithm parameter is used to generate a digest for the raw data, and the digest is signed.
  • The MessageType parameter is set to DIGEST: The digest can be up to 32 bytes in length.

Response message definition

message SignResponse {
     string KeyId = 1;
     bytes Signature = 2;
     string RequestId = 3;
     string Algorithm = 4;
     string MessageType = 5;

Response parameters

SignaturebytesBinary dataThe calculated signature value.
KeyIdstring1234abcd-12ab-34cd-56ef-12345678****The ID of the CMK. The ID must be globally unique. If the KeyId parameter is set to an alias of the CMK, the ID of the CMK to which the alias is bound is returned.
AlgorithmstringRSAES_OAEP_SHA_256The signature algorithm.
MessageTypestringRAWThe type of the message.
RequestIdstring475f1620-b9d3-4d35-b5c6-3fbdd941423dThe ID of the request.

Error codes

For more information about error codes, see Common error codes.