Key Management Service:CreateClientKey

Last Updated:Jul 29, 2025

Creates a client key.

Operation description

To perform cryptographic operations and retrieve secret values, self-managed applications must use a client key to access a Key Management Service (KMS) instance. The following process shows how to create a client key-based application access point (AAP):

1. Create an access control rule: You can configure the private IP addresses or private CIDR blocks that are allowed to access a KMS instance. For more information, see CreateNetworkRule.

2. Create a permission policy: You can specify the keys and secrets that may be accessed and bind access control rules to them. For more information, see CreatePolicy.

3. Create an AAP: You can configure an authentication method and bind a permission policy to the AAP. For more information, see CreateApplicationAccessPoint.

4. Create a client key: You can configure the encryption password and validity period of a client key and bind the client key to an AAP.

Precautions

A client key has a validity period. After a client key expires, applications into which the client key is integrated cannot access the required KMS instance. You must replace the client key before the client key expires. We recommend that you delete the expired client key in KMS after the new client key is used.

Debugging

You can call this operation directly in OpenAPI Explorer, which calculates the request signature for you. After a successful call, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

There is currently no authorization information disclosed in the API.

Request parameters

Each entry below gives the parameter name, its type, whether it is required, its description, and an example value.

Action (string, required)
  The operation that you want to perform. Set the value to CreateClientKey.
  Example: CreateClientKey

AapName (string, required)
  The name of the AAP.
  Example: aap_test

Password (string, required)
  The encryption password of the client key.
  The password must be 8 to 64 characters in length and must contain at least two of the following types: digits, letters, and special characters. Special characters include ~ ! @ # $ % ^ & * ? _ -.
  Example: bcfefe15-46f0****

NotAfter (string, optional)
  The end of the validity period of the client key.
  Specify the time in the ISO 8601 standard. The time must be in UTC and in the yyyy-MM-ddTHH:mm:ssZ format.
  Note
    • If you do not configure NotAfter, the default value is the time when the client key was created plus five years.
    • If you configure NotAfter, you must configure NotBefore.
  Example: 2028-08-31T17:14:33Z

NotBefore (string, optional)
  The beginning of the validity period of the client key.
  Specify the time in the ISO 8601 standard. The time must be in UTC and in the yyyy-MM-ddTHH:mm:ssZ format.
  Note
    • If you do not configure NotBefore, the default value is the time when the client key was created.
    • If you configure NotBefore, you must configure NotAfter.
  Example: 2023-08-31T17:14:33Z
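The password and validity-period rules above, together with the replace-before-expiry advice under Precautions, can be checked client-side before the call is signed and sent. The following is an added example, not code from the Alibaba Cloud SDK or this page; it assumes the standard RPC-style "Action" parameter name, a constructed sample response copied from the page, and that a validity period must end after it begins.

```python
from datetime import datetime, timezone

# The Password rule names three character classes; these are the special characters it lists.
SPECIALS = set("~!@#$%^&*?_-")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # yyyy-MM-ddTHH:mm:ssZ, UTC only

# Constructed sample, copied from the page's sample success response (truncated ID kept as-is).
SAMPLE_RESPONSE = {
    "ClientKeyId": "KAAP.66abf237-63f6-4625-b8cf-47e1086e****",
    "NotBefore": "2023-08-31T17:14:33Z",
    "NotAfter": "2028-08-31T17:14:33Z",
}

def check_password(pw: str) -> None:
    """Password rule: 8 to 64 characters and at least two of digits, letters, special characters."""
    if not 8 <= len(pw) <= 64:
        raise ValueError("Password must be 8 to 64 characters long")
    classes = [any(c.isdigit() for c in pw), any(c.isalpha() for c in pw), any(c in SPECIALS for c in pw)]
    if sum(classes) < 2:
        raise ValueError("Password needs at least two of: digits, letters, special characters")

def parse_utc(ts: str) -> datetime:
    """Accept only the yyyy-MM-ddTHH:mm:ssZ form; offsets and fractional seconds are rejected."""
    return datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)

def build_request(aap_name: str, password: str, not_before: str = None, not_after: str = None) -> dict:
    """Assemble CreateClientKey request parameters, enforcing the documented constraints locally."""
    check_password(password)
    params = {"Action": "CreateClientKey", "AapName": aap_name, "Password": password}
    # The Note rows require NotBefore and NotAfter to be configured together (or both omitted).
    if (not_before is None) != (not_after is None):
        raise ValueError("NotBefore and NotAfter must be specified together")
    if not_before is not None:
        start, end = parse_utc(not_before), parse_utc(not_after)
        if start >= end:  # assumption: a validity period must end after it begins
            raise ValueError("NotAfter must be later than NotBefore")
        params["NotBefore"], params["NotAfter"] = not_before, not_after
    return params

def days_until_expiry(response: dict, now: datetime) -> int:
    """Whole days left before the response's NotAfter; use it to schedule key replacement."""
    return (parse_utc(response["NotAfter"]) - now).days

if __name__ == "__main__":
    print(build_request("aap_test", "Kms-Client-2025", "2023-08-31T17:14:33Z", "2028-08-31T17:14:33Z"))
    print(days_until_expiry(SAMPLE_RESPONSE, datetime.now(timezone.utc)), "days until expiry")
```

Request signing and transport are not shown; the dictionary returned by build_request is what would be passed to the SDK or signed request.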

Response parameters

The response is a JSON object with the following fields; each entry gives the field name, its type, its description, and an example value.

RequestId (string)
  The ID of the request, which is used to locate and troubleshoot issues.
  Example: 2312e45f-b2fa-4c34-ad94-3eca50932916

ClientKeyId (string)
  The ID of the client key.
  Example: KAAP.66abf237-63f6-4625-b8cf-47e1086e****

KeyAlgorithm (string)
  The algorithm that is used to encrypt the private key of the client key. Currently, only RSA_2048 is supported.
  Example: RSA_2048

PrivateKeyData (string)
  The private key of the client key.
  Example: MIIJqwIBAzCCCXcGCSqGSIb3DQEHAaCCCWgEgglkMIIJYDCCBBcGCSqGSIb3DQEHBqCCBAgwgg******

NotBefore (string)
  The beginning of the validity period of the client key.
  Example: 2023-08-31T17:14:33Z

NotAfter (string)
  The end of the validity period of the client key.
  Example: 2028-08-31T17:14:33Z

Examples

Sample success responses

JSON format

{
  "RequestId": "2312e45f-b2fa-4c34-ad94-3eca50932916",
  "ClientKeyId": "KAAP.66abf237-63f6-4625-b8cf-47e1086e****",
  "KeyAlgorithm": "RSA_2048",
  "PrivateKeyData": "MIIJqwIBAzCCCXcGCSqGSIb3DQEHAaCCCWgEgglkMIIJYDCCBBcGCSqGSIb3DQEHBqCCBAgwgg******",
  "NotBefore": "2023-08-31T17:14:33Z",
  "NotAfter": "2028-08-31T17:14:33Z"
}

Error codes

For a list of error codes, see Service error codes.