Queries the parameters that are used to import key material for a customer master key (CMK).
Operation description
The returned parameters can be used to call the ImportKeyMaterial operation.
- You can import key material only for CMKs whose Origin parameter is set to EXTERNAL.
- The public key and token that are returned by the GetParametersForImport operation must be used together. The public key and token can be used to import key material only for the CMK that is specified when you call the operation.
- The public key and token that are returned vary each time you call the GetParametersForImport operation.
- You must specify the type of the public key and the encryption algorithm that are used to encrypt key material. The following table lists the types of public keys and the encryption algorithms allowed for each type.
| Public key type | Encryption algorithm | Description |
|---|---|---|
| RSA_2048 | RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256 | CMKs of all regions and all protection levels are supported. Dedicated Key Management Service (KMS) does not support RSAES_OAEP_SHA_1. |
| EC_SM2 | SM2PKE | CMKs whose ProtectionLevel is set to HSM are supported. The SM2 algorithm is developed and approved by the State Cryptography Administration of China. The SM2 algorithm can be used only to import key material for a CMK whose ProtectionLevel is set to HSM. You can use the SM2 algorithm only when you enable the Managed HSM feature for KMS in the Chinese mainland. For more information, see Overview of Managed HSM. |
For more information, see Import key material. This topic provides an example on how to query the parameters that are used to import key material for a CMK. The ID of the CMK is 1234abcd-12ab-34cd-56ef-12345678****, the encryption algorithm is RSAES_PKCS1_V1_5, and the public key is of the RSA_2048 type. The parameters that are returned include the ID of the CMK, the public key that is used to encrypt the key material, the token that is used to import the key material, and the time when the token expires.
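The following added example (not part of the original documentation) shows how the returned PublicKey and TokenExpireTime are typically consumed before ImportKeyMaterial is called: it checks that the token is unexpired and wraps key material under each RSA_2048 algorithm from the table above. The function names are hypothetical, the openssl CLI is assumed to be installed, MGF1 is assumed to use the same hash as OAEP, and a throwaway key pair stands in for the KMS response.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Requires the openssl CLI.

# token_is_fresh <TokenExpireTime>: succeeds while the import token is unexpired.
# Both values are fixed-width UTC ISO 8601 strings, so string order is time order.
token_is_fresh() {
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    [ "$(expr "x$now" \< "x$1")" = 1 ]
}

# wrap_key_material <PublicKey> <key material file> <WrappingAlgorithm>
# <PublicKey> is the Base64 DER public key from the response.
# Prints the Base64 ciphertext of the key material.
wrap_key_material() {
    case $3 in
        RSAES_PKCS1_V1_5)   opts="-pkeyopt rsa_padding_mode:pkcs1" ;;
        # Assumption: MGF1 uses the same hash as OAEP.
        RSAES_OAEP_SHA_1)   opts="-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 -pkeyopt rsa_mgf1_md:sha1" ;;
        RSAES_OAEP_SHA_256) opts="-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256" ;;
        *) echo "unsupported WrappingAlgorithm for RSA_2048: $3" >&2; return 2 ;;
    esac
    der=$(mktemp) || return 1
    printf '%s' "$1" | openssl base64 -d -A > "$der"
    # $opts is intentionally unquoted so it splits into separate arguments.
    ct=$(openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$der" -in "$2" $opts | openssl base64 -A)
    rm -f "$der"
    [ -n "$ct" ] && printf '%s\n' "$ct"
}

# Demo: a constructed, throwaway RSA-2048 key pair stands in for the KMS response.
demo() {
    d=$(mktemp -d) || return 1                     # directory is created with mode 0700
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/priv.pem" 2>/dev/null
    pub=$(openssl pkey -in "$d/priv.pem" -pubout -outform DER | openssl base64 -A)
    openssl rand -out "$d/KeyMaterial.bin" 32      # sample 32-byte key material (constructed)
    token_is_fresh "2999-01-01T00:00:00Z" &&       # constructed expiry time
        wrap_key_material "$pub" "$d/KeyMaterial.bin" RSAES_OAEP_SHA_256
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

Because the public key and token change on every call, wrap the key material with the PublicKey from the same response whose ImportToken you pass to ImportKeyMaterial.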
Authorization information
Request parameters
| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| KeyId | string | Yes | The globally unique ID of the CMK. Note: You can import key material only for CMKs whose Origin parameter is set to EXTERNAL. | 202b9877-5a25-46e3-a763-e20791b5**** |
| WrappingAlgorithm | string | Yes | The algorithm that is used to encrypt key material. | RSAES_PKCS1_V1_5 |
| WrappingKeySpec | string | Yes | The type of the public key that is used to encrypt key material. | RSA_2048 |
For more information about common request parameters, see Common parameters.
Response parameters
Examples
Sample success responses
JSON format
```json
{
  "KeyId": "202b9877-5a25-46e3-a763-e20791b5****",
  "ImportToken": "Base64String",
  "RequestId": "8cdf51fd-bcd6-d79a-0ef4-e52c9b5466dc",
  "TokenExpireTime": "2018-01-25T00:01:02Z",
  "PublicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlls4uIBxD0GG84C+lGBO6Dhpf1J3XimC6cPmPNaKKJMOzoX4tD+C+r7aZv8lZ3vnPfxuxvy/YwG+whUxTEEFUdqJTOIzhPfYucupqKM92crVHIuG+xtMVeHKjyTr+UrtKCsQikqHT+19yDRN/RMoo2HUx0gmEnRyXd8t3JyUXun9FdoxKA08GrsV7nodb9ZsoBLhnev7tTLcXvLyKW6XG1ZQCQm6dPnbnwLeDXR7uK0Lqn9PM28mBIdaiQUQxj2XbM1CoJA+JiyVX3Ptdb+4rqukb4Rb05B80Bs9xV/cf7FIku08l7xGhrGiQFq+DFXwQWtwihXHZxz3LhldU+4ZPwID****"
}
```
Error codes
| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 400 | Unsupported.Origin | This key origin is not valid for this api | The key origin is not supported for this API operation. |
| 400 | InvalidParameter | The specified parameter is not valid. | An invalid value is specified for the parameter. |
| 404 | InvalidAccessKeyId.NotFound | The Access Key ID provided does not exist in our records. | - |
For a list of error codes, see Service error codes.
