All Products
Search
Document Center

Key Management Service:ImportKeyMaterial

Last Updated:Apr 02, 2026

Imports externally generated key material into a CMK whose origin is EXTERNAL.

Operation description

When you call CreateKey to create a CMK, you can set Origin to EXTERNAL to specify that the key material comes from an external source. Use this operation to import the key material into such a CMK.

  • To view the CMK Origin, see DescribeKey.

  • Before importing key material, call GetParametersForImport to obtain the parameters required for the import, including the public key and import token.

Note
  • For a CMK of type Aliyun_AES_256, the key material must be 256 bits. For a CMK of type Aliyun_SM4, the key material must be 128 bits.

  • You can set the expiration time for the key material, or you can set it to never expire.

  • You can reimport the key material and reset the expiration time for the specified CMK at any time, but the same key material must be imported.

  • After the imported key material expires or is deleted, the specified CMK becomes unavailable until the same key material is imported again.

  • The same key material can be imported into multiple CMKs, but data or data keys encrypted by one CMK cannot be decrypted by another CMK.

For more information about the access policy required for a RAM user or RAM role to call this operation, see Resource Access Management.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request parameters

Parameter

Type

Required

Description

Example

KeyId

string

Yes

The ID of the CMK to be imported.

1234abcd-12ab-34cd-56ef-12345678****

EncryptedKeyMaterial

string

Yes

The key material encrypted with the public key returned by GetParametersForImport, and then Base64-encoded.

bCPZx7I6v6KXsqEpr2OXKxuj2CCRtKdwp75Bw+BGncYqBdfjFBYRtOE6HRlT0oeiRDWzwnw9OA54OL36smDJrq4Lo9x0CyYDiuKnRkcKtMtlzW0din7Pd7IlZWWRdVueiw2qpzl7PkUWQGTdsdbzpfJJQ+qj/cRIrk/E83UGyeyytSpgnb+lu0xEYcPajRyWNsbi98N3pqqQzHXNNHO2NJqHlnQgglqTiBEjkGeKFhfKmTc3vjulIdVa3EaVIN6lwWfgx+UUYSrvbA77WDYKlDsZ4SbK2/T7za9Tp1qU7Ynqba7OKGVVj7PMbiaO80AxWZnjUMYCgEp5w7V+seOXqw==

ImportToken

string

Yes

The import token obtained by calling GetParametersForImport.

Base64String

KeyMaterialExpireUnix

integer

Yes

The time when the key material expires.

If this parameter is not specified or set this parameter to 0, the key material does not expire.

Note

The value cannot be earlier than the time when the operation is called (based on the server time).

0

Response elements

Element

Type

Description

Example

object

RequestId

string

The request ID.

ec1017cf-ead4-f3ca-babc-c3b34f3dbecb

Examples

Success response

JSON format

{
  "RequestId": "ec1017cf-ead4-f3ca-babc-c3b34f3dbecb"
}

Error response

JSON format

//xml response

  ec1017cf-ead4-f3ca-babc-c3b34f3dbecb

Error codes

HTTP status code

Error code

Error message

Description

400 InvalidKeyMaterial key material is invalid
400 InvalidImportToken import token is invalid
400 ExpiredImportToken import token is expired
400 Unsupported.Origin This key origin is not valid for this api The key origin is not supported for this API operation.
400 InvalidParameter The specified parameter is not valid. An invalid value is specified for the parameter.
404 InvalidAccessKeyId.NotFound The Access Key ID provided does not exist in our records.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.