Imports externally generated key material into a CMK whose origin is EXTERNAL.
Operation description
When you call CreateKey to create a CMK, you can set Origin to EXTERNAL to specify that the key material comes from an external source. Use this operation to import the key material into such a CMK.
-
To view the CMK Origin, see DescribeKey.
-
Before importing key material, call GetParametersForImport to obtain the parameters required for the import, including the public key and import token.
-
For a CMK of type Aliyun_AES_256, the key material must be 256 bits. For a CMK of type Aliyun_SM4, the key material must be 128 bits.
-
You can set the expiration time for the key material, or you can set it to never expire.
-
You can reimport the key material and reset the expiration time for the specified CMK at any time, but the same key material must be imported.
-
After the imported key material expires or is deleted, the specified CMK becomes unavailable until the same key material is imported again.
-
The same key material can be imported into multiple CMKs, but data or data keys encrypted by one CMK cannot be decrypted by another CMK.
For more information about the access policy required for a RAM user or RAM role to call this operation, see Resource Access Management.
Try it now
Test
RAM authorization
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
| KeyId |
string |
Yes |
The ID of the CMK to be imported. |
1234abcd-12ab-34cd-56ef-12345678**** |
| EncryptedKeyMaterial |
string |
Yes |
The key material encrypted with the public key returned by GetParametersForImport, and then Base64-encoded. |
bCPZx7I6v6KXsqEpr2OXKxuj2CCRtKdwp75Bw+BGncYqBdfjFBYRtOE6HRlT0oeiRDWzwnw9OA54OL36smDJrq4Lo9x0CyYDiuKnRkcKtMtlzW0din7Pd7IlZWWRdVueiw2qpzl7PkUWQGTdsdbzpfJJQ+qj/cRIrk/E83UGyeyytSpgnb+lu0xEYcPajRyWNsbi98N3pqqQzHXNNHO2NJqHlnQgglqTiBEjkGeKFhfKmTc3vjulIdVa3EaVIN6lwWfgx+UUYSrvbA77WDYKlDsZ4SbK2/T7za9Tp1qU7Ynqba7OKGVVj7PMbiaO80AxWZnjUMYCgEp5w7V+seOXqw== |
| ImportToken |
string |
Yes |
The import token obtained by calling GetParametersForImport. |
Base64String |
| KeyMaterialExpireUnix |
integer |
Yes |
The time when the key material expires. If this parameter is not specified or set this parameter to 0, the key material does not expire. Note
The value cannot be earlier than the time when the operation is called (based on the server time). |
0 |
Response elements
|
Element |
Type |
Description |
Example |
|
object |
|||
| RequestId |
string |
The request ID. |
ec1017cf-ead4-f3ca-babc-c3b34f3dbecb |
Examples
Success response
JSON format
{
"RequestId": "ec1017cf-ead4-f3ca-babc-c3b34f3dbecb"
}
Error response
JSON format
//xml response
ec1017cf-ead4-f3ca-babc-c3b34f3dbecb
Error codes
|
HTTP status code |
Error code |
Error message |
Description |
|---|---|---|---|
| 400 | InvalidKeyMaterial | key material is invalid | |
| 400 | InvalidImportToken | import token is invalid | |
| 400 | ExpiredImportToken | import token is expired | |
| 400 | Unsupported.Origin | This key origin is not valid for this api | The key origin is not supported for this API operation. |
| 400 | InvalidParameter | The specified parameter is not valid. | An invalid value is specified for the parameter. |
| 404 | InvalidAccessKeyId.NotFound | The Access Key ID provided does not exist in our records. |
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.