All Products
Search

This Product

    Key Management Service:ImportKeyMaterial

    Document Center

    Key Management Service:ImportKeyMaterial

    Last Updated:Jul 29, 2025

    Call the ImportKeyMaterial operation to import the key material.

    Operation description

    Call CreateKey when creating a CMK, you can select its key material source as external. Origin set to EXTERNAL. This API is used to import the key material into the CMK.

    • To view the CMK Origin, see DescribeKey .
    • Before importing key material, you need to call the GetParametersForImport obtain the parameters required to import the key material, including the public key and import token.
    Note
  • The key type of the pair is Aliyun_AES_256 the key material must be 256 bits. The key type must be Aliyun_SM4 the CMK and key material must be 128 bits.
  • You can set the expiration time for the key material, or you can set it to never expire.
  • You can reimport the key material and reset the expiration time for the specified CMK at any time, but the same key material must be imported.
  • After the imported key material expires or is deleted, the specified CMK is unavailable until the same key material are imported again.
  • A Key material can be imported to multiple cmks, but any Data or Data Key encrypted by one CMK cannot be decrypted by another CMK.
    •

    Debugging

    You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

    Authorization information

    There is currently no authorization information disclosed in the API.

    Request parameters

    ParameterTypeRequiredDescriptionExample
    KeyIdstringYes

    The ID of the CMK to be imported.

    		1234abcd-12ab-34cd-56ef-12345678****
    EncryptedKeyMaterialstringYes

    Use GetParametersForImport the Returned public key and the base64-encoded key material.

    		bCPZx7I6v6KXsqEpr2OXKxuj2CCRtKdwp75Bw+BGncYqBdfjFBYRtOE6HRlT0oeiRDWzwnw9OA54OL36smDJrq4Lo9x0CyYDiuKnRkcKtMtlzW0din7Pd7IlZWWRdVueiw2qpzl7PkUWQGTdsdbzpfJJQ+qj/cRIrk/E83UGyeyytSpgnb+lu0xEYcPajRyWNsbi98N3pqqQzHXNNHO2NJqHlnQgglqTiBEjkGeKFhfKmTc3vjulIdVa3EaVIN6lwWfgx+UUYSrvbA77WDYKlDsZ4SbK2/T7za9Tp1qU7Ynqba7OKGVVj7PMbiaO80AxWZnjUMYCgEp5w7V+seOXqw==
    ImportTokenstringYes

    By calling GetParametersForImport the import token.

    		Base64String
    KeyMaterialExpireUnixlongYes

    The time when the key material expires.

    If this parameter is not specified or set this parameter to 0, the key material does not expire.

    Note The value cannot be earlier than the time when the API is called (based on the server time).
    		0

    Response parameters

    ParameterTypeDescriptionExample
    object
    RequestIdstring

    The ID of the request.

    		ec1017cf-ead4-f3ca-babc-c3b34f3dbecb

    Examples

    Sample success responses

    JSONformat

    {
  "RequestId": "ec1017cf-ead4-f3ca-babc-c3b34f3dbecb"
}

    Error codes

    HTTP status codeError codeError messageDescription
    400InvalidKeyMaterialkey material is invalid-
    400InvalidImportTokenimport token is invalid-
    400ExpiredImportTokenimport token is expired-
    400Unsupported.OriginThis key origin is not valid for this apiThe key origin is not supported for this API operation.
    400InvalidParameterThe specified parameter is not valid.An invalid value is specified for the parameter.
    404InvalidAccessKeyId.NotFoundThe Access Key ID provided does not exist in our records.-

    For a list of error codes, visit the Service error codes.