Signs data using an asymmetric key.
Usage notes
The request body (after Protocol Buffers encoding) cannot exceed 3 MB. Requests exceeding this limit are rejected with HTTP 413.
For large messages, generate a digest locally and pass it with MessageType set to DIGEST, rather than sending the raw message.
For supported key specifications and algorithm compatibility, see Key types and specifications.
Request parameters
| Parameter | Type | Required | Example | Description |
|---|---|---|---|---|
| KeyId | string | Yes | 1234abcd-12ab-34cd-56ef-12345678**** | The globally unique ID of the key. You can also pass an alias bound to the key. |
| Algorithm | string | Yes | RSAES_OAEP_SHA_256 | The signature algorithm. Valid values: RSA_PSS_SHA_256, RSA_PKCS1_SHA_256, ECDSA_SHA_256, SM2DSA. |
| MessageType | string | Yes | RAW | The type of the message to sign. Valid values: RAW (default): KMS hashes the raw data using the algorithm specified by Algorithm, then signs the digest. DIGEST: KMS skips hashing and signs the provided digest directly using a private key. The digest must be no longer than 32 bytes. |
| Message | bytes | Yes | Binary data | The message to sign. If MessageType is RAW, pass the raw data. If MessageType is DIGEST, pass the pre-computed message digest (up to 32 bytes). |
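
The following is an added example, not code from the original documentation or from any KMS SDK. It builds the four request parameters above from a binary stream, sending small inputs as RAW and switching to a locally computed SHA-256 digest with MessageType DIGEST once the input would approach the 3 MB limit. The function name, the 4 KB headroom, and the key ID used in the test are assumptions; SM2DSA is rejected because the example only computes SHA-256 digests.

```python
import hashlib

MAX_BODY_BYTES = 3 * 1024 * 1024       # request body limit stated on this page
# Assumption: the limit applies to the encoded body, so leave headroom for
# the other fields and encoding overhead. 4 KB is an illustrative margin.
RAW_THRESHOLD = MAX_BODY_BYTES - 4096
MAX_DIGEST_BYTES = 32                  # DIGEST limit stated on this page
SHA256_ALGORITHMS = {"RSA_PSS_SHA_256", "RSA_PKCS1_SHA_256", "ECDSA_SHA_256"}


def build_sign_params(key_id, algorithm, stream, chunk_size=1 << 20):
    """Return the Sign request parameters for the data read from `stream`.

    Hypothetical helper: it only prepares parameters and makes no API call.
    """
    if algorithm not in SHA256_ALGORITHMS:
        raise ValueError(f"{algorithm}: this example only pre-hashes with SHA-256")

    hasher = hashlib.sha256()
    buffered = bytearray()
    too_large = False
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        hasher.update(chunk)           # always hash, so one pass is enough
        if not too_large:
            buffered += chunk
            if len(buffered) > RAW_THRESHOLD:
                too_large = True       # stop buffering, keep hashing
                buffered = bytearray()

    params = {"KeyId": key_id, "Algorithm": algorithm}
    if too_large:
        digest = hasher.digest()
        if len(digest) > MAX_DIGEST_BYTES:
            raise ValueError("digest exceeds the 32-byte DIGEST limit")
        params.update(MessageType="DIGEST", Message=digest)
    else:
        params.update(MessageType="RAW", Message=bytes(buffered))
    return params
```

Record which path was taken alongside the signature: whoever verifies it must hash the same bytes with SHA-256, whether they verify against the raw data or the digest.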
Response parameters
| Parameter | Type | Example | Description |
|---|---|---|---|
| Signature | bytes | Binary data | The calculated signature value. |
| KeyId | string | 1234abcd-12ab-34cd-56ef-12345678**** | The globally unique ID of the key. If you passed an alias in the request, the ID of the key bound to that alias is returned. |
| Algorithm | string | RSAES_OAEP_SHA_256 | The signing algorithm used. |
| MessageType | string | RAW | The message type used. |
| RequestId | string | 475f1620-b9d3-4d35-b5c6-3fbdd941423d | The request ID. |
Error codes
For a list of error codes, see Service error codes.