Key Management Service:CreateClientKey

Last Updated: Oct 11, 2023

Creates a client key.

Usage notes

To perform cryptographic operations and retrieve secret values, self-managed applications must use a client key to access a Key Management Service (KMS) instance. The following process shows how to create a client key-based application access point (AAP):

1. Create an access control rule: You can configure the private IP addresses or private CIDR blocks that are allowed to access a KMS instance. For more information, see CreateNetworkRule.

2. Create a permission policy: You can specify the keys and secrets that the application is allowed to access, and bind access control rules to those keys and secrets. For more information, see CreatePolicy.

3. Create an AAP: You can configure an authentication method and bind a permission policy to an AAP. For more information, see CreateApplicationAccessPoint.

4. Create a client key: You can configure the encryption password and validity period of a client key and bind the client key to an AAP.

Precautions

A client key has a validity period. After a client key expires, applications into which the client key is integrated cannot access the required KMS instance. You must replace the client key before the client key expires. We recommend that you delete the expired client key in KMS after the new client key is used.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter | Type | Required | Example | Description

Action | String | Yes | CreateClientKey
The operation that you want to perform. Set the value to CreateClientKey.

AapName | String | Yes | aap_test
The name of the AAP.

Password | String | Yes | bcfefe15-46f0****
The encryption password of the client key.
The password must be 8 to 64 characters in length and must contain at least two of the following types: digits, letters, and special characters. Special characters include ~ ! @ # $ % ^ & * ? _ -.

NotAfter | String | No | 2028-08-31T17:14:33Z
The end of the validity period of the client key.
Specify the time in the ISO 8601 standard. The time must be in UTC and in the yyyy-MM-ddTHH:mm:ssZ format.
Note
  • If you do not configure NotAfter, the default value is the time when the client key was created plus five years.
  • If you configure NotAfter, you must configure NotBefore.

NotBefore | String | No | 2023-08-31T17:14:33Z
The beginning of the validity period of the client key.
Specify the time in the ISO 8601 standard. The time must be in UTC and in the yyyy-MM-ddTHH:mm:ssZ format.
Note
  • If you do not configure NotBefore, the default value is the time when the client key was created.
  • If you configure NotBefore, you must configure NotAfter.
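The following is an added example, not Alibaba Cloud KMS code, showing how a caller can enforce the Password and NotBefore/NotAfter rules from the table above before sending the request, and how the NotAfter value can drive the key-rotation check described under Precautions. Function names, the rejection of characters outside the three listed types, and the requirement that NotAfter be later than NotBefore are assumptions of this example.

```python
"""Client-side checks for CreateClientKey parameters (added example, not KMS code)."""
import string
from datetime import datetime, timezone
from typing import Optional

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"      # the page's yyyy-MM-ddTHH:mm:ssZ, UTC only
SPECIALS = set("~!@#$%^&*?_-")        # special characters listed for Password


def check_password(password: str) -> bool:
    """8 to 64 characters, at least two of: digits, letters, listed specials."""
    if not 8 <= len(password) <= 64:
        return False
    # Assumption: any character outside the three listed types is rejected.
    allowed = string.digits + string.ascii_letters
    if any(c not in allowed and c not in SPECIALS for c in password):
        return False
    kinds = [any(c in string.digits for c in password),
             any(c in string.ascii_letters for c in password),
             any(c in SPECIALS for c in password)]
    return sum(kinds) >= 2


def parse_utc(value: str) -> datetime:
    """Accept only the exact required format; offsets or fractions raise ValueError."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def build_request(aap_name: str, password: str,
                  not_before: Optional[str] = None,
                  not_after: Optional[str] = None) -> dict:
    """Return the CreateClientKey query parameters, or raise ValueError."""
    if not check_password(password):
        raise ValueError("Password violates the length/composition policy")
    if (not_before is None) != (not_after is None):
        raise ValueError("NotBefore and NotAfter must be configured together")
    params = {"Action": "CreateClientKey", "AapName": aap_name, "Password": password}
    if not_before is not None:
        start, end = parse_utc(not_before), parse_utc(not_after)
        if end <= start:  # assumption: the validity window must be non-empty
            raise ValueError("NotAfter must be later than NotBefore")
        params.update(NotBefore=not_before, NotAfter=not_after)
    return params


def seconds_to_expiry(not_after: str, now: datetime) -> float:
    """Seconds until the key expires (negative once expired); drives rotation alerts."""
    return (parse_utc(not_after) - now).total_seconds()
```

Omitting both timestamps leaves the validity period to the service defaults (creation time, plus five years for NotAfter); schedule replacement well before seconds_to_expiry reaches zero.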

Response parameters

Parameter | Type | Example | Description

RequestId | String | 2312e45f-b2fa-4c34-ad94-3eca50932916
The ID of the request, which is used to locate and troubleshoot issues.

ClientKeyId | String | KAAP.66abf237-63f6-4625-b8cf-47e1086e****
The ID of the client key.

KeyAlgorithm | String | RSA_2048
The algorithm that is used to encrypt the private key of the client key. Currently, only RSA_2048 is supported.

PrivateKeyData | String | MIIJqwIBAzCCCXcGCSqGSIb3DQEHAaCCCWgEgglkMIIJYDCCBBcGCSqGSIb3DQEHBqCCBAgwgg******
The private key of the client key.

NotBefore | String | 2023-08-31T17:14:33Z
The beginning of the validity period of the client key.

NotAfter | String | 2028-08-31T17:14:33Z
The end of the validity period of the client key.

Examples

Sample requests

http(s)://[Endpoint]/?Action=CreateClientKey
&AapName=aap_test
&Password=bcfefe15-46f0****
&NotAfter=2028-08-31T17:14:33Z
&NotBefore=2023-08-31T17:14:33Z
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<CreateClientKeyResponse>
    <RequestId>2312e45f-b2fa-4c34-ad94-3eca50932916</RequestId>
    <ClientKeyId>KAAP.66abf237-63f6-4625-b8cf-47e1086e****</ClientKeyId>
    <KeyAlgorithm>RSA_2048</KeyAlgorithm>
    <PrivateKeyData>MIIJqwIBAzCCCXcGCSqGSIb3DQEHAaCCCWgEgglkMIIJYDCCBBcGCSqGSIb3DQEHBqCCBAgwgg******</PrivateKeyData>
    <NotBefore>2023-08-31T17:14:33Z</NotBefore>
    <NotAfter>2028-08-31T17:14:33Z</NotAfter>
</CreateClientKeyResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "2312e45f-b2fa-4c34-ad94-3eca50932916",
  "ClientKeyId" : "KAAP.66abf237-63f6-4625-b8cf-47e1086e****",
  "KeyAlgorithm" : "RSA_2048",
  "PrivateKeyData" : "MIIJqwIBAzCCCXcGCSqGSIb3DQEHAaCCCWgEgglkMIIJYDCCBBcGCSqGSIb3DQEHBqCCBAgwgg******",
  "NotBefore" : "2023-08-31T17:14:33Z",
  "NotAfter" : "2028-08-31T17:14:33Z"
}

Error codes

For a list of error codes, see Service error codes.