Creates a client key.
Usage notes
To perform cryptographic operations and retrieve secret values, self-managed applications must use a client key to access a Key Management Service (KMS) instance. The following process shows how to create a client key-based application access point (AAP):
1. Create an access control rule: You can configure the private IP addresses or private CIDR blocks that are allowed to access a KMS instance. For more information, see CreateNetworkRule.
2. Create a permission policy: You can specify the keys and secrets that can be accessed and bind access control rules to them. For more information, see CreatePolicy.
3. Create an AAP: You can configure an authentication method and bind a permission policy to an AAP. For more information, see CreateApplicationAccessPoint.
4. Create a client key: You can configure the encryption password and validity period of a client key and bind the client key to an AAP.
Precautions
A client key has a validity period. After a client key expires, applications into which the client key is integrated cannot access the required KMS instance. You must replace the client key before the client key expires. We recommend that you delete the expired client key in KMS after the new client key is used.
Request parameters
Parameter | Type | Required | Example | Description |
Action | String | Yes | CreateClientKey | The operation that you want to perform. Set the value to CreateClientKey. |
AapName | String | Yes | aap_test | The name of the AAP. |
Password | String | Yes | bcfefe15-46f0**** | The encryption password of the client key. The password must be 8 to 64 characters in length and must contain at least two of the following types: digits, letters, and special characters. Special characters include |
NotAfter | String | No | 2028-08-31T17:14:33Z | The end of the validity period of the client key. Specify the time in the ISO 8601 standard. The time must be in UTC. The time must be in the yyyy-MM-ddTHH:mm:ssZ format. Note |
NotBefore | String | No | 2023-08-31T17:14:33Z | The beginning of the validity period of the client key. Specify the time in the ISO 8601 standard. The time must be in UTC. The time must be in the yyyy-MM-ddTHH:mm:ssZ format. Note |
Response parameters
Parameter | Type | Example | Description |
RequestId | String | 2312e45f-b2fa-4c34-ad94-3eca50932916 | The ID of the request, which is used to locate and troubleshoot issues. |
ClientKeyId | String | KAAP.66abf237-63f6-4625-b8cf-47e1086e**** | The ID of the client key. |
KeyAlgorithm | String | RSA_2048 | The algorithm that is used to encrypt the private key of the client key. Currently, only RSA_2048 is supported. |
PrivateKeyData | String | MIIJqwIBAzCCCXcGCSqGSIb3DQEHAaCCCWgEgglkMIIJYDCCBBcGCSqGSIb3DQEHBqCCBAgwgg****** | The private key of the client key. |
NotBefore | String | 2023-08-31T17:14:33Z | The beginning of the validity period of the client key. |
NotAfter | String | 2028-08-31T17:14:33Z | The end of the validity period of the client key. |
Examples
Sample requests
http(s)://[Endpoint]/?Action=CreateClientKey
&AapName=aap_test
&Password=bcfefe15-46f0****
&NotAfter=2028-08-31T17:14:33Z
&NotBefore=2023-08-31T17:14:33Z
&Common request parameters
Sample success responses
XML format
HTTP/1.1 200 OK
Content-Type:application/xml
<CreateClientKeyResponse>
<RequestId>2312e45f-b2fa-4c34-ad94-3eca50932916</RequestId>
<ClientKeyId>KAAP.66abf237-63f6-4625-b8cf-47e1086e****</ClientKeyId>
<KeyAlgorithm>RSA_2048</KeyAlgorithm>
<PrivateKeyData>MIIJqwIBAzCCCXcGCSqGSIb3DQEHAaCCCWgEgglkMIIJYDCCBBcGCSqGSIb3DQEHBqCCBAgwgg******</PrivateKeyData>
<NotBefore>2023-08-31T17:14:33Z</NotBefore>
<NotAfter>2028-08-31T17:14:33Z</NotAfter>
</CreateClientKeyResponse>
JSON format
HTTP/1.1 200 OK
Content-Type:application/json
{
"RequestId" : "2312e45f-b2fa-4c34-ad94-3eca50932916",
"ClientKeyId" : "KAAP.66abf237-63f6-4625-b8cf-47e1086e****",
"KeyAlgorithm" : "RSA_2048",
"PrivateKeyData" : "MIIJqwIBAzCCCXcGCSqGSIb3DQEHAaCCCWgEgglkMIIJYDCCBBcGCSqGSIb3DQEHBqCCBAgwgg******",
"NotBefore" : "2023-08-31T17:14:33Z",
"NotAfter" : "2028-08-31T17:14:33Z"
}
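The following is an added example, not code from this page or from the KMS SDK. It applies the documented request rules (password length and complexity, UTC ISO 8601 timestamps, NotAfter later than NotBefore) client-side before the call, and reads NotAfter from a response so a rotation job can replace the client key before it expires, as the Precautions section requires. The list of accepted special characters is not reproduced on this page, so the example treats any printable non-alphanumeric ASCII character as special; that is an assumption, and the sample response is constructed with placeholder values.

```python
import json
from datetime import datetime, timezone

# Timestamp format the API requires: ISO 8601, UTC, yyyy-MM-ddTHH:mm:ssZ.
KMS_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_kms_time(value):
    """Parse a NotBefore/NotAfter value; raises ValueError if not UTC ISO 8601."""
    return datetime.strptime(value, KMS_TIME_FORMAT).replace(tzinfo=timezone.utc)


def validate_password(password):
    """Documented rule: 8 to 64 chars, at least two of digits, letters, special.
    Assumption: the accepted special characters are not listed on this page, so
    any printable non-alphanumeric ASCII character counts as special here."""
    if not 8 <= len(password) <= 64:
        return False
    has_digit = any(c.isdigit() for c in password)
    has_letter = any(c.isalpha() for c in password)
    has_special = any(32 < ord(c) < 127 and not c.isalnum() for c in password)
    return sum((has_digit, has_letter, has_special)) >= 2


def build_create_client_key_params(aap_name, password, not_before=None, not_after=None):
    """Build the CreateClientKey query parameters, rejecting bad input before the call."""
    if not validate_password(password):
        raise ValueError("Password does not meet the documented complexity rule")
    params = {"Action": "CreateClientKey", "AapName": aap_name, "Password": password}
    start = parse_kms_time(not_before) if not_before else None
    end = parse_kms_time(not_after) if not_after else None
    if start and end and end <= start:
        raise ValueError("NotAfter must be later than NotBefore")
    if start:
        params["NotBefore"] = start.strftime(KMS_TIME_FORMAT)
    if end:
        params["NotAfter"] = end.strftime(KMS_TIME_FORMAT)
    return params


def days_until_expiry(response_json, now=None):
    """Days left before NotAfter, so a rotation job can replace the client key in time.
    PrivateKeyData in the same response is secret material: never log it."""
    body = json.loads(response_json)
    now = parse_kms_time(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    return (parse_kms_time(body["NotAfter"]) - now).days


# Constructed sample response in the documented JSON format (placeholder values).
SAMPLE_RESPONSE = json.dumps({
    "RequestId": "2312e45f-b2fa-4c34-ad94-3eca50932916", "KeyAlgorithm": "RSA_2048",
    "ClientKeyId": "KAAP.66abf237-63f6-4625-b8cf-47e1086e****", "PrivateKeyData": "MIIJqw...****",
    "NotBefore": "2023-08-31T17:14:33Z", "NotAfter": "2028-08-31T17:14:33Z"})
```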
Error codes
For a list of error codes, see Service error codes.