All Products
Search
Document Center

Key Management Service:CreateClientKey

更新時間:Oct 11, 2023

Creates a client key.

Usage notes

To perform cryptographic operations and retrieve secret values, self-managed applications must use a client key to access a Key Management Service (KMS) instance. The following process shows how to create a client key-based application access point (AAP):

1. Create an access control rule: You can configure the private IP addresses or private CIDR blocks that are allowed to access a KMS instance. For more information, see CreateNetworkRule.

2. Create a permission policy: You can configure the keys and secrets that are allowed to access and bind access control rules to the keys and secrets. For more information, see CreatePolicy.

3. Create an AAP: You can configure an authentication method and bind a permission policy to an AAP. For more information, see CreateApplicationAccessPoint.

4. Create a client key: You can configure the encryption password and validity period of a client key and bind the client key to an AAP.

Precautions

A client key has a validity period. After a client key expires, applications into which the client key is integrated cannot access the required KMS instance. You must replace the client key before the client key expires. We recommend that you delete the expired client key in KMS after the new client key is used.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter

Type

Required

Example

Description

Action String Yes CreateClientKey

The operation that you want to perform. Set the value to CreateClientKey.

AapName String Yes aap_test

The name of the AAP.

Password String Yes bcfefe15-46f0****

The encryption password of the client key.

The password must be 8 to 64 characters in length and must contain at least two of the following types: digits, letters, and special characters. Special characters include ~ ! @ # $ % ^ & * ? _ -.

NotAfter String No 2028-08-31T17:14:33Z

The end of the validity period of the client key.

Specify the time in the ISO 8601 standard. The time must be in UTC. The time must be in the yyyy-MM-ddTHH:mm:ssZ format.

Note
  • If you do not configure NotAfter, the default value is the time when the client key was created plus five years.
  • If you configure NotAfter, you must configure NotBefore.
NotBefore String No 2023-08-31T17:14:33Z

The beginning of the validity period of the client key.

Specify the time in the ISO 8601 standard. The time must be in UTC. The time must be in the yyyy-MM-ddTHH:mm:ssZ format.

Note
  • If you do not configure NotBefore, the default value is the time when the client key was created.
  • If you configure NotBefore, you must configure NotAfter.

Response parameters

Parameter

Type

Example

Description

RequestId String 2312e45f-b2fa-4c34-ad94-3eca50932916

The ID of the request, which is used to locate and troubleshoot issues.

ClientKeyId String KAAP.66abf237-63f6-4625-b8cf-47e1086e****

The ID of the client key.

KeyAlgorithm String RSA_2048

The algorithm that is used to encrypt the private key of the client key. Currently, only RSA_2048 is supported.

PrivateKeyData String MIIJqwIBAzCCCXcGCSqGSIb3DQEHAaCCCWgEgglkMIIJYDCCBBcGCSqGSIb3DQEHBqCCBAgwgg******

The private key of the client key.

NotBefore String 2023-08-31T17:14:33Z

The beginning of the validity period of the client key.

NotAfter String 2028-08-31T17:14:33Z

The end of the validity period of the client key.

Examples

Sample requests

http(s)://[Endpoint]/?Action=CreateClientKey
&AapName=aap_test
&Password=bcfefe15-46f0****
&NotAfter=2028-08-31T17:14:33Z
&NotBefore=2023-08-31T17:14:33Z
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<CreateClientKeyResponse>
    <RequestId>2312e45f-b2fa-4c34-ad94-3eca50932916</RequestId>
    <ClientKeyId>KAAP.66abf237-63f6-4625-b8cf-47e1086e****</ClientKeyId>
    <KeyAlgorithm>RSA_2048</KeyAlgorithm>
    <PrivateKeyData>MIIJqwIBAzCCCXcGCSqGSIb3DQEHAaCCCWgEgglkMIIJYDCCBBcGCSqGSIb3DQEHBqCCBAgwgg******</PrivateKeyData>
    <NotBefore>2023-08-31T17:14:33Z</NotBefore>
    <NotAfter>2028-08-31T17:14:33Z</NotAfter>
</CreateClientKeyResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "2312e45f-b2fa-4c34-ad94-3eca50932916",
  "ClientKeyId" : "KAAP.66abf237-63f6-4625-b8cf-47e1086e****",
  "KeyAlgorithm" : "RSA_2048",
  "PrivateKeyData" : "MIIJqwIBAzCCCXcGCSqGSIb3DQEHAaCCCWgEgglkMIIJYDCCBBcGCSqGSIb3DQEHBqCCBAgwgg******",
  "NotBefore" : "2023-08-31T17:14:33Z",
  "NotAfter" : "2028-08-31T17:14:33Z"
}

Error codes

For a list of error codes, see Service error codes.