Queries the parameters that are used to import key material for a customer master key (CMK).
- The returned parameters can be used to call the ImportKeyMaterial operation.
- You can import key material only for CMKs whose Origin parameter is set to EXTERNAL.
- The public key and token that are returned by the GetParametersForImport operation must be used together. The public key and token can be used to import key material only for the CMK that is specified when you call the operation.
- The public key and token that are returned vary each time you call the GetParametersForImport operation.
- You must specify the type of the public key and the encryption algorithm that are used to encrypt key material. The following table lists the types of public keys and the encryption algorithms allowed for each type.

Public key type | Encryption algorithm | Description |
---|---|---|
RSA_2048 | RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256 | CMKs of all regions and all protection levels are supported. Dedicated Key Management Service (KMS) does not support RSAES_OAEP_SHA_1. |
EC_SM2 | SM2PKE | CMKs whose ProtectionLevel is set to HSM are supported. The SM2 algorithm is developed and approved by the State Cryptography Administration of China. The SM2 algorithm can be used only to import key material for a CMK whose ProtectionLevel is set to HSM. You can use the SM2 algorithm only when you enable the Managed HSM feature for KMS in the Chinese mainland. For more information, see Overview of Managed HSM. |
For more information, see Import key material. This topic provides an example of how to query the parameters that are used to import key material for a CMK. The ID of the CMK is 1234abcd-12ab-34cd-56ef-12345678****, the encryption algorithm is RSAES_PKCS1_V1_5, and the public key is of the RSA_2048 type. The parameters that are returned include the ID of the CMK, the public key that is used to encrypt the key material, the token that is used to import the key material, and the time when the token expires.
Request parameters
Parameter | Type | Required | Example | Description |
---|---|---|---|---|
Action | String | Yes | GetParametersForImport | The operation that you want to perform. Set the value to GetParametersForImport. |
KeyId | String | Yes | 202b9877-5a25-46e3-a763-e20791b5**** | The globally unique ID of the CMK. Note: You can import key material only for CMKs whose Origin parameter is set to EXTERNAL. |
WrappingAlgorithm | String | Yes | RSAES_PKCS1_V1_5 | The algorithm that is used to encrypt key material. |
WrappingKeySpec | String | Yes | RSA_2048 | The type of the public key that is used to encrypt key material. |
For more information about common request parameters, see Common parameters.
Response parameters
Parameter | Type | Example | Description |
---|---|---|---|
KeyId | String | 202b9877-5a25-46e3-a763-e20791b5**** | The globally unique ID of the CMK. The value of this parameter is required when you call the ImportKeyMaterial operation. |
ImportToken | String | Base64String | The token that is used to import key material. The token is valid for 24 hours. The value of this parameter is required when you call the ImportKeyMaterial operation. |
RequestId | String | 8cdf51fd-bcd6-d79a-0ef4-e52c9b5466dc | The ID of the request, which is used to locate and troubleshoot issues. |
TokenExpireTime | String | 2018-01-25T00:01:02Z | The time when the token expires. |
PublicKey | String | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlls4uIBxD0GG84C+lGBO6Dhpf1J3XimC6cPmPNaKKJMOzoX4tD+C+r7aZv8lZ3vnPfxuxvy/YwG+whUxTEEFUdqJTOIzhPfYucupqKM92crVHIuG+xtMVeHKjyTr+UrtKCsQikqHT+19yDRN/RMoo2HUx0gmEnRyXd8t3JyUXun9FdoxKA08GrsV7nodb9ZsoBLhnev7tTLcXvLyKW6XG1ZQCQm6dPnbnwLeDXR7uK0Lqn9PM28mBIdaiQUQxj2XbM1CoJA+JiyVX3Ptdb+4rqukb4Rb05B80Bs9xV/cf7FIku08l7xGhrGiQFq+DFXwQWtwihXHZxz3LhldU+4ZPwID**** | The public key that is used to encrypt key material. The public key is Base64-encoded. |
Examples
Sample requests
```
http(s)://[Endpoint]/?Action=GetParametersForImport
&KeyId=202b9877-5a25-46e3-a763-e20791b5****
&WrappingAlgorithm=RSAES_PKCS1_V1_5
&WrappingKeySpec=RSA_2048
&<Common request parameters>
```
Sample success responses
XML format

```
HTTP/1.1 200 OK
Content-Type:application/xml

<GetParametersForImportResponse>
    <KeyId>202b9877-5a25-46e3-a763-e20791b5****</KeyId>
    <ImportToken>Base64String</ImportToken>
    <RequestId>8cdf51fd-bcd6-d79a-0ef4-e52c9b5466dc</RequestId>
    <TokenExpireTime>2018-01-25T00:01:02Z</TokenExpireTime>
    <PublicKey>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlls4uIBxD0GG84C+lGBO6Dhpf1J3XimC6cPmPNaKKJMOzoX4tD+C+r7aZv8lZ3vnPfxuxvy/YwG+whUxTEEFUdqJTOIzhPfYucupqKM92crVHIuG+xtMVeHKjyTr+UrtKCsQikqHT+19yDRN/RMoo2HUx0gmEnRyXd8t3JyUXun9FdoxKA08GrsV7nodb9ZsoBLhnev7tTLcXvLyKW6XG1ZQCQm6dPnbnwLeDXR7uK0Lqn9PM28mBIdaiQUQxj2XbM1CoJA+JiyVX3Ptdb+4rqukb4Rb05B80Bs9xV/cf7FIku08l7xGhrGiQFq+DFXwQWtwihXHZxz3LhldU+4ZPwID****</PublicKey>
</GetParametersForImportResponse>
```
JSON format

```
HTTP/1.1 200 OK
Content-Type:application/json

{
  "KeyId" : "202b9877-5a25-46e3-a763-e20791b5****",
  "ImportToken" : "Base64String",
  "RequestId" : "8cdf51fd-bcd6-d79a-0ef4-e52c9b5466dc",
  "TokenExpireTime" : "2018-01-25T00:01:02Z",
  "PublicKey" : "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlls4uIBxD0GG84C+lGBO6Dhpf1J3XimC6cPmPNaKKJMOzoX4tD+C+r7aZv8lZ3vnPfxuxvy/YwG+whUxTEEFUdqJTOIzhPfYucupqKM92crVHIuG+xtMVeHKjyTr+UrtKCsQikqHT+19yDRN/RMoo2HUx0gmEnRyXd8t3JyUXun9FdoxKA08GrsV7nodb9ZsoBLhnev7tTLcXvLyKW6XG1ZQCQm6dPnbnwLeDXR7uK0Lqn9PM28mBIdaiQUQxj2XbM1CoJA+JiyVX3Ptdb+4rqukb4Rb05B80Bs9xV/cf7FIku08l7xGhrGiQFq+DFXwQWtwihXHZxz3LhldU+4ZPwID****"
}
```
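The following added example (not part of the original page and not Alibaba Cloud code) shows how a client can use the returned PublicKey and TokenExpireTime before calling ImportKeyMaterial: it rejects an expired token, checks that the key is RSA_2048, and encrypts key material with any of the three RSA wrapping algorithms in the table above. The names WrapKeyMaterial and demoKey are hypothetical, the key pair is generated locally because the sample PublicKey on this page is masked, the all-zero 32-byte key material is a constructed input, and the Base64 output encoding and the MGF1 hash choice are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"time"
)
// WrapKeyMaterial encrypts keyMaterial under the returned PublicKey; Base64 output is assumed.
func WrapKeyMaterial(publicKey, tokenExpireTime, alg string, keyMaterial []byte, now time.Time) (string, error) {
	exp, err := time.Parse(time.RFC3339, tokenExpireTime)
	if err != nil || !now.Before(exp) {
		return "", fmt.Errorf("token expired or TokenExpireTime unreadable: %q", tokenExpireTime)
	}
	der, err := base64.StdEncoding.DecodeString(publicKey)
	if err != nil {
		return "", fmt.Errorf("PublicKey is not Base64: %w", err)
	}
	parsed, err := x509.ParsePKIXPublicKey(der) // DER SubjectPublicKeyInfo
	pub, ok := parsed.(*rsa.PublicKey)
	if err != nil || !ok || pub.N.BitLen() != 2048 {
		return "", fmt.Errorf("PublicKey is not an RSA_2048 key")
	}
	var ct []byte
	switch alg { // OAEP: MGF1 uses the same hash as the OAEP hash (assumption)
	case "RSAES_PKCS1_V1_5":
		ct, err = rsa.EncryptPKCS1v15(rand.Reader, pub, keyMaterial)
	case "RSAES_OAEP_SHA_1":
		ct, err = rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, keyMaterial, nil)
	case "RSAES_OAEP_SHA_256":
		ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, nil)
	default:
		err = fmt.Errorf("unsupported WrappingAlgorithm %q", alg)
	}
	return base64.StdEncoding.EncodeToString(ct), err
}

func demoKey() (string, *rsa.PrivateKey) { // constructed stand-in; the page's sample key is masked
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return base64.StdEncoding.EncodeToString(der), priv
}
func main() {
	pub, _ := demoKey()
	fmt.Println(WrapKeyMaterial(pub, "2018-01-25T00:01:02Z", "RSAES_OAEP_SHA_256", make([]byte, 32), time.Date(2018, 1, 24, 0, 0, 0, 0, time.UTC)))
}
```

Because the public key and token change on every call and must be used together, wrap the key material with the PublicKey from the same response whose ImportToken you submit.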
Error codes
HTTP status code | Error code | Error message | Description |
---|---|---|---|
400 | Unsupported.Origin | This key origin is not valid for this api | The error message returned because the operation is supported only for CMKs whose Origin parameter is set to EXTERNAL. |
For a list of error codes, visit the API Error Center.