Queries the parameters that are used to import key material for a customer master key (CMK).

Usage notes
  • The returned parameters can be used to call the ImportKeyMaterial operation.
  • You can import key material only for CMKs whose Origin parameter is set to EXTERNAL.
  • The public key and token that are returned by the GetParametersForImport operation must be used together. The public key and token can be used to import key material only for the CMK that is specified when you call the operation.
  • The public key and token that are returned vary each time you call the GetParametersForImport operation.
  • You must specify the type of the public key and the encryption algorithm that are used to encrypt key material. The following table lists the types of public keys and the encryption algorithms allowed for each type.

    Public key type

    Encryption algorithm

    Description

    RSA_2048

    RSAES_PKCS1_V1_5

    RSAES_OAEP_SHA_1

    RSAES_OAEP_SHA_256

    CMKs of all regions and all protection levels are supported.

    Dedicated Key Management Service (KMS) does not support RSAES_OAEP_SHA_1.

    EC_SM2

    SM2PKE

    CMKs whose ProtectionLevel is set to HSM are supported. The SM2 algorithm is developed and approved by the State Cryptography Administration of China. The SM2 algorithm can be used only to import key material for a CMK whose ProtectionLevel is set to HSM. You can use the SM2 algorithm only when you enable the Managed HSM feature for KMS in the Chinese mainland. For more information, see Overview of Managed HSM.

    For more information, see Import key material. This topic provides an example on how to query the parameters that are used to import key material for a CMK. The ID of the CMK is 1234abcd-12ab-34cd-56ef-12345678****, the encryption algorithm is RSAES_PKCS1_V1_5, and the public key is of the RSA_2048 type. The parameters that are returned include the ID of the CMK, the public key that is used to encrypt the key material, the token that is used to import the key material, and the time when the token expires.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes GetParametersForImport

The operation that you want to perform. Set the value to GetParametersForImport.

KeyId String Yes 202b9877-5a25-46e3-a763-e20791b5****

The globally unique ID of the CMK.

Note You can import key material only for CMKs whose Origin parameter is set to EXTERNAL.
WrappingAlgorithm String Yes RSAES_PKCS1_V1_5

The algorithm that is used to encrypt key material.

WrappingKeySpec String Yes RSA_2048

The type of the public key that is used to encrypt key material.

For more information about common request parameters, see Common parameters.

Response parameters

Parameter Type Example Description
KeyId String 202b9877-5a25-46e3-a763-e20791b5****

The globally unique ID of the CMK.

The value of this parameter is required when you call the ImportKeyMaterial operation.

ImportToken String Base64String

The token that is used to import key material.

The token is valid for 24 hours. The value of this parameter is required when you call the ImportKeyMaterial operation.

RequestId String 8cdf51fd-bcd6-d79a-0ef4-e52c9b5466dc

The ID of the request, which is used to locate and troubleshoot issues.

TokenExpireTime String 2018-01-25T00:01:02Z

The time when the token expires.

PublicKey String MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlls4uIBxD0GG84C+lGBO6Dhpf1J3XimC6cPmPNaKKJMOzoX4tD+C+r7aZv8lZ3vnPfxuxvy/YwG+whUxTEEFUdqJTOIzhPfYucupqKM92crVHIuG+xtMVeHKjyTr+UrtKCsQikqHT+19yDRN/RMoo2HUx0gmEnRyXd8t3JyUXun9FdoxKA08GrsV7nodb9ZsoBLhnev7tTLcXvLyKW6XG1ZQCQm6dPnbnwLeDXR7uK0Lqn9PM28mBIdaiQUQxj2XbM1CoJA+JiyVX3Ptdb+4rqukb4Rb05B80Bs9xV/cf7FIku08l7xGhrGiQFq+DFXwQWtwihXHZxz3LhldU+4ZPwID****

The public key that is used to encrypt key material.

The public key is Base64-encoded.

Examples

Sample requests

http(s)://[Endpoint]/?Action=GetParametersForImport
&KeyId=202b9877-5a25-46e3-a763-e20791b5****
&WrappingAlgorithm=RSAES_PKCS1_V1_5
&WrappingKeySpec=RSA_2048
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<GetParametersForImportResponse>
    <KeyId>202b9877-5a25-46e3-a763-e20791b5****</KeyId>
    <ImportToken>Base64String</ImportToken>
    <RequestId>8cdf51fd-bcd6-d79a-0ef4-e52c9b5466dc</RequestId>
    <TokenExpireTime>2018-01-25T00:01:02Z</TokenExpireTime>
    <PublicKey>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlls4uIBxD0GG84C+lGBO6Dhpf1J3XimC6cPmPNaKKJMOzoX4tD+C+r7aZv8lZ3vnPfxuxvy/YwG+whUxTEEFUdqJTOIzhPfYucupqKM92crVHIuG+xtMVeHKjyTr+UrtKCsQikqHT+19yDRN/RMoo2HUx0gmEnRyXd8t3JyUXun9FdoxKA08GrsV7nodb9ZsoBLhnev7tTLcXvLyKW6XG1ZQCQm6dPnbnwLeDXR7uK0Lqn9PM28mBIdaiQUQxj2XbM1CoJA+JiyVX3Ptdb+4rqukb4Rb05B80Bs9xV/cf7FIku08l7xGhrGiQFq+DFXwQWtwihXHZxz3LhldU+4ZPwID****</PublicKey>
</GetParametersForImportResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "KeyId" : "202b9877-5a25-46e3-a763-e20791b5****",
  "ImportToken" : "Base64String",
  "RequestId" : "8cdf51fd-bcd6-d79a-0ef4-e52c9b5466dc",
  "TokenExpireTime" : "2018-01-25T00:01:02Z",
  "PublicKey" : "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlls4uIBxD0GG84C+lGBO6Dhpf1J3XimC6cPmPNaKKJMOzoX4tD+C+r7aZv8lZ3vnPfxuxvy/YwG+whUxTEEFUdqJTOIzhPfYucupqKM92crVHIuG+xtMVeHKjyTr+UrtKCsQikqHT+19yDRN/RMoo2HUx0gmEnRyXd8t3JyUXun9FdoxKA08GrsV7nodb9ZsoBLhnev7tTLcXvLyKW6XG1ZQCQm6dPnbnwLeDXR7uK0Lqn9PM28mBIdaiQUQxj2XbM1CoJA+JiyVX3Ptdb+4rqukb4Rb05B80Bs9xV/cf7FIku08l7xGhrGiQFq+DFXwQWtwihXHZxz3LhldU+4ZPwID****"
}

Error codes

HTTP status code Error code Error message Description
400 Unsupported.Origin This key origin is not valid for this api The error message returned because the operation is supported only for CMKs whose Origin parameter is set to EXTERNAL.

For a list of error codes, visit the API Error Center.