CreateKey
Creates a unique customer managed KMS key in your QConsole account.
Description
Creates a customer managed KMS key in your QConsole account. You can use a KMS key to encrypt small amounts of data (up to 4,096 bytes) directly, but KMS keys are more commonly used to encrypt data encryption keys (DEKs) which are then used to encrypt larger amounts of data.
Request Syntax
Headers
Name | Description | Required | Type |
---|---|---|---|
Content-Type | Must be "application/x-amz-json-1.1" | Yes | string |
X-Amz-Target | Must be "TrentService.CreateKey" | Yes | string |
Request Body
Name | Description | Required | Type |
---|---|---|---|
Policy | The key policy to attach to the KMS key. If you do not specify a policy, Q-KMS attaches a default key policy that gives the QConsole account full access to all KMS operations on the key; access for individual principals is then granted through IAM policies in that account. | No | string |
Description | A description of the KMS key. Use a description that helps you decide whether the KMS key is appropriate for a task. | No | string |
KeyUsage | Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This parameter is required only for asymmetric KMS keys. | No | string |
CustomerMasterKeySpec | Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. | No | string |
Origin | The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is QKMS, which means Q-KMS generates the key material. | No | string |
MultiRegion | Set to true to create a multi-Region primary key; its key ID carries the mrk- prefix (see Example 2). The default is false. You cannot change this value after you create the KMS key. | No | boolean |
BypassPolicyLockoutSafetyCheck | A flag to indicate whether to bypass the key policy lockout safety check. The default value is false. The safety check rejects a key policy that would leave no principal able to administer the key; set this to true only when you are certain the policy you supply still grants that access, because a key locked out this way may be unrecoverable. | No | boolean |
Tags | One or more tags. Each tag is an object with a TagKey and a TagValue, as shown in the request example below. | No | array |
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.CreateKey
{
  "Description": "Example KMS key for general use",
  "KeyUsage": "ENCRYPT_DECRYPT",
  "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
  "Origin": "QKMS",
  "Tags": [
    {
      "TagKey": "Purpose",
      "TagValue": "Test"
    }
  ]
}
The field values shown are placeholders; replace them with your own values.
Response Elements
Name | Description | Required | Type |
---|---|---|---|
KeyMetadata | Metadata associated with the new KMS key: AccountId, KeyId, Arn, CreationDate, Enabled, Description, KeyUsage, KeyState, Origin, CustomerMasterKeySpec and MultiRegion, as shown in the examples below. | Yes | object |
Examples
Example 1: Create a symmetric encryption KMS key
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.CreateKey
{
  "Description": "Example symmetric encryption KMS key",
  "KeyUsage": "ENCRYPT_DECRYPT",
  "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT"
}
The field values shown are placeholders; replace them with your own values.
HTTP/1.1 200 OK
Content-Type: application/x-amz-json-1.1
{
  "KeyMetadata": {
    "AccountId": "111122223333",
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "Arn": "arn:verenc:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "CreationDate": "2023-12-01T00:00:00-07:00",
    "Enabled": true,
    "Description": "Example symmetric encryption KMS key",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "Enabled",
    "Origin": "QKMS",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "MultiRegion": false
  }
}
The response values shown are illustrative; the account ID, key ID, ARN and creation date in a real response are specific to your account and key.
Example 2: Create a multi-Region primary key
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.CreateKey
{
  "Description": "Example multi-Region primary key",
  "MultiRegion": true,
  "KeyUsage": "ENCRYPT_DECRYPT",
  "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT"
}
The field values shown are placeholders; replace them with your own values.
HTTP/1.1 200 OK
Content-Type: application/x-amz-json-1.1
{
  "KeyMetadata": {
    "AccountId": "111122223333",
    "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
    "Arn": "arn:verenc:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
    "CreationDate": "2023-12-01T00:00:00-07:00",
    "Enabled": true,
    "Description": "Example multi-Region primary key",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "Enabled",
    "Origin": "QKMS",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "MultiRegion": true
  }
}
The response values shown are illustrative; note that a multi-Region key ID carries the mrk- prefix and MultiRegion is reported as true.
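The following client-side helper, an added example rather than code from the QConsole/Q-KMS project, builds a CreateKey request in the wire format shown in the Request Syntax section and validates the KeyMetadata returned in Examples 1 and 2 before the key is recorded as usable. The headers, field names, defaults and the mrk- prefix are taken from this page; the endpoint host used by send_create_key() is an assumed placeholder, as the page does not name one. The checks that matter in practice are the ones the page implies but does not spell out: a request that sets BypassPolicyLockoutSafetyCheck without an explicit Policy is refused, and a response whose AccountId, Arn, MultiRegion flag or KeyState does not match what was asked for is rejected.

```python
"""Build a TrentService.CreateKey request and validate its response.

Added example, not code from the QConsole/Q-KMS project. Headers, JSON field
names, defaults and the "mrk-" multi-Region key-ID prefix are taken from the
page; send_create_key() targets an assumed endpoint host, as the page names none.
"""
import json
import re
from dataclasses import dataclass
from http.client import HTTPSConnection

# Only the values the page documents are accepted; extend as the service allows.
KEY_USAGES = {"ENCRYPT_DECRYPT"}
KEY_SPECS = {"SYMMETRIC_DEFAULT"}
ORIGINS = {"QKMS"}
# Key IDs on the page: a UUID, or "mrk-" plus 32 hex digits for multi-Region keys.
KEY_ID_RE = re.compile(r"^(mrk-)?[0-9a-f-]{32,36}$")
CREATE_KEY_HEADERS = {"Content-Type": "application/x-amz-json-1.1",
                      "X-Amz-Target": "TrentService.CreateKey"}


def build_create_key_request(description, *, key_usage="ENCRYPT_DECRYPT",
                             key_spec="SYMMETRIC_DEFAULT", origin="QKMS",
                             multi_region=False, policy=None, tags=None,
                             bypass_lockout_check=False):
    """Return (headers, body dict) for CreateKey, rejecting unsupported or unsafe input."""
    if key_usage not in KEY_USAGES or key_spec not in KEY_SPECS or origin not in ORIGINS:
        raise ValueError("unsupported KeyUsage, CustomerMasterKeySpec or Origin")
    if bypass_lockout_check and policy is None:
        # The default policy is exactly what the lockout check protects; bypassing
        # it without supplying a policy can only produce an unmanageable key.
        raise ValueError("BypassPolicyLockoutSafetyCheck requires an explicit Policy")
    body = {"Description": description, "KeyUsage": key_usage,
            "CustomerMasterKeySpec": key_spec, "Origin": origin}
    if multi_region:
        body["MultiRegion"] = True
    if policy is not None:  # Policy is sent as a string; serialise a dict for the caller
        body["Policy"] = policy if isinstance(policy, str) else json.dumps(policy)
    if bypass_lockout_check:
        body["BypassPolicyLockoutSafetyCheck"] = True
    if tags:
        body["Tags"] = [{"TagKey": k, "TagValue": v} for k, v in tags.items()]
    return dict(CREATE_KEY_HEADERS), body


@dataclass(frozen=True)
class KeyMetadata:
    account_id: str
    key_id: str
    arn: str
    key_state: str
    enabled: bool
    multi_region: bool


def parse_key_metadata(response_body, *, expected_account):
    """Parse KeyMetadata and check the key is the one we asked for and is usable."""
    meta = json.loads(response_body)["KeyMetadata"]
    km = KeyMetadata(meta["AccountId"], meta["KeyId"], meta["Arn"], meta["KeyState"],
                     bool(meta["Enabled"]), bool(meta.get("MultiRegion", False)))
    # A key in another account is usable by that account's principals, not ours.
    if km.account_id != expected_account:
        raise ValueError(f"key created in account {km.account_id}, expected {expected_account}")
    if not KEY_ID_RE.match(km.key_id) or not km.arn.endswith(f"key/{km.key_id}"):
        raise ValueError("KeyId and Arn are inconsistent")
    # Only multi-Region keys carry the mrk- prefix, and all of them do.
    if km.multi_region != km.key_id.startswith("mrk-"):
        raise ValueError("MultiRegion flag does not match the KeyId prefix")
    if not (km.enabled and km.key_state == "Enabled"):
        raise ValueError(f"new key is not usable: KeyState={km.key_state}")
    return km


def send_create_key(host, headers, body):
    """POST the request to the (assumed) Q-KMS host; returns (status, response body)."""
    conn = HTTPSConnection(host, timeout=10)
    conn.request("POST", "/", body=json.dumps(body), headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read().decode()


# Constructed sample response, copied from Example 2 on the page.
SAMPLE_RESPONSE = json.dumps({"KeyMetadata": {
    "AccountId": "111122223333",
    "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
    "Arn": "arn:verenc:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
    "CreationDate": "2023-12-01T00:00:00-07:00", "Enabled": True,
    "Description": "Example multi-Region primary key", "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "Enabled", "Origin": "QKMS",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "MultiRegion": True}})

if __name__ == "__main__":
    hdrs, req = build_create_key_request("Example multi-Region primary key",
                                         multi_region=True, tags={"Purpose": "Test"})
    print(json.dumps(req, indent=2))
    print(parse_key_metadata(SAMPLE_RESPONSE, expected_account="111122223333"))
```

Pass the real endpoint host to send_create_key() together with the headers and body from build_create_key_request(), then feed the response body to parse_key_metadata() with the account ID you expect; the expected_account check is the one that catches a misconfigured credential or profile creating the key somewhere other than where the caller thinks it is.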
Special Errors
Error Code | Description |
---|---|
DependencyTimeoutException | The system timed out while trying to fulfill the request. |
InvalidArnException | The request was rejected because a specified ARN was not valid. |
KMSInternalException | The request was rejected because an internal error occurred. |
LimitExceededException | The request was rejected because a quota was exceeded. |
MalformedPolicyDocumentException | The request was rejected because the specified policy document was malformed. |
TagException | The request was rejected because one or more tags are not valid. |
UnsupportedOperationException | The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation. |
Permissions
To use the `CreateKey` operation, you must have the following permissions:
- `kms:CreateKey`
- `iam:CreateServiceLinkedRole` (required only to create multi-Region keys)