GetPublicKey
Downloads the public key of an asymmetric KMS key.
Description
The `GetPublicKey` operation returns the public key from an asymmetric KMS key. The KMS key must be an asymmetric key and the key state must be `Enabled`. You can use the public key to encrypt data or verify signatures outside of QKMS.
Note:
- The KMS key must be asymmetric.
- The key state must be `Enabled`.
- The public key is returned in plaintext.
- You can use the public key outside of QKMS for encryption or signature verification.
Request Syntax
```
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.GetPublicKey

{
  "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
}
```
Values in italics indicate user input and should be replaced with actual values.
Request Parameters
Headers
Name | Description | Required | Type |
---|---|---|---|
Content-Type | Must be "application/x-amz-json-1.1" | Yes | string |
X-Amz-Target | Must be "TrentService.GetPublicKey" | Yes | string |
Request Body
Name | Description | Required | Type |
---|---|---|---|
KeyId | Identifies the asymmetric KMS key that contains the public key. The value can be the ID or ARN of a KMS key. | Yes | string |
GrantTokens | A list of grant tokens. Use grant tokens when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. | No | array |
Examples
Example 1: Get the public key of an RSA KMS key
```
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.GetPublicKey

{
  "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
}
```
```
HTTP/1.1 200 OK
Content-Type: application/x-amz-json-1.1

{
  "KeyId": "arn:verenc:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
  "PublicKey": "Base64-encoded public key",
  "CustomerMasterKeySpec": "RSA_2048",
  "KeyUsage": "ENCRYPT_DECRYPT",
  "EncryptionAlgorithms": [
    "RSAES_OAEP_SHA_1",
    "RSAES_OAEP_SHA_256"
  ]
}
```
Values in italics indicate variable response values.
Example 2: Get the public key of an ECC signing key
```
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.GetPublicKey

{
  "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
}
```
```
HTTP/1.1 200 OK
Content-Type: application/x-amz-json-1.1

{
  "KeyId": "arn:verenc:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
  "PublicKey": "Base64-encoded public key",
  "CustomerMasterKeySpec": "ECC_NIST_P256",
  "KeyUsage": "SIGN_VERIFY",
  "SigningAlgorithms": [
    "ECDSA_SHA_256"
  ]
}
```
Response Syntax
```
HTTP/1.1 200 OK
Content-Type: application/x-amz-json-1.1

{
  "KeyId": "string",
  "PublicKey": "blob",
  "CustomerMasterKeySpec": "string",
  "KeyUsage": "string",
  "EncryptionAlgorithms": [
    "string"
  ],
  "SigningAlgorithms": [
    "string"
  ]
}
```
Response Elements
Name | Description | Required | Type |
---|---|---|---|
KeyId | The Amazon Resource Name (ARN) of the asymmetric KMS key from which the public key was downloaded. | No | String |
PublicKey | The public key (plaintext). | No | String |
CustomerMasterKeySpec | The type of the asymmetric KMS key (e.g., RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, etc.). | No | String |
KeyUsage | The permitted use of the public key. Valid values are ENCRYPT_DECRYPT or SIGN_VERIFY. | No | String |
EncryptionAlgorithms | The encryption algorithms that QKMS supports for this key. Present only for asymmetric KMS keys with KeyUsage of ENCRYPT_DECRYPT. | No | String |
SigningAlgorithms | The signing algorithms that QKMS supports for this key. Present only for asymmetric KMS keys with KeyUsage of SIGN_VERIFY. | No | String |
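
Before a downloaded key is used outside QKMS, the response fields can be checked against what the caller intends to do with it. The following is an added example, not QKMS code: it assumes `PublicKey` decodes to a DER SubjectPublicKeyInfo (the page only says Base64), and `check_public_key`, `SPEC_OIDS` and the sample key bytes are constructed for illustration.

```python
import base64
import hashlib

# Assumption: PublicKey is a Base64-encoded DER SubjectPublicKeyInfo (the page only says Base64).
OID_RSA = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption
OID_EC = bytes.fromhex("06072a8648ce3d0201")        # id-ecPublicKey
OID_P256 = bytes.fromhex("06082a8648ce3d030107")    # prime256v1
SPEC_OIDS = {"RSA_2048": OID_RSA, "RSA_3072": OID_RSA, "RSA_4096": OID_RSA,
             "ECC_NIST_P256": OID_EC + OID_P256}

# Constructed sample: a P-256 SPKI header followed by an all-zero (not real) point.
SAMPLE_DER = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200") + b"\x04" + bytes(64)

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def check_public_key(resp, key_id, usage, algorithm):
    """Validate a GetPublicKey response; return the SHA-256 fingerprint of the key."""
    if resp["KeyId"].rsplit("/", 1)[-1] != key_id:
        raise ValueError("response is for a different key")
    if resp["KeyUsage"] != usage:
        raise ValueError("KeyUsage does not permit the intended operation")
    field = "SigningAlgorithms" if usage == "SIGN_VERIFY" else "EncryptionAlgorithms"
    if algorithm not in resp.get(field, []):
        raise ValueError("algorithm not listed for this key")
    expected = SPEC_OIDS.get(resp["CustomerMasterKeySpec"])
    if expected is None:
        raise ValueError("key spec not handled by this check")
    der = base64.b64decode(resp["PublicKey"], validate=True)
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg_id, _ = _tlv(spki, 0)
    # RSA modulus size is not checked here; only the algorithm (and curve) OIDs are.
    if tag != 0x30 or not alg_id.startswith(expected):
        raise ValueError("key material does not match CustomerMasterKeySpec")
    return hashlib.sha256(der).hexdigest()
```

The returned fingerprint can be recorded when the key is first downloaded and compared on later downloads to detect an unexpected change of key material.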
Special Errors
Error Code | Description |
---|---|
DependencyTimeoutException | The system timed out while trying to fulfill the request. |
DisabledException | The request was rejected because the specified KMS key is disabled. |
InvalidKeyUsageException | The request was rejected because the specified KeyId value cannot be used for this operation. |
KeyUnavailableException | The request was rejected because the specified KMS key was not available. |
KMSInternalException | The request was rejected because an internal error occurred. |
KMSInvalidStateException | The request was rejected because the key state is not valid for this operation. |
NotFoundException | The request was rejected because the specified entity or resource could not be found. |
UnsupportedOperationException | The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation. |
Permissions
To use the `GetPublicKey` operation, you must have the following permissions:
- `kms:GetPublicKey` on the KMS key (specified in the policy)