ImportKeyMaterial
Imports key material into a KMS key.
Description
The ImportKeyMaterial operation imports key material into a KMS key. This operation completes the process of importing key material into QKMS. Before calling this operation, you must first call GetParametersForImport to get the public key and import token.
note
- The KMS key must be in a compatible key state and have no key material.
- The key material must be encrypted with the public key from a
GetParametersForImportresponse. - The import token must be from the same
GetParametersForImportresponse. - The public key, import token, and encrypted key material must be from the same
GetParametersForImportresponse. - For more information about importing key material, see Importing Key Material.
Request Syntax
Headers
| Name | Description | Required | Type |
|---|---|---|---|
| Content-Type | Must be "application/x-amz-json-1.1" | Yes | string |
| X-Amz-Target | Must be "TrentService.ImportKeyMaterial" | Yes | string |
Request Body
| Name | Description | Required | Type |
|---|---|---|---|
| EncryptedKeyMaterial | The encrypted key material to import. The key material must be encrypted with the public key from the same GetParametersForImport response. | Yes | blob |
| ExpirationModel | Specifies whether the key material expires. Valid Values: KEY_MATERIAL_EXPIRES | KEY_MATERIAL_DOES_NOT_EXPIRE. | Yes | string |
| ImportToken | The import token that you received in the response to a previous GetParametersForImport request. | Yes | blob |
| KeyId | The identifier of the KMS key to import the key material into. This must identify a symmetric encryption KMS key with no key material. | Yes | string |
| ValidTo | The time at which the imported key material expires. Required when ExpirationModel is KEY_MATERIAL_EXPIRES. | No | timestamp |
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.ImportKeyMaterial
{
"EncryptedKeyMaterial": "AQICAHiBzWrXqca+q2GRHuHjYWJP+Xz9sXBxqt/9pB1lXKg4HQGZ4gXL/8Aw/zrIQEUHAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM6v4DhjrVUqgdqVEuAgEQgDsgli8KqqW4qp0g9ZWnHdRGYc3ZJzpV3xH9qVGFRwzVVKJNK/Ey/fGS2tl4TOQXLcTYJMEOxR8gPjA=",
"ExpirationModel": "KEY_MATERIAL_EXPIRES",
"ImportToken": "AQICAHiBzWrXqca+q2GRHuHjYWJP+Xz9sXBxqt/9pB1lXKg4HQGZ4gXL/8Aw/zrIQEUHAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM6v4DhjrVUqgdqVEuAgEQgDsgli8KqqW4qp0g9ZWnHdRGYc3ZJzpV3xH9qVGFRwzVVKJNK/Ey/fGS2tl4TOQXLcTYJMEOxR8gPjA=",
"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"ValidTo": 1668815672
}
Values in italics indicate user input and should be replaced with actual values.
Response Elements
This operation returns no response data.
Special Errors
| Error Code | Description |
|---|---|
| DependencyTimeoutException | The system timed out while trying to fulfill the request. |
| ExpiredImportTokenException | The request was rejected because the provided import token has expired. |
| IncorrectKeyMaterialException | The request was rejected because the provided key material is invalid or incompatible with the KMS key. |
| InvalidArnException | The request was rejected because a specified ARN was not valid. |
| InvalidCiphertextException | The request was rejected because the specified ciphertext has been corrupted or is otherwise invalid. |
| InvalidImportTokenException | The request was rejected because the provided import token is invalid or is not associated with the specified KMS key. |
| KMSInternalException | An internal error occurred. |
| KMSInvalidStateException | The request was rejected because the key state is not valid for this operation. |
| NotFoundException | The request was rejected because the specified entity or resource could not be found. |
Permissions
To use the ImportKeyMaterial operation, you must have the following permissions:
kms:ImportKeyMaterialon the KMS key (specified in the policy)
Try It Out
Test ImportKeyMaterial
Import key material into a KMS key.
Coming Soon
This feature is currently under development and will be available soon.