Last updated: 2020-12-02 11:27:28

1. API Description

Domain name for API request:

This API is used to import key material into an EXTERNAL CMK. The key obtained through the GetParametersForImport API is used to encrypt the key material. You can only reimport the same key material into the specified CMK and set a new expiration time. After the CMK key material is imported, it cannot be replaced. After the key material is expired or deleted, the CMK will remain unavailable until the same key material is reimported. CMKs are independent, which means that the same key material can be imported into different CMKs, but data encrypted by one CMK cannot be decrypted by another one.
Key material can only be imported into CMKs in Enabled and PendingImport status.

A maximum of 10 requests can be initiated per second for this API.

We recommend you to use API Explorer
Try it
API Explorer provides a range of capabilities, including online call, signature authentication, SDK code generation, and API quick search. It enables you to view the request, response, and auto-generated examples.

2. Input Parameters

The following request parameter list only provides API request parameters and some common parameters. For the complete common parameter list, see Common Request Parameters.

Parameter Name Required Type Description
Action Yes String Common parameter. The value used for this API: ImportKeyMaterial.
Version Yes String Common parameter. The value used for this API: 2019-01-18.
Region Yes String Common parameter. For more information, please see the list of regions supported by the product.
EncryptedKeyMaterial Yes String Base64-encoded key material that encrypted with the PublicKey returned by GetParametersForImport. For the KMS of SM-CRYPTO version, the length of the key material should be 128 bits, while for KMS of FIPS-compliant version, the length should be 256 bits.
ImportToken Yes String Import token obtained by calling GetParametersForImport.
KeyId Yes String Specifies the CMK into which to import key material, which must be the same as the one specified by GetParametersForImport.
ValidTo No Integer Unix timestamp of the key material's expiration time. If this value is empty or 0, the key material will never expire. To specify the expiration time, it should be later than the current time. Maximum value: 2147443200.

3. Output Parameters

Parameter Name Type Description
RequestId String The unique request ID, which is returned for each request. RequestId is required for locating a problem.

4. Example

Example1 Importing key material

Input Example
&<Common request parameters>

Output Example

  "Response": {
    "RequestId": "1b580852-1e38-11e9-b129-5cb9019b4b00"

5. Developer Resources


TencentCloud API 3.0 integrates SDKs that support various programming languages to make it easier for you to call APIs.

Command Line Interface

6. Error Code

The following only lists the error codes related to the API business logic. For other error codes, see Common Error Codes.

Error Code Description
InternalError Internal error.
InvalidParameter Invalid parameter.
InvalidParameter.DecryptMaterialError Decryption of EncryptedKeyMaterial failed.
InvalidParameterValue.MaterialNotMatch The key material is different from the one previously imported.
ResourceUnavailable.CmkNotFound The CMK does not exist.
ResourceUnavailable.CmkStateNotSupport This operation cannot be performed under the current CMK status.
ResourceUnavailable.TokenExpired Token has expired.
UnsupportedOperation.NotExternalCmk Incorrect CMK type. Only External CMKs are supported.
UnsupportedOperation.ServiceTemporaryUnavailable The service is temporarily unavailable.