AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.
Imports key material into an existing AWS KMS customer master key (CMK) that was created without key material. You cannot perform this operation on a CMK in a different AWS account. For more information about creating CMKs with no key material and then importing key material, see Importing Key Material in the AWS Key Management Service Developer Guide.
Before using this operation, call GetParametersForImport. Its response includes
a public key and an import token. Use the public key to encrypt the key material.
Then, submit the import token from the same GetParametersForImport response.
When calling this operation, you must specify the following values:
The key ID or key ARN of a CMK with no key material. Its Origin must
be EXTERNAL.
To create a CMK with no key material, call CreateKey and set the value of its
Origin parameter to EXTERNAL. To get the Origin
of a CMK, call DescribeKey.)
The encrypted key material. To get the public key to encrypt the key material, call GetParametersForImport.
The import token that GetParametersForImport returned. This token and the public key used to encrypt the key material must have come from the same response.
Whether the key material expires and if so, when. If you set an expiration date, you can change it only by reimporting the same key material and specifying a new expiration date. If the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. To use the CMK again, you must reimport the same key material.
When this operation is successful, the CMK's key state changes from PendingImport
to Enabled, and you can use the CMK. After you successfully import key
material into a CMK, you can reimport the same key material into that CMK, but you
cannot import different key material.
The result of this operation varies with the key state of the CMK. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
For .NET Core and PCL this operation is only available in asynchronous form. Please refer to ImportKeyMaterialAsync.
Namespace: Amazon.KeyManagementService
Assembly: AWSSDK.KeyManagementService.dll
Version: 3.x.y.z
public virtual ImportKeyMaterialResponse ImportKeyMaterial( ImportKeyMaterialRequest request )
Container for the necessary parameters to execute the ImportKeyMaterial service method.
| Exception | Condition |
|---|---|
| DependencyTimeoutException | The system timed out while trying to fulfill the request. The request can be retried. |
| ExpiredImportTokenException | The request was rejected because the provided import token is expired. Use GetParametersForImport to get a new import token and public key, use the new public key to encrypt the key material, and then try the request again. |
| IncorrectKeyMaterialException | The request was rejected because the provided key material is invalid or is not the same key material that was previously imported into this customer master key (CMK). |
| InvalidArnException | The request was rejected because a specified ARN was not valid. |
| InvalidCiphertextException | The request was rejected because the specified ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption context, is corrupted, missing, or otherwise invalid. |
| InvalidImportTokenException | The request was rejected because the provided import token is invalid or is associated with a different customer master key (CMK). |
| KMSInternalException | The request was rejected because an internal exception occurred. The request can be retried. |
| KMSInvalidStateException | The request was rejected because the state of the specified resource is not valid for this request. For more information about how key state affects the use of a CMK, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide. |
| NotFoundException | The request was rejected because the specified entity or resource could not be found. |
| UnsupportedOperationException | The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation. |
The following example imports key material into the specified CMK.
var response = client.ImportKeyMaterial(new ImportKeyMaterialRequest
{
EncryptedKeyMaterial = new MemoryStream(), // The encrypted key material to import.
ExpirationModel = "KEY_MATERIAL_DOES_NOT_EXPIRE", // A value that specifies whether the key material expires.
ImportToken = new MemoryStream(), // The import token that you received in the response to a previous GetParametersForImport request.
KeyId = "1234abcd-12ab-34cd-56ef-1234567890ab" // The identifier of the CMK to import the key material into. You can use the key ID or the Amazon Resource Name (ARN) of the CMK.
});
.NET Framework:
Supported in: 4.5, 4.0, 3.5
Portable Class Library:
Supported in: Windows Store Apps
Supported in: Windows Phone 8.1
Supported in: Xamarin Android
Supported in: Xamarin iOS (Unified)
Supported in: Xamarin.Forms
