Imports key material into an existing symmetric AWS KMS customer master key (CMK) that was created without key material. After you successfully import key material into a CMK, you can reimport the same key material into that CMK, but you cannot import different key material.
kms_import_key_material(KeyId, ImportToken, EncryptedKeyMaterial, ValidTo, ExpirationModel)
[required] The identifier of the symmetric CMK that receives the imported key
material. The CMK\'s
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
[required] The import token that you received in the response to a previous GetParametersForImport request. It must be from the same response that contained the public key that you used to encrypt the key material.
[required] The encrypted key material to import. The key material must be encrypted
with the public wrapping key that GetParametersForImport returned, using
the wrapping algorithm that you specified in the same
The time at which the imported key material expires. When the key
material expires, AWS KMS deletes the key material and the CMK becomes
unusable. You must omit this parameter when the
Specifies whether the key material expires. The default is
You cannot perform this operation on an asymmetric CMK or on any CMK in a different AWS account. For more information about creating CMKs with no key material and then importing key material, see Importing Key Material in the AWS Key Management Service Developer Guide.
Before using this operation, call GetParametersForImport. Its response
includes a public key and an import token. Use the public key to encrypt
the key material. Then, submit the import token from the same
When calling this operation, you must specify the following values:
The key ID or key ARN of a CMK with no key material. Its
To create a CMK with no key material, call CreateKey and set the
value of its
Origin parameter to
EXTERNAL. To get the
of a CMK, call DescribeKey.)
The encrypted key material. To get the public key to encrypt the key material, call GetParametersForImport.
The import token that GetParametersForImport returned. You must use
a public key and token from the same
Whether the key material expires and if so, when. If you set an expiration date, AWS KMS deletes the key material from the CMK on the specified date, and the CMK becomes unusable. To use the CMK again, you must reimport the same key material. The only way to change an expiration date is by reimporting the same key material and specifying a new expiration date.
When this operation is successful, the key state of the CMK changes from
Enabled, and you can use the CMK.
If this operation fails, use the exception to help determine the problem. If the error is related to the key material, the import token, or wrapping key, use GetParametersForImport to get a new public key and import token for the CMK and repeat the import procedure. For help, see How To Import Key Material in the AWS Key Management Service Developer Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
1 2 3 4 5 6 7 8 9
1 2 3 4 5 6 7
# The following example imports key material into the specified CMK. svc$import_key_material( EncryptedKeyMaterial = "<binary data>", ExpirationModel = "KEY_MATERIAL_DOES_NOT_EXPIRE", ImportToken = "<binary data>", KeyId = "1234abcd-12ab-34cd-56ef-1234567890ab" )
Add the following code to your website.
For more information on customizing the embed code, read Embedding Snippets.