Imports key material into an existing AWS KMS customer master key (CMK) that was created without key material. You cannot perform this operation on a CMK in a different AWS account. For more information about creating CMKs with no key material and then importing key material, see Importing Key Material in the AWS Key Management Service Developer Guide.
kms_import_key_material(KeyId, ImportToken, EncryptedKeyMaterial,
ValidTo, ExpirationModel)[required] The identifier of the CMK to import the key material into. The CMK's
Origin must be EXTERNAL.
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
[required] The import token that you received in the response to a previous GetParametersForImport request. It must be from the same response that contained the public key that you used to encrypt the key material.
[required] The encrypted key material to import. It must be encrypted with the public key that you received in the response to a previous GetParametersForImport request, using the wrapping algorithm that you specified in that request.
The time at which the imported key material expires. When the key
material expires, AWS KMS deletes the key material and the CMK becomes
unusable. You must omit this parameter when the ExpirationModel
parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE. Otherwise it is
required.
Specifies whether the key material expires. The default is
KEY_MATERIAL_EXPIRES, in which case you must include the ValidTo
parameter. When this parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE,
you must omit the ValidTo parameter.
svc$import_key_material(
KeyId = "string",
ImportToken = raw,
EncryptedKeyMaterial = raw,
ValidTo = as.POSIXct(
"2015-01-01"
),
ExpirationModel = "KEY_MATERIAL_EXPIRES"|"KEY_MATERIAL_DOES_NOT_EXPIRE"
)
Before using this operation, call GetParametersForImport. Its response
includes a public key and an import token. Use the public key to encrypt
the key material. Then, submit the import token from the same
GetParametersForImport response.
When calling this operation, you must specify the following values:
The key ID or key ARN of a CMK with no key material. Its Origin
must be EXTERNAL.
To create a CMK with no key material, call CreateKey and set the
value of its Origin parameter to EXTERNAL. To get the Origin
of a CMK, call DescribeKey.)
The encrypted key material. To get the public key to encrypt the key material, call GetParametersForImport.
The import token that GetParametersForImport returned. This token and the public key used to encrypt the key material must have come from the same response.
Whether the key material expires and if so, when. If you set an expiration date, you can change it only by reimporting the same key material and specifying a new expiration date. If the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. To use the CMK again, you must reimport the same key material.
When this operation is successful, the key state of the CMK changes from
PendingImport to Enabled, and you can use the CMK. After you
successfully import key material into a CMK, you can reimport the same
key material into that CMK, but you cannot import different key
material.
The result of this operation varies with the key state of the CMK. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
# NOT RUN {
# The following example imports key material into the specified CMK.
# }
# NOT RUN {
svc$import_key_material(
EncryptedKeyMaterial = "<binary data>",
ExpirationModel = "KEY_MATERIAL_DOES_NOT_EXPIRE",
ImportToken = "<binary data>",
KeyId = "1234abcd-12ab-34cd-56ef-1234567890ab"
)
# }
# NOT RUN {
# }
Run the code above in your browser using DataCamp Workspace