Method: cryptoKeyVersions.import

HTTP request
Path parameters
Request body
- JSON representation
Response body
Authorization scopes
Try it!

Full name: projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.import

Import wrapped key material into a CryptoKeyVersion.

All requests must specify a CryptoKey. If a CryptoKeyVersion is additionally specified in the request, key material will be reimported into that version. Otherwise, a new version will be created, and will be assigned the next sequential id within the CryptoKey.

HTTP request

Choose a location:

The URLs use gRPC Transcoding syntax.

Path parameters

Parameters

Parameters
`parent`	`string` Required. The `name` of the `CryptoKey` to be imported into. The create permission is only required on this key when creating a new `CryptoKeyVersion`. Authorization requires the following IAM permission on the specified resource `parent`: `cloudkms.cryptoKeyVersions.create`

parent

string

Required. The name of the CryptoKey to be imported into.

The create permission is only required on this key when creating a new CryptoKeyVersion.

Authorization requires the following IAM permission on the specified resource parent:

cloudkms.cryptoKeyVersions.create

Request body

The request body contains data with the following structure:

JSON representation

JSON representation
{ "cryptoKeyVersion": string, "algorithm": enum (`CryptoKeyVersionAlgorithm`), "importJob": string, "wrappedKey": string, // Union field `wrapped_key_material` can be only one of the following: "rsaAesWrappedKey": string // End of list of possible types for union field `wrapped_key_material`. }

{
  "cryptoKeyVersion": string,
  "algorithm": enum (CryptoKeyVersionAlgorithm),
  "importJob": string,
  "wrappedKey": string,

  // Union field wrapped_key_material can be only one of the following:
  "rsaAesWrappedKey": string
  // End of list of possible types for union field wrapped_key_material.
}

Fields
`cryptoKeyVersion`	`string` Optional. The optional `name` of an existing `CryptoKeyVersion` to target for an import operation. If this field is not present, a new `CryptoKeyVersion` containing the supplied key material is created. If this field is present, the supplied key material is imported into the existing `CryptoKeyVersion`. To import into an existing `CryptoKeyVersion`, the `CryptoKeyVersion` must be a child of `ImportCryptoKeyVersionRequest.parent`, have been previously created via [cryptoKeyVersions.import][], and be in `DESTROYED` or `IMPORT_FAILED` state. The key material and algorithm must match the previous `CryptoKeyVersion` exactly if the `CryptoKeyVersion` has ever contained key material. Authorization requires the following IAM permission on the specified resource `cryptoKeyVersion`: `cloudkms.cryptoKeyVersions.update`
`algorithm`	`enum (CryptoKeyVersionAlgorithm)` Required. The `algorithm` of the key being imported. This does not need to match the `versionTemplate` of the `CryptoKey` this version imports into.
`importJob`	`string` Required. The `name` of the `ImportJob` that was used to wrap this key material. Authorization requires the following IAM permission on the specified resource `importJob`: `cloudkms.importjobs.useToImport`
`wrappedKey`	`string (bytes format)` Optional. The wrapped key material to import. Before wrapping, key material must be formatted. If importing symmetric key material, the expected key material format is plain bytes. If importing asymmetric key material, the expected key material format is PKCS#8-encoded DER (the PrivateKeyInfo structure from RFC 5208). When wrapping with import methods (`RSA_OAEP_3072_SHA1_AES_256` or `RSA_OAEP_4096_SHA1_AES_256` or `RSA_OAEP_3072_SHA256_AES_256` or `RSA_OAEP_4096_SHA256_AES_256`), this field must contain the concatenation of: An ephemeral AES-256 wrapping key wrapped with the `publicKey` using RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty label. The formatted key to be imported, wrapped with the ephemeral AES-256 key using AES-KWP (RFC 5649). This format is the same as the format produced by PKCS#11 mechanism CKM_RSA_AES_KEY_WRAP. When wrapping with import methods (`RSA_OAEP_3072_SHA256` or `RSA_OAEP_4096_SHA256`), this field must contain the formatted key to be imported, wrapped with the `publicKey` using RSAES-OAEP with SHA-256, MGF1 with SHA-256, and an empty label. A base64-encoded string.
Union field `wrapped_key_material`. This field is legacy. Use the field `wrapped_key` instead. `wrapped_key_material` can be only one of the following:
`rsaAesWrappedKey`	`string (bytes format)` Optional. This field has the same meaning as `wrappedKey`. Prefer to use that field in new work. Either that field or this field (but not both) must be specified. A base64-encoded string.

Response body

If successful, the response body contains an instance of CryptoKeyVersion.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/cloudkms
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.