Method: cryptoKeyVersions.import

HTTP request
Path parameters
Request body
- JSON representation
Response body
Authorization Scopes
Try it!

Full name: projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.import

Imports a new CryptoKeyVersion into an existing CryptoKey using the wrapped key material provided in the request.

The version ID will be assigned the next sequential id within the CryptoKey.

HTTP request

POST https://cloudkms.googleapis.com/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions:import

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters

Parameters
`parent`	`string` Required. The `name` of the `CryptoKey` to be imported into. Authorization requires the following IAM permission on the specified resource `parent`: `cloudkms.cryptoKeyVersions.create`

parent

string

Required. The name of the CryptoKey to be imported into.

Authorization requires the following IAM permission on the specified resource parent:

cloudkms.cryptoKeyVersions.create

Request body

The request body contains data with the following structure:

JSON representation
{ "algorithm": enum (`CryptoKeyVersionAlgorithm`), "importJob": string, "rsaAesWrappedKey": string }

Fields

Fields
`algorithm`	`enum (CryptoKeyVersionAlgorithm)` Required. The `algorithm` of the key being imported. This does not need to match the `versionTemplate` of the `CryptoKey` this version imports into.
`importJob`	`string` Required. The `name` of the `ImportJob` that was used to wrap this key material. Authorization requires the following IAM permission on the specified resource `importJob`: `cloudkms.importjobs.useToImport`
`rsaAesWrappedKey`	`string (bytes format)` Wrapped key material produced with `RSA_OAEP_3072_SHA1_AES_256` or `RSA_OAEP_4096_SHA1_AES_256`. This field contains the concatenation of two wrapped keys: An ephemeral AES-256 wrapping key wrapped with the `publicKey` using RSAES-OAEP with SHA-1, MGF1 with SHA-1, and an empty label. The key to be imported, wrapped with the ephemeral AES-256 key using AES-KWP (RFC 5649). If importing symmetric key material, it is expected that the unwrapped key contains plain bytes. If importing asymmetric key material, it is expected that the unwrapped key is in PKCS#8-encoded DER format (the PrivateKeyInfo structure from RFC 5208). This format is the same as the format produced by PKCS#11 mechanism CKM_RSA_AES_KEY_WRAP. A base64-encoded string.

algorithm

enum (CryptoKeyVersionAlgorithm)

Required. The algorithm of the key being imported. This does not need to match the versionTemplate of the CryptoKey this version imports into.

importJob

string

Required. The name of the ImportJob that was used to wrap this key material.

Authorization requires the following IAM permission on the specified resource importJob:

cloudkms.importjobs.useToImport

rsaAesWrappedKey

string (bytes format)

Wrapped key material produced with RSA_OAEP_3072_SHA1_AES_256 or RSA_OAEP_4096_SHA1_AES_256.

This field contains the concatenation of two wrapped keys:

An ephemeral AES-256 wrapping key wrapped with the publicKey using RSAES-OAEP with SHA-1, MGF1 with SHA-1, and an empty label.
The key to be imported, wrapped with the ephemeral AES-256 key using AES-KWP (RFC 5649).

If importing symmetric key material, it is expected that the unwrapped key contains plain bytes. If importing asymmetric key material, it is expected that the unwrapped key is in PKCS#8-encoded DER format (the PrivateKeyInfo structure from RFC 5208).

This format is the same as the format produced by PKCS#11 mechanism CKM_RSA_AES_KEY_WRAP.

A base64-encoded string.

Response body

If successful, the response body contains an instance of CryptoKeyVersion.

Authorization Scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/cloudkms
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.