Troubleshooting failed imports

Cloud Key Management Service allows you to import user-provided cryptographic keys. The initial state for an imported key is PENDING_IMPORT. When your import request is processed, the state is updated to ENABLED if the key material is imported successfully. If key material is not imported successfully, the state is updated to IMPORT_FAILED.

This topic describes the steps that you can take to understand why the state of your imported key is IMPORT_FAILED.

Problems with the key's format

Formatting issues are a common cause of import failures. The following error messages are typically caused by incorrectly formatted keys:

  • An argument to the import operation was malformed

  • The key material in the import request couldn't be unwrapped or wasn't formatted correctly

Length errors are a specific variety of formatting error that Cloud KMS will detect before it attempts to unwrap your key material. The following length error messages are typically caused by incorrectly formatted keys:

  • Wrapped ECDSA key has invalid length of (length)

  • Wrapped key is too short

  • Wrapped key does not consist of 64-bit blocks

  • Wrapped key has invalid length

You can learn more about formatting keys for import.

Problems wrapping a key

The following errors indicate a problem when manually wrapping keys for import.

  • An argument to the import operation was malformed

  • The key material in the import request couldn't be unwrapped or wasn't formatted correctly

Using automatic key wrapping is recommended. If you cannot use automatic key wrapping, verify that you are using the wrapping key from the correct import job and try to wrap the key again.