This topic provides information to help you determine why the state of an
imported key version is IMPORT_FAILED.
Cloud Key Management Service allows you to import user-provided cryptographic keys as new
key versions. The initial state for an imported key version is PENDING_IMPORT.
If the key material is imported successfully, the state of the imported key
version is updated to ENABLED. If key material isn't imported successfully,
the state of the key version is updated to IMPORT_FAILED.
Problems with the key's format
Formatting issues are a common cause of import failures. The following error messages are typically caused by incorrectly formatted keys:
An argument to the import operation was malformedThe key material in the import request couldn't be unwrapped or wasn't formatted correctly
Length errors are a specific variety of formatting error that Cloud KMS can detect before it attempts to unwrap your key material. The following length error messages are typically caused by incorrectly formatted keys:
Wrapped ECDSA key has invalid length of (length)Wrapped key is too shortWrapped key does not consist of 64-bit blocksWrapped key has invalid length
You can learn more about formatting keys for import.
Problems wrapping a key
The following errors indicate a problem when manually wrapping keys for import.
An argument to the import operation was malformedThe key material in the import request couldn't be unwrapped or wasn't formatted correctly
Using automatic key wrapping is recommended. If you cannot use automatic key wrapping, verify that you are using the wrapping key from the correct import job and try to wrap the key again.