GetParametersForImport
Gets the import token and the wrapping key certificate in PEM format (base64 encoded) to initiate a TR-34 WrappedKeyBlock or a RSA WrappedKeyCryptogram import into AWS Payment Cryptography.
The wrapping key certificate wraps the key under import. The import token and wrapping key certificate must be in place and operational before calling ImportKey. The import token expires in 30 days. You can use the same import token to import multiple keys into your service account.
Cross-account use: This operation can't be used across different AWS accounts.
Related operations:
Request Syntax
{
"KeyMaterialType": "string",
"WrappingKeyAlgorithm": "string"
}Request Parameters
The request accepts the following data in JSON format.
- KeyMaterialType
-
The method to use for key material import. Import token is only required for TR-34 WrappedKeyBlock (
TR34_KEY_BLOCK) and RSA WrappedKeyCryptogram (KEY_CRYPTOGRAM).Import token is not required for TR-31, root public key cerificate or trusted public key certificate.
Type: String
Valid Values:
TR34_KEY_BLOCK | TR31_KEY_BLOCK | ROOT_PUBLIC_KEY_CERTIFICATE | TRUSTED_PUBLIC_KEY_CERTIFICATE | KEY_CRYPTOGRAMRequired: Yes
- WrappingKeyAlgorithm
-
The wrapping key algorithm to generate a wrapping key certificate. This certificate wraps the key under import.
At this time,
RSA_2048is the allowed algorithm for TR-34 WrappedKeyBlock import. Additionally,RSA_2048,RSA_3072,RSA_4096are the allowed algorithms for RSA WrappedKeyCryptogram import.Type: String
Valid Values:
TDES_2KEY | TDES_3KEY | AES_128 | AES_192 | AES_256 | HMAC_SHA256 | HMAC_SHA384 | HMAC_SHA512 | HMAC_SHA224 | RSA_2048 | RSA_3072 | RSA_4096 | ECC_NIST_P256 | ECC_NIST_P384 | ECC_NIST_P521Required: Yes
Response Syntax
{
"ImportToken": "string",
"ParametersValidUntilTimestamp": number,
"WrappingKeyAlgorithm": "string",
"WrappingKeyCertificate": "string",
"WrappingKeyCertificateChain": "string"
}Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- ImportToken
-
The import token to initiate key import into AWS Payment Cryptography. The import token expires after 30 days. You can use the same import token to import multiple keys to the same service account.
Type: String
Pattern:
(import-token-[0-9a-zA-Z]{16,64})? - ParametersValidUntilTimestamp
-
The validity period of the import token.
Type: Timestamp
- WrappingKeyAlgorithm
-
The algorithm of the wrapping key for use within TR-34 WrappedKeyBlock or RSA WrappedKeyCryptogram.
Type: String
Valid Values:
TDES_2KEY | TDES_3KEY | AES_128 | AES_192 | AES_256 | HMAC_SHA256 | HMAC_SHA384 | HMAC_SHA512 | HMAC_SHA224 | RSA_2048 | RSA_3072 | RSA_4096 | ECC_NIST_P256 | ECC_NIST_P384 | ECC_NIST_P521 - WrappingKeyCertificate
-
The wrapping key certificate in PEM format (base64 encoded) of the wrapping key for use within the TR-34 key block. The certificate expires in 30 days.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 32768.
Pattern:
[^\[;\]<>]+ - WrappingKeyCertificateChain
-
The AWS Payment Cryptography root certificate authority (CA) that signed the wrapping key certificate in PEM format (base64 encoded).
Type: String
Length Constraints: Minimum length of 1. Maximum length of 32768.
Pattern:
[^\[;\]<>]+
Errors
- AccessDeniedException
-
You do not have sufficient access to perform this action.
This exception is thrown when the caller lacks the necessary IAM permissions to perform the requested operation. Verify that your IAM policy includes the required permissions for the specific AWS Payment Cryptography action you're attempting.
HTTP Status Code: 400
- ConflictException
-
This request can cause an inconsistent state for the resource.
The requested operation conflicts with the current state of the resource. For example, attempting to delete a key that is currently being used, or trying to create a resource that already exists.
HTTP Status Code: 400
- InternalServerException
-
The request processing has failed because of an unknown error, exception, or failure.
This indicates a server-side error within the AWS Payment Cryptography service. If this error persists, contact support for assistance.
HTTP Status Code: 500
- ResourceNotFoundException
-
The request was denied due to resource not found.
The specified key, alias, or other resource does not exist in your account or region. Verify that the resource identifier is correct and that the resource exists in the expected region.
HTTP Status Code: 400
- ServiceQuotaExceededException
-
This request would cause a service quota to be exceeded.
You have reached the maximum number of keys, aliases, or other resources allowed in your account. Review your current usage and consider deleting unused resources or requesting a quota increase.
HTTP Status Code: 400
- ServiceUnavailableException
-
The service cannot complete the request.
The AWS Payment Cryptography service is temporarily unavailable. This is typically a temporary condition - retry your request after a brief delay.
HTTP Status Code: 500
- ThrottlingException
-
The request was denied due to request throttling.
You have exceeded the rate limits for AWS Payment Cryptography API calls. Implement exponential backoff and retry logic in your application to handle throttling gracefully.
HTTP Status Code: 400
- ValidationException
-
The request was denied due to an invalid request error.
One or more parameters in your request are invalid. Check the parameter values, formats, and constraints specified in the API documentation.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
