CreateKey
最后更新时间:2025-12-04 15:44:21
1. API Description
Domain name for API request: kms.intl.tencentcloudapi.com.
Create a master key CMK (Custom Master Key) for user management data keys
A maximum of 100 requests can be initiated per second for this API.
We recommend you to use API Explorer
Try it
API Explorer provides a range of capabilities, including online call, signature authentication, SDK code generation, and API quick search. It enables you to view the request, response, and auto-generated examples.
2. Input Parameters
The following request parameter list only provides API request parameters and some common parameters. For the complete common parameter list, see Common Request Parameters.
| Parameter Name | Required | Type | Description |
|---|---|---|---|
| Action | Yes | String | Common Params. The value used for this API: CreateKey. |
| Version | Yes | String | Common Params. The value used for this API: 2019-01-18. |
| Region | Yes | String | Common Params. For more information, please see the list of regions supported by the product. |
| Alias | Yes | String | Unique alias that makes a key more recognizable and understandable. This parameter cannot be empty, can contain 1-60 letters, digits, -, and _, and must begin with a letter or digit. The kms- prefix is used for Tencent Cloud products. |
| Description | No | String | CMK description of up to 1,024 bytes in length |
| KeyUsage | No | String | Specifies the key purpose, defaults to "ENCRYPT_DECRYPT" indicating the creation of a symmetric encryption/decryption key. other supported purposes include "ASYMMETRIC_DECRYPT_RSA_2048" for RSA2048 ASYMMETRIC keys used to ENCRYPT and DECRYPT, "ASYMMETRIC_DECRYPT_SM2" for SM2 ASYMMETRIC keys used to ENCRYPT and DECRYPT, "ASYMMETRIC_SIGN_VERIFY_SM2" for SM2 ASYMMETRIC keys used for signature verification, "ASYMMETRIC_SIGN_VERIFY_ECC" for ECC ASYMMETRIC keys used for signature verification, "ASYMMETRIC_SIGN_VERIFY_RSA_2048" for RSA_2048 ASYMMETRIC keys used for signature verification, and "ASYMMETRIC_SIGN_VERIFY_ECDSA384" for ECDSA384 ASYMMETRIC keys used for signature verification. the complete list of key purposes and algorithm support can be obtained through the ListAlgorithms api. |
| Type | No | Integer | Specifies the key type. Default value: 1. Valid value: 1 - default type, indicating that the CMK is created by KMS; 2 - EXTERNAL type, indicating that you need to import key material. For more information, please see the GetParametersForImport and ImportKeyMaterial API documents. |
| Tags.N | No | Array of Tag | Tag list |
| HsmClusterId | No | String | ID of the HSM cluster. This field is only valid for Exclusive and Managed KMS instances. |
3. Output Parameters
| Parameter Name | Type | Description |
|---|---|---|
| KeyId | String | Globally unique CMK ID |
| Alias | String | Alias that makes a key more recognizable and understandable |
| CreateTime | Integer | Key creation time in UNIX timestamp format |
| Description | String | Specifies the description of the CMK. |
| KeyState | String | CMK status |
| KeyUsage | String | CMK usage |
| TagCode | Integer | Return code of Tag operation. 0: success; 1: cls internal error; 2: business processing error. |
| TagMsg | String | Response information of Tag operation. |
| HsmClusterId | String | HSM cluster ID (valid only for exclusive or managed version KMS service instances). |
| RequestId | String | The unique request ID, generated by the server, will be returned for every request (if the request fails to reach the server for other reasons, the request will not obtain a RequestId). RequestId is required for locating a problem. |
4. Example
Example1 Creating a CMK Example
This example shows you how to create a Custom Master Key (CMK) for user-managed DEKs. Subsequently, you can call other APIs such as creating DEKs and performing encryption and decryption operations.
Input Example
POST / HTTP/1.1
Host: kms.intl.tencentcloudapi.com
Content-Type: application/json
X-TC-Action: CreateKey
<Common request parameters>
{
"Description": "test Description"
"Alias": "test8-lzc",
"KeyUsage": "ENCRYPT_DECRYPT",
"Type": 1,
"Tags": [
{
"TagKey": "env",
"TagValue": "dev"
}
]
}Output Example
{
"Response": {
"Alias": "test8-lzc",
"CreateTime": 1730347170,
"Description": "test description"
"HsmClusterId": "cls-hsm-3dflmo9g",
"KeyId": "87ff856e-973c-11ef-947b-525400d834e5",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"RequestId": "c44aba41-015a-45aa-9e55-1a08ac9d1d78",
"TagCode": 0,
"TagMsg": "ok"
}
}5. Developer Resources
SDK
TencentCloud API 3.0 integrates SDKs that support various programming languages to make it easier for you to call APIs.
- Tencent Cloud SDK 3.0 for Python
- Tencent Cloud SDK 3.0 for Java
- Tencent Cloud SDK 3.0 for PHP
- Tencent Cloud SDK 3.0 for Go
- Tencent Cloud SDK 3.0 for Node.js
- Tencent Cloud SDK 3.0 for .NET
- Tencent Cloud SDK 3.0 for C++
Command Line Interface
6. Error Code
The following only lists the error codes related to the API business logic. For other error codes, see Common Error Codes.
| Error Code | Description |
|---|---|
| FailedOperation.TaggingError | Tagging error. |
| InternalError | Internal error. |
| InvalidParameter | Invalid parameter. |
| InvalidParameterValue.AliasAlreadyExists | The alias already exists. |
| InvalidParameterValue.InvalidAlias | Incorrect alias format |
| InvalidParameterValue.InvalidHsmClusterId | Invalid HSM cluster ID. |
| InvalidParameterValue.InvalidKeyUsage | Incorrect KeyUsage parameter. |
| InvalidParameterValue.InvalidType | Incorrect Type parameter. |
| InvalidParameterValue.TagKeysDuplicated | Duplicate tag key. |
| InvalidParameterValue.TagsNotExisted | The tag key or tag value does not exist. |
| LimitExceeded.CmkLimitExceeded | The number of CMKs has reached the upper limit. |
| UnauthorizedOperation | Unauthorized operation. |
| UnsupportedOperation.ServiceTemporaryUnavailable | The service is temporarily unavailable. |
| UnsupportedOperation.UnsupportedKeyUsageInCurrentRegion | The encryption method is not supported in the current region. |
文档反馈