tencent cloud



Last updated: 2023-03-24 16:02:41

1. API Description

Domain name for API request: kms.tencentcloudapi.com.

Create a master key CMK (Custom Master Key) for user management data keys

A maximum of 100 requests can be initiated per second for this API.

We recommend you to use API Explorer
Try it
API Explorer provides a range of capabilities, including online call, signature authentication, SDK code generation, and API quick search. It enables you to view the request, response, and auto-generated examples.

2. Input Parameters

The following request parameter list only provides API request parameters and some common parameters. For the complete common parameter list, see Common Request Parameters.

Parameter Name Required Type Description
Action Yes String Common Params. The value used for this API: CreateKey.
Version Yes String Common Params. The value used for this API: 2019-01-18.
Region No String Common Params. This parameter is not required for this API.
Alias Yes String Unique alias that makes a key more recognizable and understandable. This parameter cannot be empty, can contain 1-60 letters, digits, -, and _, and must begin with a letter or digit. The kms- prefix is used for Tencent Cloud products.
Description No String CMK description of up to 1,024 bytes in length
KeyUsage No String Defines the purpose of the key. The valid values are as follows: ENCRYPT_DECRYPT (default): creates a symmetric encryption/decryption key; ASYMMETRIC_DECRYPT_RSA_2048: creates an asymmetric encryption/decryption 2048-bit RSA key; ASYMMETRIC_DECRYPT_SM2: creates an asymmetric encryption/decryption SM2 key; ASYMMETRIC_SIGN_VERIFY_SM2: creates an asymmetric SM2 key for signature verification; ASYMMETRIC_SIGN_VERIFY_ECC: creates an asymmetric 2048-bit RSA key for signature verification; ASYMMETRIC_SIGN_VERIFY_ECDSA384: creates an asymmetric ECDSA384 key for signature verification. You can get a full list of supported key purposes and algorithms using the ListAlgorithms API.
Type No Integer Specifies the key type. Default value: 1. Valid value: 1 - default type, indicating that the CMK is created by KMS; 2 - EXTERNAL type, indicating that you need to import key material. For more information, please see the GetParametersForImport and ImportKeyMaterial API documents.
Tags.N No Array of Tag Tag list
HsmClusterId No String ID of the HSM cluster. This field is only valid for Exclusive and Managed KMS instances.

3. Output Parameters

Parameter Name Type Description
KeyId String Globally unique CMK ID
Alias String Alias that makes a key more recognizable and understandable
CreateTime Integer Key creation time in UNIX timestamp format
Description String CMK description
KeyState String CMK status
KeyUsage String CMK usage
TagCode Integer Tag operation return code. 0: success; 1: internal error; 2: business processing error
TagMsg String Tag operation return information
HsmClusterId String ID of the HSM cluster. This field is only valid for Exclusive and Managed KMS instances.
Note: This field may return null, indicating that no valid value can be obtained.
RequestId String The unique request ID, which is returned for each request. RequestId is required for locating a problem.

4. Example

Example1 Creating a CMK

This example shows you how to create a Custom Master Key (CMK) for data encryption key management. The CMK is required for creating data encryption keys, encryption and decryption, and more.

Input Example

&<Common request parameters>

Output Example

    "Response": {
        "KeyId": "9999aed0-4956-11e9-bc70-5254005e86b4",
        "Alias": "alias-0001",
        "CreateTime": 1552897190,
        "Description": "test cmk",
        "TagMsg": "Success",
        "TagCode": 0,
        "KeyState": "Enabled",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "RequestId": "850bf779-2249-4995-8c55-b3966daf0a8c",
        "HsmClusterId": ""

5. Developer Resources


TencentCloud API 3.0 integrates SDKs that support various programming languages to make it easier for you to call APIs.

Command Line Interface

6. Error Code

The following only lists the error codes related to the API business logic. For other error codes, see Common Error Codes.

Error Code Description
FailedOperation.TaggingError Tagging error.
InternalError Internal error.
InvalidParameter Invalid parameter.
InvalidParameterValue.AliasAlreadyExists The alias already exists.
InvalidParameterValue.InvalidAlias Incorrect alias format
InvalidParameterValue.InvalidHsmClusterId Invalid HSM cluster ID.
InvalidParameterValue.InvalidKeyUsage Incorrect KeyUsage parameter.
InvalidParameterValue.InvalidType Incorrect Type parameter.
InvalidParameterValue.TagKeysDuplicated Duplicate tag key.
InvalidParameterValue.TagsNotExisted The tag key or tag value does not exist.
LimitExceeded.CmkLimitExceeded The number of CMKs has reached the upper limit.
UnauthorizedOperation Unauthorized operation.
UnsupportedOperation.ServiceTemporaryUnavailable The service is temporarily unavailable.
UnsupportedOperation.UnsupportedKeyUsageInCurrentRegion The encryption method is not supported in the current region.
Contact Us

Contact our sales team or business advisors to help your business.

Technical Support

Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

7x24 Phone Support