AWS SDK Version 3 for .NET
API Reference

AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Creates a customer managed customer master key (CMK) in your AWS account.

You can use a CMK to encrypt small amounts of data (up to 4096 bytes) directly. But CMKs are more commonly used to encrypt the data keys that are used to encrypt data.

To create a CMK for imported key material, use the Origin parameter with a value of EXTERNAL.

To create a CMK in a custom key store, use the CustomKeyStoreId parameter to specify the custom key store. You must also use the Origin parameter with a value of AWS_CLOUDHSM. The AWS CloudHSM cluster that is associated with the custom key store must have at least two active HSMs in different Availability Zones in the AWS Region.

You cannot use this operation to create a CMK in a different AWS account.

Note:

For .NET Core and PCL this operation is only available in asynchronous form. Please refer to CreateKeyAsync.

Namespace: Amazon.KeyManagementService
Assembly: AWSSDK.KeyManagementService.dll
Version: 3.x.y.z

Syntax

C#
public virtual CreateKeyResponse CreateKey(
         CreateKeyRequest request
)
Parameters
request
Type: Amazon.KeyManagementService.Model.CreateKeyRequest

Container for the necessary parameters to execute the CreateKey service method.

Return Value
The response from the CreateKey service method, as returned by KeyManagementService.

Exceptions

ExceptionCondition
CloudHsmClusterInvalidConfigurationException The request was rejected because the associated AWS CloudHSM cluster did not meet the configuration requirements for a custom key store. The cluster must be configured with private subnets in at least two different Availability Zones in the Region. The security group for the cluster (cloudhsm-cluster--sg) must include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the Destination in the outbound rules must match the security group ID. These rules are set by default when you create the cluster. Do not delete or change them. To get information about a particular security group, use the DescribeSecurityGroups operation. The cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the AWS CloudHSM CreateHsm operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the AWS CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the ConnectCustomKeyStore operation, the AWS CloudHSM must contain at least one active HSM. For information about the requirements for an AWS CloudHSM cluster that is associated with a custom key store, see Assemble the Prerequisites in the AWS Key Management Service Developer Guide. For information about creating a private subnet for an AWS CloudHSM cluster, see Create a Private Subnet in the AWS CloudHSM User Guide. For information about cluster security groups, see Configure a Default Security Group in the AWS CloudHSM User Guide.
CustomKeyStoreInvalidStateException The request was rejected because of the ConnectionState of the custom key store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation. This exception is thrown under the following conditions: You requested the CreateKey or GenerateRandom operation in a custom key store that is not connected. These operations are valid only when the custom key store ConnectionState is CONNECTED. You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not disconnected. This operation is valid only when the custom key store ConnectionState is DISCONNECTED. You requested the ConnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or FAILED. This operation is valid for all other ConnectionState values.
CustomKeyStoreNotFoundException The request was rejected because AWS KMS cannot find a custom key store with the specified key store name or ID.
DependencyTimeoutException The system timed out while trying to fulfill the request. The request can be retried.
InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
KMSInternalException The request was rejected because an internal exception occurred. The request can be retried.
LimitExceededException The request was rejected because a limit was exceeded. For more information, see Limits in the AWS Key Management Service Developer Guide.
MalformedPolicyDocumentException The request was rejected because the specified policy is not syntactically or semantically correct.
TagException The request was rejected because one or more tags are not valid.
UnsupportedOperationException The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.

Examples

The following example creates a CMK.

To create a customer master key (CMK)


var response = client.CreateKey(new CreateKeyRequest 
{
    Tags = new List<Tag> {
        new Tag {
            TagKey = "CreatedBy",
            TagValue = "ExampleUser"
        }
    } // One or more tags. Each tag consists of a tag key and a tag value.
});

KeyMetadata keyMetadata = response.KeyMetadata; // An object that contains information about the CMK created by this operation.

            

Version Information

.NET Framework:
Supported in: 4.5, 4.0, 3.5

Portable Class Library:
Supported in: Windows Store Apps
Supported in: Windows Phone 8.1
Supported in: Xamarin Android
Supported in: Xamarin iOS (Unified)
Supported in: Xamarin.Forms

See Also