getPublicKey method
Returns the public key of an asymmetric KMS key. Unlike the private key of
a asymmetric KMS key, which never leaves KMS unencrypted, callers with
kms:GetPublicKey permission can download the public key of an
asymmetric KMS key. You can share the public key to allow others to
encrypt messages and verify signatures outside of KMS. For information
about asymmetric KMS keys, see Asymmetric
KMS keys in the Key Management Service Developer Guide.
You do not need to download the public key. Instead, you can use the public key within KMS by calling the Encrypt, ReEncrypt, or Verify operations with the identifier of an asymmetric KMS key. When you use the public key within KMS, you benefit from the authentication, authorization, and logging that are part of every KMS operation. You also reduce of risk of encrypting data that cannot be decrypted. These features are not effective outside of KMS.
To help you use the public key safely outside of KMS,
GetPublicKey returns important information about the public
key in the response, including:
-
KeySpec:
The type of key material in the public key, such as
RSA_4096orECC_NIST_P521. - KeyUsage: Whether the key is used for encryption, signing, or deriving a shared secret.
- EncryptionAlgorithms, KeyAgreementAlgorithms, or SigningAlgorithms: A list of the encryption algorithms, key agreement algorithms, or signing algorithms for the key.
To verify a signature outside of KMS with an SM2 public key (China Regions
only), you must specify the distinguishing ID. By default, KMS uses
1234567812345678 as the distinguishing ID. For more
information, see Offline
verification with SM2 key pairs.
The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.
Cross-account use: Yes. To perform this operation with a KMS key in
a different Amazon Web Services account, specify the key ARN or alias ARN
in the value of the KeyId parameter.
Required permissions: kms:GetPublicKey (key policy)
Related operations: CreateKey
Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.
May throw DependencyTimeoutException.
May throw DisabledException.
May throw InvalidArnException.
May throw InvalidGrantTokenException.
May throw InvalidKeyUsageException.
May throw KeyUnavailableException.
May throw KMSInternalException.
May throw KMSInvalidStateException.
May throw NotFoundException.
May throw UnsupportedOperationException.
Parameter keyId :
Identifies the asymmetric KMS key that includes the public key.
To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
When using an alias name, prefix it with "alias/". To specify
a KMS key in a different Amazon Web Services account, you must use the key
ARN or alias ARN.
For example:
-
Key ID:
1234abcd-12ab-34cd-56ef-1234567890ab -
Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab -
Alias name:
alias/ExampleAlias -
Alias ARN:
arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
Parameter grantTokens :
A list of grant tokens.
Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the Key Management Service Developer Guide.
Implementation
Future<GetPublicKeyResponse> getPublicKey({
required String keyId,
List<String>? grantTokens,
}) async {
final headers = <String, String>{
'Content-Type': 'application/x-amz-json-1.1',
'X-Amz-Target': 'TrentService.GetPublicKey'
};
final jsonResponse = await _protocol.send(
method: 'POST',
requestUri: '/',
exceptionFnMap: _exceptionFns,
// TODO queryParams
headers: headers,
payload: {
'KeyId': keyId,
if (grantTokens != null) 'GrantTokens': grantTokens,
},
);
return GetPublicKeyResponse.fromJson(jsonResponse.body);
}