Cloud Keys 2020 Node.js Edition

CreateKey Method

Creates a new CMK.


amazonkms.createKey(keySpec, forSigning, description, [callback])


The 'callback' parameter specifies a function which will be called when the operation completes (or an error is encountered). If the 'callback' parameter is not specified, then the method will block and will not return until the operation completes (or an error is encountered).

The callback for this method is defined as:

function(err, data){ }

'err' is the error that occurred. If there was no error, then 'err' is 'null'.

'data' is the value returned by the method.

'err' has 2 properties which hold detailed information:



This method creates a new CMK of the specified KeySpec, and returns its Amazon resource name (ARN). The new CMK's Id is the last part of the returned ARN; for example, if the ARN is arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab, then the CMK's Id is 1234abcd-12ab-34cd-56ef-1234567890ab.

The KeySpec parameter specifies the type of CMK that should be created. To create a symmetric key, pass SYMMETRIC_DEFAULT (or empty string); this will create a key using a symmetric algorithm based on AES-256-GCM. To create an asymmetric key, pass one of the following strings instead:

  • RSA_2048
  • RSA_3072
  • RSA_4096
  • ECC_NIST_P256 (secp256r1)
  • ECC_NIST_P384 (secp384r1)
  • ECC_NIST_P521 (secp521r1)
  • ECC_SECG_P256K1 (secp256k1)

The ForSigning parameter specifies whether the new CMK should be for encryption and decryption (false) or signing and verification (true). However, this is only applicable for RSA key specs; symmetric keys are always for encryption/decryption, and elliptic curve key specs are always for signing/verification, so this parameter is ignored if one of those specs is passed for KeySpec.

The Description parameter specifies the CMK's description. This description can be changed at any time using the UpdateKeyDescription method.

To create the CMK in a custom key store, set the CustomKeyStoreId configuration setting before calling this method. To set the CMK's key policy, set the CreateKeyPolicy configuration setting before calling this method. Refer to these configuration settings for more information.
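
The KeySpec and ForSigning rules above mean a caller can request one key usage and silently get another, for example by passing an elliptic curve spec with ForSigning set to false. The following is an added example, not part of the product documentation: the helpers resolveKeyUsage, keyIdFromArn and createKeyChecked are hypothetical, and kms is assumed to be any object exposing createKey with the signature shown at the top of this page.

```javascript
// Added example: spec names and the forSigning rules come from the text above;
// resolveKeyUsage, keyIdFromArn and createKeyChecked are hypothetical helpers.
const RSA_SPECS = ['RSA_2048', 'RSA_3072', 'RSA_4096'];
const ECC_SPECS = ['ECC_NIST_P256', 'ECC_NIST_P384', 'ECC_NIST_P521', 'ECC_SECG_P256K1'];

// Work out what the new CMK will actually be used for, and whether that
// differs from what the caller asked for via forSigning.
function resolveKeyUsage(keySpec, forSigning) {
  const spec = keySpec === '' ? 'SYMMETRIC_DEFAULT' : keySpec;
  let signing;
  if (spec === 'SYMMETRIC_DEFAULT') signing = false;          // always encrypt/decrypt
  else if (ECC_SPECS.includes(spec)) signing = true;          // always sign/verify
  else if (RSA_SPECS.includes(spec)) signing = !!forSigning;  // caller's choice
  else throw new Error('Unsupported KeySpec: ' + keySpec);
  return {
    keySpec: spec,
    usage: signing ? 'sign/verify' : 'encrypt/decrypt',
    requestMismatch: signing !== !!forSigning, // forSigning would be ignored
  };
}

// The CMK's Id is the last part of the returned ARN.
function keyIdFromArn(arn) {
  const m = /^arn:[^:]+:kms:[^:]*:[^:]*:key\/([^/]+)$/.exec(arn);
  if (!m) throw new Error('Not a KMS key ARN: ' + arn);
  return m[1];
}

// Refuse requests whose forSigning value would be ignored, then create the
// key and hand back the ARN, the key Id and the effective usage.
function createKeyChecked(kms, keySpec, forSigning, description, callback) {
  let plan;
  try { plan = resolveKeyUsage(keySpec, forSigning); } catch (e) { return callback(e); }
  if (plan.requestMismatch) {
    return callback(new Error(plan.keySpec + ' keys are always ' + plan.usage));
  }
  kms.createKey(plan.keySpec, forSigning, description, (err, arn) => {
    if (err) return callback(err);
    let keyId;
    try { keyId = keyIdFromArn(arn); } catch (e) { return callback(e); }
    callback(null, { arn, keyId, usage: plan.usage });
  });
}
```

Rejecting the mismatch before the call keeps a key intended for encryption from being provisioned as a signing key (or the reverse) without anyone noticing.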

Copyright (c) 2022 /n software inc. - All rights reserved.
Cloud Keys 2020 Node.js Edition - Version 20.0 [Build 8157]