Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account
ListPublicKeys - AWS CloudTrail
Request SyntaxRequest ParametersResponse SyntaxResponse ElementsErrorsSee Also

ListPublicKeys

PDF

Returns all public keys whose private keys were used to sign the digest files within the specified time range. The public key is needed to validate digest files that were signed with its corresponding private key.

Note

CloudTrail uses different private and public key pairs per Region. Each digest file is signed with a private key unique to its Region. When you validate a digest file from a specific Region, you must look in the same Region for its corresponding public key.

Request Syntax

{
   "EndTime": number,
   "NextToken": "string",
   "StartTime": number
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

EndTime

Optionally specifies, in UTC, the end of the time range to look up public keys for CloudTrail digest files. If not specified, the current time is used.

Type: Timestamp

Required: No

NextToken

Reserved for future use.

Type: String

Required: No

StartTime

Optionally specifies, in UTC, the start of the time range to look up public keys for CloudTrail digest files. If not specified, the current time is used, and the current public key is returned.

Type: Timestamp

Required: No

Response Syntax

{
   "NextToken": "string",
   "PublicKeyList": [ 
      { 
         "Fingerprint": "string",
         "ValidityEndTime": number,
         "ValidityStartTime": number,
         "Value": blob
      }
   ]
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

NextToken

Reserved for future use.

Type: String

PublicKeyList

Contains an array of PublicKey objects.

Note

The returned public keys may have validity time ranges that overlap.

Type: Array of PublicKey objects

Errors

For information about the errors that are common to all actions, see Common Errors.

InvalidTimeRangeException

Occurs if the timestamp values are not valid. Either the start time occurs after the end time, or the time range is outside the range of possible values.

HTTP Status Code: 400

InvalidTokenException

Reserved for future use.

HTTP Status Code: 400

OperationNotPermittedException

This exception is thrown when the requested operation is not permitted.

HTTP Status Code: 400

UnsupportedOperationException

This exception is thrown when the requested operation is not supported.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

Next topic:

ListQueries

Previous topic:

ListInsightsMetricData

Need help?

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.