KMS Management APIs
This section describes how CCKM manages the AWS resources such as KMS and keys.
Before proceeding, make sure to fulfill the prerequisites.
Use the AWS KMS APIs to perform the following tasks:
Listing AWS Account and Regions
Use the post /v1/cckm/aws/accounts API to list the account and regions associated with the connection that you have added to the CipherTrust Manager.
Syntax
curl -k '<IP>/api/v1/cckm/aws/accounts' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "validate": <boolean>,\n "connection": "<connection_identifier>"\n}' --compressed
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
connection | string | Name or ID of the connection in which the AWS account is managed. |
validate | boolean | Flag to validate whether the AWS account is already managed by a connection. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/accounts' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload truncated>.pgvpBaDXFlvXwbkFFPc4ENL4buhg8lQrK-njtQbF_TE' -H 'Content-Type: application/json' --data-binary $'{\n "validate": true,\n "connection": "test_aws-connection"\n}' --compressed
Example Response
{
"account_id": "123456789012",
"regions": [
"eu-north-1",
"ap-south-1",
"eu-west-3",
"eu-west-2",
"eu-west-1",
"ap-northeast-2",
"ap-northeast-1",
"sa-east-1",
"ca-central-1",
"ap-southeast-1",
"ap-southeast-2",
"eu-central-1",
"us-east-1",
"us-east-2",
"us-west-1",
"us-west-2"
]
}
The sample output displays the account (123456789012) and the regions managed by the connection (test_aws-connection).
To know more about response parameters, refer to Response Parameters of AWS KMS APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Adding AWS KMS Account and Regions to CCKM
Use the post /v1/cckm/aws/kms API to add the AWS KMS account and regions to the CCKM. Once added, you can perform cryptographic and key management operations on the AWS KMS.
Syntax
curl -k '<IP>/api/v1/cckm/aws/kms' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "account_id": "<account_id>",\n "connection": "<connection_identifier>",\n "name": "<KMS_identifier>",\n "regions": ["<region>"]\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
account_id | string | ID of the AWS account. |
connection | string | Name or ID of the connection in which the AWS account is managed. |
name | string | Unique name for the AWS KMS. |
regions | array of strings | AWS regions to be added to the CCKM. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/kms' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload truncated>.hKpRsjPANFWyEFU9Q0YfEq32cG5TL-ouOyQtrmgqj-M' -H 'Content-Type: application/json' --data-binary $'{\n "account_id": "123456789012",\n "connection": "test_aws-connection",\n "name": "kms-name",\n "regions": [\n"eu-north-1",\n"ap-south-1",\n"eu-west-3",\n"eu-west-2",\n"eu-west-1",\n"ap-northeast-2",\n"ap-northeast-1",\n"sa-east-1",\n"ca-central-1",\n"ap-southeast-1",\n"ap-southeast-2",\n"eu-central-1",\n"us-east-1",\n"us-east-2",\n"us-west-1",\n"us-west-2"\n]\n}' --compressed
Example Response
{
"id": "5e221b78-a24e-4b5f-9af2-a7c46a0cf542",
"uri": "kylo:kylo:cckm:kms:kms-name",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-29T04:46:23.452225925Z",
"name": "kms-name",
"account_id": "123456789012",
"arn": "arn:aws:iam::123456789012:user/DummyUser",
"connection": "test_aws-connection",
"regions": [
"eu-north-1",
"ap-south-1",
"eu-west-3",
"eu-west-2",
"eu-west-1",
"ap-northeast-2",
"ap-northeast-1",
"sa-east-1",
"ca-central-1",
"ap-southeast-1",
"ap-southeast-2",
"eu-central-1",
"us-east-1",
"us-east-2",
"us-west-1",
"us-west-2"
],
"cloud_name": "aws"
}
The sample output shows that the AWS account and regions are added to the CCKM, and a unique ID (5e221b78-a24e-4b5f-9af2-a7c46a0cf542) is returned.
To know more about response parameters, refer to Response Parameters of AWS KMS APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Viewing List of AWS KMS
Use the get /v1/cckm/aws/kms API to view the list of the AWS KMSs. The results can be filtered using the query parameters.
Syntax
curl -k '<IP>/api/v1/cckm/aws/kms?skip=0&limit=10' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the AWS KMS. |
name | string | Name of the KMS. |
account_id | string | ID of the AWS account. |
skip | integer | Number of records to skip. For example, if "skip":5 is specified, the first five records will not be displayed in the output. |
limit | integer | Number of records to display. For example, if "limit":10 is specified, then the next 10 records (after skipping the number of records specified in the skip parameter) will be displayed in the output. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/kms?skip=0&limit=10' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI5Mjg1NzViYS1iNzg0LTRkNzgtODhiMS1jNjNiMTY5ZDM1YTciLCJzdWIiOiJsb2NhbHxkMWM1MzM2Ni0xMGNiLTQxMjEtYTM3ZC00MmNhMzlkNzNjZmMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiYmE0YjFhZDAtYzEzMC00NjgyLWE5NjQtMzZlNWVhYjExZTM2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjJhZjM0NGU3LTAzNjItNDU5My04OTM3LWNmYjRjY2JiOWNkZCIsImlhdCI6MTU5NjAwMDQwOSwiZXhwIjoxNTk2MDAwNzA5fQ.hLVRNt9JbgCraJI9Z71j5IOBEGDWXMr3ue9CNCGWn4I' --compressed
Example Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "5e221b78-a24e-4b5f-9af2-a7c46a0cf542",
"uri": "kylo:kylo:cckm:kms:kms-name",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-29T04:46:23.452226Z",
"name": "kms-name",
"account_id": "123456789012",
"arn": "arn:aws:iam::123456789012:user/DummyUser",
"connection": "test_aws-connection",
"regions": [
"eu-north-1",
"ap-south-1",
"eu-west-3",
"eu-west-2",
"eu-west-1",
"ap-northeast-2",
"ap-northeast-1",
"sa-east-1",
"ca-central-1",
"ap-southeast-1",
"ap-southeast-2",
"eu-central-1",
"us-east-1",
"us-east-2",
"us-west-1",
"us-west-2"
],
"cloud_name": "aws"
}
]
}
The sample output shows the list of the available AWS KMSs on the CCKM.
To know more about response parameters, refer to Response Parameters of AWS KMS APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Viewing Details of an AWS KMS
Use the get /v1/cckm/aws/kms/{id} API to view the details of an AWS KMS with a specific ID.
Syntax
curl -k '<IP>/api/v1/cckm/aws/kms/{id}' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the KMS ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/kms/5e221b78-a24e-4b5f-9af2-a7c46a0cf542' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI5Mjg1NzViYS1iNzg0LTRkNzgtODhiMS1jNjNiMTY5ZDM1YTciLCJzdWIiOiJsb2NhbHxkMWM1MzM2Ni0xMGNiLTQxMjEtYTM3ZC00MmNhMzlkNzNjZmMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiYmE0YjFhZDAtYzEzMC00NjgyLWE5NjQtMzZlNWVhYjExZTM2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjUxYzE3OTc1LTVlNzYtNGMzZi1hMmYwLTc0YTcyNTZmMzkzZCIsImlhdCI6MTU5NjAwMTM4MCwiZXhwIjoxNTk2MDAxNjgwfQ.8UvKPGUqmalDwFebXVENxJ_hMFBmKlxrdAeKau-brQo' --compressed
Example Response
{
"id": "5e221b78-a24e-4b5f-9af2-a7c46a0cf542",
"uri": "kylo:kylo:cckm:kms:kms-name",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-29T04:46:23.452226Z",
"name": "kms-name",
"account_id": "123456789012",
"arn": "arn:aws:iam::123456789012:user/DummyUser",
"connection": "test_aws-connection",
"regions": [
"eu-north-1",
"ap-south-1",
"eu-west-3",
"eu-west-2",
"eu-west-1",
"ap-northeast-2",
"ap-northeast-1",
"sa-east-1",
"ca-central-1",
"ap-southeast-1",
"ap-southeast-2",
"eu-central-1",
"us-east-1",
"us-east-2",
"us-west-1",
"us-west-2"
],
"cloud_name": "aws"
}
The sample output shows the details corresponding to the AWS KMS ID (5e221b78-a24e-4b5f-9af2-a7c46a0cf542).
To know more about response parameters, refer to Response Parameters of AWS KMS APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Deleting AWS KMS Accounts
Use the delete /v1/cckm/aws/kms/{id} API to delete an AWS KMS account from the CCKM.
Syntax
curl -k '<IP>/api/v1/cckm/aws/kms/{id}' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the KMS ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/kms/5e221b78-a24e-4b5f-9af2-a7c46a0cf542' -X DELETE -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI5Mjg1NzViYS1iNzg0LTRkNzgtODhiMS1jNjNiMTY5ZDM1YTciLCJzdWIiOiJsb2NhbHxkMWM1MzM2Ni0xMGNiLTQxMjEtYTM3ZC00MmNhMzlkNzNjZmMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiYmE0YjFhZDAtYzEzMC00NjgyLWE5NjQtMzZlNWVhYjExZTM2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImU5MDMwOWUwLTc5MWMtNDBlNi05NGFkLThjZGQwY2JiNWJjMSIsImlhdCI6MTU5NjAwMjU2NywiZXhwIjoxNTk2MDAyODY3fQ.mgE0Qs350Z2s1tJrux2Dw7-HbxziG8-8ILXqznl5jmU' --compressed
Example Response
{
"status": 204
}
The sample output shows that the AWS KMS account (with ID 5e221b78-a24e-4b5f-9af2-a7c46a0cf542) is deleted successfully from the CCKM and "status": 204 is returned in the response.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Updating AWS KMS Accounts
Use the patch /v1/cckm/aws/kms/{id} API to modify the AWS KMS parameters such as connection and regions. You can update only one parameter at a time.
Syntax
curl -k '<IP>/api/v1/cckm/aws/kms/{id}' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "regions": ["<region>"]\n}' --compressed
Here, {id} represents the KMS ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
connection | string | Name or ID of the connection in which the AWS account is managed. |
regions | array of strings | Regions to be updated. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/kms/c60cc1e5-46ea-451f-9da0-b2e9af4358c3' -X PATCH -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload truncated>.4ol00Aw6xuF_z6sqRPwpFspMGUsGfFFkNa8C3TVpeu8' -H 'Content-Type: application/json' --data-binary $'{\n "regions": ["us-east-1"]\n}' --compressed
Example Response
{
"id": "c60cc1e5-46ea-451f-9da0-b2e9af4358c3",
"uri": "kylo:kylo:cckm:kms:kms-name",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-29T09:50:29.673598Z",
"name": "kms-name",
"account_id": "123456789012",
"arn": "arn:aws:iam::123456789012:user/DummyUser",
"connection": "test1-connection1",
"regions": [
"us-east-1"
],
"cloud_name": "aws"
}
The sample output shows that the updated region (us-east-1) replaces the existing regions for the AWS KMS ID (c60cc1e5-46ea-451f-9da0-b2e9af4358c3).
To know more about response parameters, refer to Response Parameters of AWS KMS APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
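The sections above are the steps of one procedure: discover the account and regions behind a connection, add them to the CCKM as a KMS, page through the KMS list with skip and limit, and remove a KMS again. The following Python client is an added example, not code from the CipherTrust Manager product or its documentation. It uses only the paths, body fields and skip/limit/total paging fields documented above; the class name CckmClient, the helper names and the fake transport are this example's own. The real transport keeps TLS certificate verification on, where the curl examples pass -k, and every 4xx or 5xx reply becomes an exception that carries the status, so client errors stay distinguishable from server errors.

```python
"""Minimal client for the CCKM AWS KMS calls documented above. Added example, not
Thales/CipherTrust Manager code: paths, request fields and the skip/limit/total
paging fields come from this documentation; class, function and transport names
are this example's own. The transport is injectable, so the same flow runs against
a real CipherTrust Manager or, as in demo(), against a constructed fake."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterator, List, Optional, Tuple

Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, bytes]]  # -> (status, body)


def urllib_transport(method, url, headers, body) -> Tuple[int, bytes]:
    """Real HTTPS transport; certificate verification stays on (no curl -k)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry a body
        return err.code, err.read()


class CckmError(RuntimeError):
    """Raised for 4xx (client) and 5xx (server) responses."""


class CckmClient:
    def __init__(self, base_url: str, token: str, transport: Transport = urllib_transport):
        self.base_url, self.token, self.transport = base_url.rstrip("/"), token, transport

    def _call(self, method: str, path: str, body: Optional[dict] = None,
              query: Optional[dict] = None) -> Tuple[int, Optional[dict]]:
        url = f"{self.base_url}/api{path}" + ("?" + urllib.parse.urlencode(query) if query else "")
        headers = {"Authorization": f"Bearer {self.token}"}  # the AUTHTOKEN header
        raw = json.dumps(body).encode() if body is not None else None
        if raw is not None:
            headers["Content-Type"] = "application/json"
        status, data = self.transport(method, url, headers, raw)
        if status >= 400:
            raise CckmError(f"{method} {path} -> HTTP {status}: {data[:200]!r}")
        return status, (json.loads(data) if data else None)

    def list_account_regions(self, connection: str, validate: bool = True) -> dict:
        """post /v1/cckm/aws/accounts"""
        return self._call("POST", "/v1/cckm/aws/accounts",
                          {"validate": validate, "connection": connection})[1]

    def add_kms(self, name: str, account_id: str, connection: str, regions: List[str]) -> dict:
        """post /v1/cckm/aws/kms"""
        return self._call("POST", "/v1/cckm/aws/kms", {"account_id": account_id,
                          "connection": connection, "name": name, "regions": regions})[1]

    def iter_kms(self, page_size: int = 10) -> Iterator[dict]:
        """get /v1/cckm/aws/kms, advancing skip by the page size until total is reached."""
        skip = 0
        while True:
            page = self._call("GET", "/v1/cckm/aws/kms", query={"skip": skip, "limit": page_size})[1]
            yield from page["resources"]
            skip += len(page["resources"])
            if not page["resources"] or skip >= page["total"]:
                return

    def delete_kms(self, kms_id: str) -> int:
        """delete /v1/cckm/aws/kms/{id}; returns the HTTP status, 204 on success."""
        return self._call("DELETE", f"/v1/cckm/aws/kms/{kms_id}")[0]


def fake_transport(calls: list) -> Transport:
    """Constructed stand-in for CipherTrust Manager; replies mirror the sample output
    above, with three KMS entries so that paging is exercised."""
    base = {"account_id": "123456789012", "connection": "test_aws-connection", "cloud_name": "aws"}
    kms_list = [dict(base, id=f"kms-id-{i}", name=f"kms-{i}", regions=["us-east-1"]) for i in range(3)]

    def send(method, url, headers, body):
        calls.append((method, url, headers, body))
        if headers.get("Authorization") != "Bearer AUTHTOKEN":
            return 401, b'{"error": "invalid bearer token"}'
        path, _, qs = url.split("/api", 1)[1].partition("?")
        if method == "POST" and path == "/v1/cckm/aws/accounts":
            reply = {"account_id": "123456789012", "regions": ["us-east-1", "us-west-2"]}
        elif method == "POST" and path == "/v1/cckm/aws/kms":
            reply = dict(base, id="5e221b78-a24e-4b5f-9af2-a7c46a0cf542", **json.loads(body))
        elif method == "GET" and path == "/v1/cckm/aws/kms":
            q = urllib.parse.parse_qs(qs)
            skip, limit = int(q["skip"][0]), int(q["limit"][0])
            reply = {"skip": skip, "limit": limit, "total": len(kms_list),
                     "resources": kms_list[skip:skip + limit]}
        elif method == "DELETE" and path.startswith("/v1/cckm/aws/kms/"):
            return 204, b""
        else:
            return 404, b'{"error": "no such route"}'
        return 200, json.dumps(reply).encode()
    return send


def demo() -> dict:
    """Runs the documented flow end to end against the fake and returns facts to check."""
    calls: list = []
    client = CckmClient("https://127.0.0.1", "AUTHTOKEN", fake_transport(calls))
    acct = client.list_account_regions("test_aws-connection")
    kms = client.add_kms("kms-name", acct["account_id"], "test_aws-connection", acct["regions"])
    listed = [k["id"] for k in client.iter_kms(page_size=2)]
    return {"account_id": acct["account_id"], "kms_id": kms["id"], "listed": listed,
            "delete_status": client.delete_kms(kms["id"]), "methods": [c[0] for c in calls],
            "first_body": json.loads(calls[0][3])}
```

Calling demo() walks the flow against the fake; to run it against a CipherTrust Manager, construct CckmClient with the real base URL and bearer token and leave the transport at its default. The paging loop in iter_kms stops on an empty page as well as on reaching total, so a total that changes between pages cannot make it loop forever.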
Managing User Permissions on AWS KMS
Use the post /v1/cckm/aws/kms/{id}/update-acls API to grant permissions to users to perform specific actions on the AWS KMS.
For first-time users, actions are permitted as configured by the CCKM administrator. However, if the permissions of a user need to be modified later, for example, a new action is to be permitted or an existing action is to be revoked, the CCKM administrator needs to set that particular action to true or false.
Syntax
curl -k '<IP>/api/v1/cckm/aws/kms/{id}/update-acls' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "user_id": "<user id>", \n "permit": <boolean>,\n "actions": [actions]\n}' --compressed
Here, {id} represents the KMS ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
actions | array of strings | Permitted actions on the AWS KMS. For example, a user with the keyupdate permission can perform actions such as update the key policy, enable/disable key, and add/remove alias. Refer to APIs and Action Mapping for details. Supported actions are: keycreate, keyupdate, keymaterialimport, keymaterialdelete, keyrotate, keydelete, keycanceldelete, keysynchronize, getreports, keyupload, and view. |
group | string | Name of the group to be granted permissions. |
permit | boolean | Flag to permit users to perform specific actions on the AWS KMS. Set to true to permit, false to deny. |
user_id | string | ID of the user to be granted permissions. |
Note
User ID and group are mutually exclusive – specify either of the two.
APIs and Action Mapping
The following table lists the mapping of APIs and actions required to call these APIs.
APIs | Actions Required |
---|---|
Create | keycreate |
Import | keymaterialimport |
Delete key material | keymaterialdelete |
Rotate | keyrotate |
Schedule Deletion | keydelete |
Cancel delete | keycanceldelete |
Synchronize | keysynchronize |
Cancel | keysynchronize |
Get Reports | getreports |
Update key policy | keyupdate |
Update key description | keyupdate |
Enable key | keyupdate |
Disable key | keyupdate |
Add tags | keyupdate |
Remove tags | keyupdate |
Add alias | keyupdate |
Delete alias | keyupdate |
Enable key rotation | keyupdate |
Enable key for rotation job | keyupdate |
Disable key for rotation job | keyupdate |
Disable key rotation | keyupdate |
Upload | keyupload |
List | view |
Get (AWS Keys) | view |
List AWS KMS | view |
Get (AWS KMS) | view |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/kms/b25433cf-104a-455d-ab6e-e2ab9f081517/update-acls' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload truncated>.bnR0UnziE-Vx70pZUktb0W2AwtDWgmp3Kd2eDbOiQBA' -H 'Content-Type: application/json' --data-binary $'{\n "user_id": "local|17870d64-14d7-41d0-9835-c6c8d3d344cf",\n "permit": true,\n "actions": ["view", "keycreate", "keyupdate", "keymaterialimport", "keymaterialdelete", "keyrotate", "keydelete", "keycanceldelete", "keysynchronize"]\n}' --compressed
Example Response
{
"id": "b25433cf-104a-455d-ab6e-e2ab9f081517",
"uri": "kylo:kylo:cckm:kms:aws_kms",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-08-28T04:19:30.846168Z",
"name": "aws_kms",
"account_id": "123456789012012",
"arn": "arn:aws:iam::123456789012012:user/DummyUser",
"acls": [
{
"user_id": "local|17870d64-14d7-41d0-9835-c6c8d3d344cf",
"actions": [
"view",
"keycreate",
"keyupdate",
"keymaterialimport",
"keymaterialdelete",
"keyrotate",
"keydelete",
"keycanceldelete",
"keysynchronize"
]
}
],
"connection": "aws_conn",
"regions": [
"ap-northeast-1",
"ap-northeast-2",
"ap-south-1",
"ap-southeast-1",
"ap-southeast-2",
"ca-central-1",
"eu-central-1",
"eu-north-1",
"eu-west-1",
"eu-west-2",
"eu-west-3",
"sa-east-1",
"us-east-1",
"us-east-2",
"us-west-1",
"us-west-2"
],
"cloud_name": "aws"
}
The sample output shows that the user (with ID local|17870d64-14d7-41d0-9835-c6c8d3d344cf) is granted permissions to perform the view, keycreate, keyupdate, keymaterialimport, keymaterialdelete, keyrotate, keydelete, keycanceldelete, and keysynchronize operations on the AWS KMS.
To know more about response parameters, refer to Response Parameters of AWS KMS APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
After the permissions are configured on the AWS KMS, run the get /v1/cckm/aws/kms API to view the details of the AWS KMS with the list of actions a user can perform on the AWS KMS.
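A worked example of the ACL model in this section, added here and not part of the product or its documentation: the API-to-action mapping is copied from the table above, SAMPLE_KMS is a trimmed, constructed copy of the sample response, and the function names are this example's own. build_update_acls_body() enforces the documented rule that user_id and group are mutually exclusive and rejects action names outside the supported list before anything is sent. missing_for() reads the acls array that get /v1/cckm/aws/kms returns and reports only the actions a user still lacks for a given set of APIs, which is exactly what a least-privilege update-acls request should contain. It assumes that a user's effective actions are exactly those listed under that user's entry in acls.

```python
"""Permission checks for the CCKM AWS KMS ACL model described above. Added example,
not Thales/CipherTrust Manager code: the API-to-action mapping and the supported
action names are copied from the tables in this section, SAMPLE_KMS is a trimmed
copy of the sample response, and the function names are this example's own."""
from typing import Dict, List, Optional, Set

SUPPORTED_ACTIONS = {"keycreate", "keyupdate", "keymaterialimport", "keymaterialdelete",
                     "keyrotate", "keydelete", "keycanceldelete", "keysynchronize",
                     "getreports", "keyupload", "view"}

# The "APIs and Action Mapping" table, keyed by the API name used in the table.
API_ACTION: Dict[str, str] = {
    "Create": "keycreate", "Import": "keymaterialimport",
    "Delete key material": "keymaterialdelete", "Rotate": "keyrotate",
    "Schedule Deletion": "keydelete", "Cancel delete": "keycanceldelete",
    "Synchronize": "keysynchronize", "Cancel": "keysynchronize",
    "Get Reports": "getreports", "Upload": "keyupload", "List": "view",
    "Get (AWS Keys)": "view", "List AWS KMS": "view", "Get (AWS KMS)": "view",
}
for _api in ("Update key policy", "Update key description", "Enable key", "Disable key",
             "Add tags", "Remove tags", "Add alias", "Delete alias", "Enable key rotation",
             "Enable key for rotation job", "Disable key for rotation job",
             "Disable key rotation"):
    API_ACTION[_api] = "keyupdate"


def build_update_acls_body(actions: List[str], permit: bool, user_id: Optional[str] = None,
                           group: Optional[str] = None) -> dict:
    """Body for post /v1/cckm/aws/kms/{id}/update-acls. Rejects unknown action names
    and enforces the documented rule that user_id and group are mutually exclusive."""
    if (user_id is None) == (group is None):
        raise ValueError("specify exactly one of user_id or group")
    if not actions:
        raise ValueError("actions must not be empty")
    unknown = set(actions) - SUPPORTED_ACTIONS
    if unknown:
        raise ValueError(f"unsupported actions: {sorted(unknown)}")
    body = {"permit": permit, "actions": list(actions)}
    if user_id is not None:
        body["user_id"] = user_id
    else:
        body["group"] = group
    return body


def granted_actions(kms: dict, user_id: str) -> Set[str]:
    """Actions listed for user_id in the 'acls' array of a KMS resource (assumption:
    a user's effective actions are exactly those in that user's acls entry)."""
    for acl in kms.get("acls", []):
        if acl.get("user_id") == user_id:
            return set(acl.get("actions", []))
    return set()


def can_call(kms: dict, user_id: str, api: str) -> bool:
    """True when the user holds the action the mapping table requires for api."""
    return API_ACTION[api] in granted_actions(kms, user_id)


def missing_for(kms: dict, user_id: str, apis: List[str]) -> Dict[str, str]:
    """api -> required action for every api the user cannot call yet; the values are
    the minimal 'actions' list for a permit=true update-acls request."""
    have = granted_actions(kms, user_id)
    return {api: API_ACTION[api] for api in apis if API_ACTION[api] not in have}


# Constructed KMS resource, trimmed from this section's sample response.
USER = "local|17870d64-14d7-41d0-9835-c6c8d3d344cf"
SAMPLE_KMS = {
    "id": "b25433cf-104a-455d-ab6e-e2ab9f081517", "name": "aws_kms",
    "acls": [{"user_id": USER,
              "actions": ["view", "keycreate", "keyupdate", "keymaterialimport",
                          "keymaterialdelete", "keyrotate", "keydelete",
                          "keycanceldelete", "keysynchronize"]}],
}
```

With the sample ACL, can_call(SAMPLE_KMS, USER, "Rotate") is true while can_call(SAMPLE_KMS, USER, "Upload") is false, because keyupload was never granted; missing_for() turns that gap into the single action to request rather than re-granting the whole list.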