Vault Management APIs
This chapter describes how CCKM manages Azure vaults.
Prerequisites
An Azure connection must already exist on the CipherTrust Manager. Refer to the CipherTrust Manager Administrator Guide for details on adding an Azure connection to the CipherTrust Manager.
Use the Azure vault management APIs to perform the following tasks:
Fetching List of Vaults from Azure
Use the post /v1/cckm/azure/get-vaults
API to fetch the list of vaults from Azure.
Syntax
curl -k '<IP>/api/v1/cckm/azure/get-vaults' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "subscription_id":"<subscription_id>",\n "connection": "<connection identifier>",\n "limit":<limit>\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
connection | string | Name or ID of the connection. Connection name must be associated with the key vault to which it belongs. |
subscription_id | string | Subscription ID of the vault limit integer Number of the vaults to view. Default value is 10 . Maximum value is 1000 . |
limit | integer | Number of vaults to view. The default value is 10 and maximum value is 1000. |
nextLink | string | Displays the remaining vaults left in the list. The limit to view the vaults is same as you set for the first time. For example, if there are 20 vaults and you set the limit to 11, then to view the remaining 9 vaults, you need to use nextLink . |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/get-vaults' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIwMGY0MGI0Mi0xODIwLTQwYzEtYTEzZS1kN2YxYjZlY2MxYzIiLCJzdWIiOiJsb2NhbHxkZmM2ZTJlYS0yYTE2LTRlYTMtOGRhNC05ZWM0ZGNhYjA1YmMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMjcwODY3MTktNWUyYy00NWQxLWJlYmEtOWM3ZjU5YTdlNWMwIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjRlMWE4YjQ0LWM1ZGYtNGNhOS05OWU5LTkxOTE3MmU5MDI5MSIsImlhdCI6MTYwNDkxMzExNywiZXhwIjoxNjA0OTEzNDE3fQ.7q2fF3PQyP9AMNL62pBRE2bBg_yWO57wjWTY6m1y5a8' -H 'Content-Type: application/json' --data-binary $'{\n "subscription_id": "f716c603-f206-43ed-bb39-758d9d3aa052",\n "connection": "azure-connection",\n "limit": 2\n}' --compressed
Example Response
{
"vaults": [
{
"name": "vault-v1",
"azure_vault_id": "/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052/resourceGroups/key-vault/providers/Microsoft.KeyVault/vaults/vault-v1",
"type": "Microsoft.KeyVault/vaults",
"location": "westus",
"properties": {
"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"sku": {
"family": "A",
"name": "standard"
},
"vaultUri": "https://vault-v1.vault.azure.net/",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true
}
},
{
"name": "vault-v10-has-long-name",
"azure_vault_id": "/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052/resourceGroups/key-vault/providers/Microsoft.KeyVault/vaults/vault-v10-has-long-name",
"type": "Microsoft.KeyVault/vaults",
"location": "westus",
"properties": {
"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"sku": {
"family": "A",
"name": "standard"
},
"vaultUri": "https://vault-v10-has-long-name.vault.azure.net/",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true
}
}
],
"connection": "azure-connection",
"subscription_id": "f716c603-f206-43ed-bb39-758d9d3aa052",
"nextLink": "https://management.azure.com/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052/resources?%24filter=resourceType+eq+%27Microsoft.KeyVault%2fvaults%27&%24top=2&api-version=2015-11-01&%24skiptoken=eyJuZXh0UGFydGl0aW9uS2V5IjoiMSE4IU5VSTRNelUtIiwibmV4dFJvd0tleSI6IjEhMTMyIU1qWXdSVU5DUlRjM056ZENORVF6UXpnMFJVRTRPRGMyTWpBME9UZzROak5mVkVkT1RDMU5TVU5TVDFOUFJsUTZNa1ZMUlZsV1FWVk1WRG95UmxaQlZVeFVVeTFCUVVSV1FVdzZNa1JTUnkxQlFVUldRVXc2TWtSV01pMVhSVk5VVlZNLSJ9"
}
The sample output displays the list of Azure vaults associated with the Subscription ID (f716c603-f206-43ed-bb39-758d9d3aa052
).
To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Adding Azure Vaults
Use the post /v1/cckm/azure/add-vaults
API to add an Azure vault to the CCKM. After the vault is added, the CCKM can access and manage it.
Syntax
curl -k '<IP>/api/v1/cckm/azure/add-vaults' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "subscription_id": "<subscription_id>",\n "connection": "<connection_identifier>",\n "vaults": [\n "name": "<vault_name>",\n"azure_vault_id": "<vault_id>",\n"type": "<vault_type>",\n"location": "<location>",\n "properties": {\n"tenantId": "<tenant_id>",\n"sku": {\n"family": "<family>",\n"name": "<name>"\n},\n"vaultUri": "<vault_uri>",\n"enabledForDeployment": <boolean>,\n"enabledForDiskEncryption": <boolean>,\n"enabledForTemplateDeployment": <boolean>\n}\n ]\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
connection | string | Name or ID of the connection. |
subscription_id | string | Subscription ID. |
vaults | array of JSONs | Azure vault parameters. Refer to Azure Vault Parameters for details. |
Azure Vault Parameters
Parameter | Type | Description |
---|---|---|
azure_vault_id | string | ID of the Azure vault. |
location | string | Location of the Azure vault. |
name | string | Name for the vault. |
properties | JSON | Properties of the Azure vault. Refer to Vault Properties for details. |
type | string | Type of the Azure vault. |
tags | JSON | Tags for the Azure vault. |
Vault Properties
Parameter | Type | Description |
---|---|---|
createMode | string | The vault's create mode to indicate whether the vault need to be recovered or not. Possible values are: • CreateModeRecover • CreateModeDefault |
enablePurgeProtection | boolean | Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value. |
enableRbacAuthorization | boolean | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions. |
enableSoftDelete | boolean | Property to specify whether the soft delete functionality is enabled for this key vault. It does not accept the value false . |
enabledForDeployment | boolean | Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. |
enabledForDiskEncryption | boolean | Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. |
enabledForTemplateDeployment | boolean | Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. |
sku | JSON | sku details of the Azure vault. Refer to SKU Details for details. |
softDeleteRetentionInDays | integer | Soft delete data retention days. It accepts value >=7 and <=90. |
tenantId | string | The Azure Active Directory tenant ID that is used for authenticating requests to the key vault. |
vaultUri | string | The URI of the Azure vault for performing operations on keys and secrets. |
SKU Details
Parameter | Type | Description |
---|---|---|
family | string | SKU family name of the Azure vault. |
name | string | SKU name to specify whether the key vault is a standard vault or a premium vault. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/add-vaults' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIwMGY0MGI0Mi0xODIwLTQwYzEtYTEzZS1kN2YxYjZlY2MxYzIiLCJzdWIiOiJsb2NhbHxkZmM2ZTJlYS0yYTE2LTRlYTMtOGRhNC05ZWM0ZGNhYjA1YmMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMjcwODY3MTktNWUyYy00NWQxLWJlYmEtOWM3ZjU5YTdlNWMwIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjRlMWE4YjQ0LWM1ZGYtNGNhOS05OWU5LTkxOTE3MmU5MDI5MSIsImlhdCI6MTYwNDkxMzExNywiZXhwIjoxNjA0OTEzNDE3fQ.7q2fF3PQyP9AMNL62pBRE2bBg_yWO57wjWTY6m1y5a8' -H 'Content-Type: application/json' --data-binary $'{\n "subscription_id": "f716c603-f206-43ed-bb39-758d9d3aa052",\n "connection": "azure-connection",\n "vaults": [\n {\n"name": "vault-v1",\n"azure_vault_id": "/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052/resourceGroups/key-vault/providers/Microsoft.KeyVault/vaults/vault-v1",\n"type": "Microsoft.KeyVault/vaults",\n"location": "westus",\n"properties": {\n"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",\n"sku": {\n"family": "A",\n"name": "standard"\n},\n"vaultUri": "https://vault-v1.vault.azure.net/",\n"enabledForDeployment": true,\n"enabledForDiskEncryption": true,\n"enabledForTemplateDeployment": true\n}\n}\n ]\n}' --compressed
Example Response
{
"id": "75e916da-1f31-4c9d-b3d8-04f52c268a0a",
"uri": "kylo:kylo:cckm:subscription:75e916da-1f31-4c9d-b3d8-04f52c268a0a",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-09T09:00:43.167607Z",
"updatedAt": "2020-11-09T09:13:19.116352114Z",
"subscription_id": "f716c603-f206-43ed-bb39-758d9d3aa052",
"subscription_uri": "/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052",
"displayName": "Pay-As-You-Go",
"state": "Enabled",
"subscriptionPolicies": {
"quotaId": "PayAsYouGo_2014-09-01",
"spendingLimit": "Off",
"locationPlacementId": "Public_2014-09-01"
},
"authorizationSource": "RoleBased",
"connection": "azure-connection",
"vaults": [
{
"name": "vault-v1::f716c603-f206-43ed-bb39-758d9d3aa052",
"azure_vault_id": "/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052/resourceGroups/key-vault/providers/Microsoft.KeyVault/vaults/vault-v1",
"type": "Microsoft.KeyVault/vaults",
"location": "westus",
"properties": {
"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"sku": {
"family": "A",
"name": "standard"
},
"vaultUri": "https://vault-v1.vault.azure.net/",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true
}
}
]
}
The sample output shows that the vault named vault-v1
is added to CCKM.
To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Removing Azure Vaults
Use the delete /v1/cckm/azure/vaults/{id}/remove-vault
API to delete an Azure vault from the CCKM.
Syntax
curl -k '<IP>/api/v1/cckm/azure/vaults/{id}/remove-vault' -X POST -H 'Authorization:
Bearer AUTHTOKEN' --compressed
Here, {id}
represents the vault ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/vaults/543e3f50-aac1-4e07-8499-
e5de03a22528/remove-vault' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3 MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc 3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb2 1haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4 iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAw MDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImExMTZkZWEwLTk0YWUtNDgyNi05M jI4LWI4ZjgwNWM3YjYxYyIsImlhdCI6MTYwMTQ1OTk0OCwiZXhwIjoxNjAxNDYwMjQ4fQ.s1obwpA_ZgDbd8wCO2CXyvbUlZ8AvZ9cgipyfOmksuI' --compressed
Example Response
{
"status": 204
}
The sample output shows that the vault (with ID 543e3f50-aac1-4e07-8499-e5de03a22528
) is deleted successfully from the CCKM and "status": 204
is returned in response.
To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Fetching List of Azure Vaults from CCKM
Use the get /v1/cckm/azure/vaults
API to fetch the list of Azure vaults that are already exists on the CCKM. The results can be filtered using the query parameters.
Syntax
curl -k '<IP>/api/v1/cckm/azure/vaults?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
name | string | Name of the Azure vault. |
location | string | Location of the Azure vault |
id | string | ID of the key vault |
skip | integer | Number of records to skip. For example, if "skip":5 is specified, the first five records will not be displayed in the output. |
limit | integer | Numbers of records to display. For example, if "limit":10 is specified, then the next 10 records (after skipping the number of records specified in skip parameter) will be displayed in the output. |
sort | string | Comma-delimited list of properties to sort the results. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/vaults?skip=0&limit=10&sort=updatedAt' -
H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3 MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc 3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb2 1haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4 iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAw MDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImExMTZkZWEwLTk0YWUtNDgyNi05M jI4LWI4ZjgwNWM3YjYxYyIsImlhdCI6MTYwMTQ1OTk0OCwiZXhwIjoxNjAxNDYwMjQ4fQ.s1obwpA_ZgDbd8wCO2CXyvbUlZ8AvZ9cgipyfOmksuI' --compressed
Example Response
{
"id": "543e3f50-aac1-4e07-8499-e5de03a22528",
"uri": "kylo:kylo:cckm:azure-vault:keyvault-premium::12e533dd-b5c2-
4e58-a264-0cd812dc5a34",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T09:59:12.030403Z",
"name": "keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"updatedAt": "2020-09-30T09:59:12.030403Z",
"azure_vault_id": "/subscriptions/12e533dd-b5c2-4e58-a264-0cd812dc5a34/
resourceGroups/CCKM-resource/providers/Microsoft.KeyVault/vaults/
keyvault-premium",
"type": "Microsoft.KeyVault/vaults",
"location": "northcentralus",
"connection": "azure-connection",
"cloud_name": "AzureCloud",
"subscription_id": "12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"azure_name": "keyvault-premium",
"synced_at": "2020-09-30T09:59:11.991824Z",
"subscription_name": "Pay-As-You-Go",
"properties": {
"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"sku": {
"family": "A",
"name": "premium"
},
"vaultUri": "https://keyvault-premium.vault.azure.net/"
}
},
{
"id": "bedb82b9-582c-402d-9874-f3368722cf46",
"uri": "kylo:kylo:cckm:azure-vault:keyvault-softkeys::12e533dd-b5c2-4e58-
a264-0cd812dc5a34",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T09:59:12.034062Z",
"name": "keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"updatedAt": "2020-09-30T09:59:12.034062Z",
"azure_vault_id": "/subscriptions/12e533dd-b5c2-4e58-a264-0cd812dc5a34/
resourceGroups/CCKM-resource/providers/Microsoft.KeyVault/vaults/
keyvault-softkeys",
"type": "Microsoft.KeyVault/vaults",
"location": "northcentralus",
"connection": "azure-connection",
"cloud_name": "AzureCloud",
"subscription_id": "12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"azure_name": "keyvault-softkeys",
"azure_name": "keyvault-softkeys",
"synced_at": "2020-09-30T09:59:11.991883Z",
"subscription_name": "Pay-As-You-Go",
"properties": {
"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"sku": {
"family": "A",
"name": "Standard"
},
"vaultUri": "https://keyvault-softkeys.vault.azure.net/",
"enableSoftDelete": true
}
}
]
}
The sample output shows the list of vaults.
To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Viewing Details of Azure Vaults
Use the get /v1/cckm/azure/vaults/{id}
API to view details of an Azure vault.
Syntax
curl -k '<IP>/api/v1/cckm/azure/vaults/{id}' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id}
is the vault ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/vaults/543e3f50-aac1-4e07-8499-
e5de03a22528' -H 'Authorization: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3
MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc
3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb2
1haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4
iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAw
MDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjlmYzczODkyLWEyNDItNGVjMS1hZ
TQ4LWJkMTY4MzY0MTExZCIsImlhdCI6MTYwMTQ2MDI0MywiZXhwIjoxNjAxNDYwNTQzfQ.OkGRkc0O1U6-
geWnhgKISWn0cZeY2gFvnWnzWms5JmQ' --compressed
Example Response
{
"id": "543e3f50-aac1-4e07-8499-e5de03a22528",
"uri": "kylo:kylo:cckm:azure-vault:keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T09:59:12.030403Z",
"name": "keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"updatedAt": "2020-09-30T09:59:12.030403Z",
"azure_vault_id": "/subscriptions/12e533dd-b5c2-4e58-a264-0cd812dc5a34/resourceGroups/
CCKM-resource/providers/Microsoft.KeyVault/vaults/keyvault-premium",
"type": "Microsoft.KeyVault/vaults",
"location": "northcentralus",
"connection": "azure-connection",
"cloud_name": "AzureCloud",
"subscription_id": "12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"azure_name": "keyvault-premium",
"synced_at": "2020-09-30T09:59:11.991824Z",
"subscription_name": "Pay-As-You-Go",
"properties": {
"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"sku": {
"family": "A",
"name": "premium"
},
"vaultUri": "https://keyvault-premium.vault.azure.net/"
}
}
The sample output shows the details corresponding to the vault (with ID 543e3f50-aac1-4e07-8499-e5de03a22528
).
To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Updating Azure Vaults
Use the patch /v1/cckm/azure/vaults/{id}
API to update details of an Azure vault.
Note
You can only update the connection parameter for an Azure vault.
Syntax
curl -k '<IP>/api/v1/cckm/azure/vaults/5{id}' -X PATCH -H 'Authorization: Bearer
AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "connection":
"<connection_name>"\n}' --compressed
Here, {id}
is the vault ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
connection | string | Name or ID of the connection. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/vaults/543e3f50-aac1-4e07-8499-
e5de03a22528' -X PATCH -H 'Authorization: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI0NjE0MWIyYi04MGVkLTQyMmEtYTY4Yy1jZmMw
MWIzNTQ5NzciLCJzdWIiOiJsb2NhbHxhNjg4YjAwNC0zNTc1LTQzM2EtODYzOC0wMTNiYTJhYzFmNjQiLCJpc
3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb2
1haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4
iXSwic2lkIjoiY2I2NjkwM2EtOTgyMy00NTExLTgyYmYtYzJmMzAzZmU5OTJlIiwiem9uZV9pZCI6IjAwMDAw
MDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjM0NjBhNTYzLTlmMTAtNDkyYS05N
jEwLWRhNmI3YWRlMWU2NCIsImlhdCI6MTYwMTg4NjYxOSwiZXhwIjoxNjAxODg2OTE5fQ.I4n_NBNmd-
61o59ULm8g9Hyh1dSMQow_UaQQgqtqgiA' -H 'Content-Type: application/json' --data-binary
$'{\n "connection": "azure-connection2"\n}' --compressed
Example Response
{
"id": "543e3f50-aac1-4e07-8499-e5de03a22528",
"uri": "kylo:kylo:cckm:azure-vault:keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T09:59:12.030403Z",
"name": "keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"updatedAt": "2020-09-30T09:59:12.030403Z",
"azure_vault_id": "/subscriptions/12e533dd-b5c2-4e58-a264-0cd812dc5a34/resourceGroups/
CCKM-resource/providers/Microsoft.KeyVault/vaults/keyvault-premium",
"type": "Microsoft.KeyVault/vaults",
"location": "northcentralus",
"connection": "azure-connection2",
"cloud_name": "AzureCloud",
"subscription_id": "12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"azure_name": "keyvault-premium",
"synced_at": "2020-09-30T09:59:11.991824Z",
"subscription_name": "Pay-As-You-Go",
"properties": {
"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"sku": {
"family": "A",
"name": "premium"
},
"vaultUri": "https://keyvault-premium.vault.azure.net/"
}
}
The sample output shows that connection parameter for the vault (with ID 543e3f50-aac1-4e07-8499-e5de03a22528
) is updated to azure-connection2
.
To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Managing User Permissions on Azure Vaults
Use the post /v1/cckm/azure/vaults/{id}/update-acls
API to grant permissions to users to perform specific actions on the Azure vaults.
For the first time users, actions are permitted as configured by the CCKM administrator. However, if the permissions of a user need to be modified later, for example, a new action is to be permitted or an existing action is to be revoked, the CCKM administrator needs to set that particular action to true
or false
.
Syntax
curl -k '<IP>/api/v1/cckm/azure/vaults/{id}/update-acls' -H 'Authorization: Bearer
AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n\n "group":
"<group>",\n "permit": <boolean>,\n "actions": [actions]\n}' --compressed
Here, {id}
represents the vault ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
actions | array of strings | Permitted actions on the Azure vault. Refer to APIs and Action Mapping for details. Supported actions are: • keycreate • keyupdate • keydelete • keypurge • keyupload • keyrecover • keyrestore • keysynchronize • view |
group | string | Name of the group to be granted permissions. |
permit | boolean | Flag to permit users to perform specific actions on the Azure vault. Set to true to permit, false to deny. |
user_id | string | ID of the user to be granted permissions. |
Note
User ID and group are mutually exclusive – specify either of the two.
APIs and Action Mapping
The following table lists the mapping of APIs and actions required to call these APIs.
APIs | Actions Required |
---|---|
Create | keycreate |
Recover | keyrecover |
Purge | keypurge |
Soft Delete | keydelete |
Upload | keyupload |
Synchronize | keysynchronize |
Cancel | keysynchronize |
Restore | keyrestore |
Update | keyupdate |
Enable key for rotation job | keyupdate |
Disable key for rotation job | keyupdate |
List | view |
Get (Azure Keys) | view |
List Vaults | view |
Get (Azure Vaults) | view |
Delete Backup | deletebackup |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/vaults/543e3f50-aac1-4e07-8499-
e5de03a22528/update-acls' -H 'Authorization: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI0NjE0MWIyYi04MGVkLTQyMmEtYTY4Yy1jZmMw
MWIzNTQ5NzciLCJzdWIiOiJsb2NhbHxhNjg4YjAwNC0zNTc1LTQzM2EtODYzOC0wMTNiYTJhYzFmNjQiLCJpc
3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb2
1haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4
iXSwic2lkIjoiY2I2NjkwM2EtOTgyMy00NTExLTgyYmYtYzJmMzAzZmU5OTJlIiwiem9uZV9pZCI6IjAwMDAw
MDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjFlYTQxOTMxLWVjNDUtNGIyZS1hN
TM1LTcyMWIyZWM0NjcwYyIsImlhdCI6MTYwMTg5MDI0MywiZXhwIjoxNjAxODkwNTQzfQ._r1U5EsgJu1kSs_
JFbjjZp-Tb7eEMqHkWP6bf98DQto' -H 'Content-Type: application/json' --data-binary $'
{\n\n "group": "CCKM Users",\n "permit": true,\n "actions":
["view","keycreate"]\n}' --compressed
Example Response
{
"id": "543e3f50-aac1-4e07-8499-e5de03a22528",
"uri": "kylo:kylo:cckm:azure-vault:keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T09:59:12.030403Z",
"name": "keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"updatedAt": "2020-09-30T10:09:08.492827686Z",
"azure_vault_id": "/subscriptions/12e533dd-b5c2-4e58-a264-0cd812dc5a34/resourceGroups/
CCKM-resource/providers/Microsoft.KeyVault/vaults/keyvault-premium",
"type": "Microsoft.KeyVault/vaults",
"location": "northcentralus",
"connection": "azure-connection",
"acls": [
{
"group": "CCKM Users",
"actions": [
"view",
"keycreate"
]
}
],
"cloud_name": "AzureCloud",
"subscription_id": "12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"azure_name": "keyvault-premium",
"synced_at": "2020-09-30T09:59:11.991824Z",
"subscription_name": "Pay-As-You-Go",
"properties": {
"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"sku": {
"family": "A",
"name": "premium"
},
"vaultUri": "https://keyvault-premium.vault.azure.net/"
}
}
The sample output shows that the group (CCKM Users) is granted permissions to perform the view and keycreateoperations
on the Azure vault.
To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
After the permissions are configured on the Azure vault, use the get /v1/cckm/azure/vaults/{id}
API to view the details of the Azure vault with the list of actions a user or group can perform on the Azure vault.