Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Google Cloud Key Ring APIs

Granting Permissions to Users or Groups

search

Please Note:

You are not viewing the most recent version of this page. 2.19 is the latest version available.

print

Granting Permissions to Users or Groups

Use the post /v1/cckm/google/key-rings/{id}/update-acls API to grant permissions to users or groups to perform specified operations on a Google Cloud key ring with a given ID on the CipherTrust Manager.

User ID and group are mutually exclusive – specify either. For the first time users or groups, actions are permitted as configured by the CCKM administrator. However, if the permissions of a user or group need to be modified later, for example, a new action is to be permitted or an existing action is to be revoked, the CCKM administrator needs to set that particular action to true or false.

For example, a user or group is permitted actions, keycreate and keyupdate. Now, to permit one more action keydestroy to the user or group, set "permit":true and "actions": "keydestroy" and run the API. Similarly, now to deny permission to the action keycreate, set "permit":false, "actions": "keycreate", and run the API.

Refer to Actions for actions supported by different APIs.

copy link to clipboardSyntax

curl -k '<IP>/api/v1/cckm/google/key-rings/{id}/update-acls' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "acls": [\n    {\n      "group": "<group>",\n      "actions": [\n        "<action1>", "<action2>"\n      ],\n      "permit": <true|false>\n    }\n  ]\n}' --compressed

Here, {id} represents the resource ID of the Google key ring on the CipherTrust Manager.

copy link to clipboardRequest Parameters

ParameterTypeDescription
AUTHTOKENstringAuthorization token.
aclsarray of JSONsPermissions to be granted to users and groups. Refer to ACLs for details.

copy link to clipboardACLs

ParameterTypeDescription
actionsarray of stringsList of actions. The actions can be:
• keycreate
• keyupdate
• keysynchronize
• view
• keydestroy
• keycanceldestroy
• keyupload
Refer to Actions for details.
groupstringName of the user group to be granted permissions. User ID and group are mutually exclusive – specify either.
permitbooleanWhether to permit users to perform specific operations. Set true to permit, false to deny.
user_idstringID of the user to be granted permissions. User ID and group are mutually exclusive – specify either.

copy link to clipboardActions

The following table lists the accepted values:

APIsActionsDescription
CreatekeycreatePermission to create Google Cloud keys.
SynchronizekeysynchronizePermission to synchronize Google Cloud keys.
CancelkeysynchronizePermission to cancel the Google Cloud key synchronization job.
UpdatekeyupdatePermission to update the Google Cloud key attributes, tags, and key operations.
Enable KeykeyupdatePermission to enable the Google Cloud keys.
Disable KeykeyupdatePermission to disable the Google Cloud keys.
Schedule DestroykeydestroyPermission to schedule destruction of Google Cloud keys.
Cancel DestroykeycanceldestroyPermission to cancel schedule destruction of Google Cloud keys.
UploadkeyuploadPermission to upload Google Cloud keys to key rings.
ListviewPermission to view Google Cloud key rings and their keys.
Get (Google Cloud Keys)viewPermission to view details of a Google Cloud key with the given ID.
List Key RingviewPermission to view Google Cloud key rings and their keys.
Get (Google Cloud Key Rings)viewPermission to view details of Google Cloud key rings with the given ID.

copy link to clipboardExample Request

curl -k 'https://127.0.0.1/api/v1/cckm/google/key-rings/0545492c-ebcc-4c0e-a456-b335b6fbdd3d/update-acls' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhOGY3N2IxZS1lOTY2LTQwMjEtODRjMC01YjZiNjAzMTBmOWEiLCJzdWIiOiJsb2NhbHwzM2Y5ZDFmNi04MjJiLTQ0NTItOGM4MC1mYzM0ZGYyZTI3OGQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiNjcyMjMzMDAtYjU2ZC00ZmVmLTkwMDEtZGE1NGY2ZDdiMzY4Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjNkNWM4OWYzLTM1OWYtNGZmYS04ZTMyLWMxZjk0NTIyMWYzNiIsImlhdCI6MTYyMDE5NTY0NCwiZXhwIjoxNjIwMTk1OTQ0fQ.NAHcbm9TIB3YmVg-i_nfXf0-B0wMbAoXMSTaAJ-Ke-U' -H 'Content-Type: application/json' --data-binary $'{\n  "acls": [\n {\n            "actions": [\n                "view"\n            ],\n            "group": "CCKM Users",\n            "permit": true\n        }\n]\n}' --compressed

copy link to clipboardExample Response

{
    "id": "0545492c-ebcc-4c0e-a456-b335b6fbdd3d",
    "uri": "kylo:kylo:cckm:gcp-key-ring:0545492c-ebcc-4c0e-a456-b335b6fbdd3d",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2021-05-05T06:19:44.602449Z",
    "updatedAt": "2021-05-05T06:23:24.676857218Z",
    "name": "projects/gemalto-kyloeng/locations/global/keyRings/demo-key-ring",
    "key_ring_id": "demo-key-ring",
    "location": "global",
    "project_id": "gemalto-kyloeng",
    "project_name": "projects/gemalto-kyloeng",
    "connection": "gcp-connection",
    "cloud_name": "gcp",
    "acls": [
        {
            "group": "CCKM Users",
            "actions": [
                "view"
            ]
        }
    ],
    "organization_name": "organizations/123456789012",
    "organization_display_name": "123456789012"
}

The output shows the updated permissions for the Google Cloud key ring with ID 0545492c-ebcc-4c0e-a456-b335b6fbdd3d.

copy link to clipboardResponse Codes

Response CodeDescription
2xxSuccess
4xxClient errors
5xxServer errors

Refer to HTTP status codes for details.

On this page