Attaching an IAM Policy to a Key
Use the POST /v1/cckm/google/keys/{id}/policy API to attach an IAM policy to the Google Cloud key with the given ID.
Syntax
```bash
curl -k '<IP>/api/v1/cckm/google/keys/{id}/policy' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n\x09"version": 1,\n\x09"bindings": [\n\x09\x09{\n\x09\x09\x09"role": "<role>",\n\x09\x09\x09"members": [\n\x09\x09\x09\x09"user:<user>"\n\x09\x09\x09]\n\x09\x09},\n\x09\x09{\n\x09\x09\x09"role": "roles/cloudkms.viewer",\n\x09\x09\x09"members": [\n\x09\x09\x09\x09"user:<user>"\n\x09\x09\x09]\n\x09\x09}\n\x09],\n\x09"etag": "<etag-value>"\n}' --compressed
```
Here, {id} represents the resource ID of the Google Cloud key on the CipherTrust Manager.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
bindings | array of JSON objects | Associates a list of members or principals with a role. Optionally, you can specify a condition that determines how and when the bindings are applied. Every binding must contain at least one principal. Refer to Binding Parameters for details. |
etag | string | A base64-encoded string. |
version | string | Specifies the format of the policy. Valid values are 0, 1, and 3. Requests that specify an invalid value are rejected. |
Binding Parameters
Parameter | Type | Description |
---|---|---|
condition | string | Condition associated with the binding. |
members | array of strings | Principals requesting access for a Google Cloud resource. |
role | string | Role assigned to the list of members or principals. |
Example Request
```bash
curl -k 'https://127.0.0.1/api/v1/cckm/google/keys/2f18eade-2fd9-4c48-85f7-550107729299/policy' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....q23aSRM3Qf1Kzu0Bi5tYFTU44FOcVKWUVQOqfwzVe6Q' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n\x09"version": 1,\n\x09"bindings": [\n\x09\x09{\n\x09\x09\x09"role": "roles/cloudkms.admin",\n\x09\x09\x09"members": [\n\x09\x09\x09\x09"user:user1.user1@domain.com"\n\x09\x09\x09]\n\x09\x09},\n\x09\x09{\n\x09\x09\x09"role": "roles/cloudkms.viewer",\n\x09\x09\x09"members": [\n\x09\x09\x09\x09"user:user1.user1@domain.com"\n\x09\x09\x09]\n\x09\x09}\n\x09],\n\x09"etag": "BwX6OUU48Hw="\n}' --compressed
```
Example Response
```json
{
  "id": "2f18eade-2fd9-4c48-85f7-550107729299",
  "uri": "kylo:kylo:cckm:gcp-keys:2f18eade-2fd9-4c48-85f7-550107729299",
  "account": "kylo:kylo:admin:accounts:kylo",
  "createdAt": "2021-05-04T11:29:39.90657103Z",
  "updatedAt": "2021-05-04T11:29:39.90537929Z",
  "cloud_name": "gcp",
  "key_id": "NewTestKey",
  "project_id": "gemalto-kyloeng",
  "location_id": "global",
  "key_ring_id": "ny-test-ring",
  "key_ring_name": "projects/gemalto-kyloeng/locations/global/keyRings/ny-test-ring",
  "gone": false,
  "auto_rotate": false,
  "status": "AVAILABLE",
  "gcp_params": {
    "name": "projects/gemalto-kyloeng/locations/global/keyRings/ny-test-ring/cryptoKeys/NewTestKey",
    "primary": "projects/gemalto-kyloeng/locations/global/keyRings/ny-test-ring/cryptoKeys/NewTestKey/cryptoKeyVersions/1",
    "createTime": "2021-05-04T11:29:40.551270629Z",
    "labels": {
      "isakey": "yes"
    },
    "purpose": "ENCRYPT_DECRYPT",
    "next_rotation_time": null,
    "protectionLevel": "SOFTWARE",
    "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
    "policy": {
      "version": 1,
      "bindings": [
        {
          "role": "roles/cloudkms.admin",
          "members": [
            "user:user1.user1@domain.com"
          ]
        },
        {
          "role": "roles/cloudkms.viewer",
          "members": [
            "user:user1.user1@domain.com"
          ]
        }
      ],
      "etag": "BwX85rA4XNc="
    }
  }
}
```
The output shows that the IAM policy attached to the specified Google Cloud key has been updated. Note that the etag returned in `gcp_params.policy` (BwX85rA4XNc=) differs from the one sent in the request (BwX6OUU48Hw=): the etag identifies the policy revision, so a subsequent update must carry the new value.
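The following is an added example, not code from the CipherTrust Manager documentation or product, showing how a client would assemble and check the request body described above before sending it. It validates the rules the parameter tables state (version in 0/1/3, every binding has at least one principal, etag is base64), flags members that are not individual principals, and shows a read-modify-write update that starts from the policy returned in `gcp_params.policy` so that existing bindings and the current etag are carried over. `CM_HOST`, `AUTHTOKEN` and `KEY_ID` are placeholders; the role and service-account member in the last step are constructed sample values; the HTTP call uses the standard library and keeps certificate verification on (the curl examples use `-k`, which disables it).

```python
"""Build, validate and send an IAM policy for POST /v1/cckm/google/keys/{id}/policy.
Added example; placeholders below are assumptions, not values from the docs."""
import base64
import json
import ssl
import urllib.request

CM_HOST = "cm.example.internal"        # placeholder: CipherTrust Manager host
AUTHTOKEN = "<AUTHTOKEN>"              # placeholder: bearer token
KEY_ID = "2f18eade-2fd9-4c48-85f7-550107729299"   # key resource ID from the docs example

VALID_POLICY_VERSIONS = {0, 1, 3}      # from the docs: "Valid values are 0, 1, and 3"
# Members that grant a role to everyone rather than to a named principal.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# The request body from the docs' example, used as the starting policy.
EXAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/cloudkms.admin", "members": ["user:user1.user1@domain.com"]},
        {"role": "roles/cloudkms.viewer", "members": ["user:user1.user1@domain.com"]},
    ],
    "etag": "BwX6OUU48Hw=",
}


def validate_policy(policy: dict) -> list:
    """Return a list of problems with the body; an empty list means it is acceptable."""
    problems = []
    if policy.get("version") not in VALID_POLICY_VERSIONS:
        problems.append(f"version must be one of {sorted(VALID_POLICY_VERSIONS)}")
    bindings = policy.get("bindings")
    if not isinstance(bindings, list) or not bindings:
        problems.append("bindings must be a non-empty array")
        bindings = []
    for i, binding in enumerate(bindings):
        if not binding.get("role"):
            problems.append(f"binding {i}: role is required")
        members = binding.get("members") or []
        if not members:
            problems.append(f"binding {i}: every binding must contain at least one principal")
        for member in members:
            if member in PUBLIC_MEMBERS:
                problems.append(f"binding {i}: {member!r} grants {binding.get('role')} to everyone")
            elif ":" not in member:
                problems.append(f"binding {i}: member {member!r} lacks a type prefix such as 'user:'")
    etag = policy.get("etag")
    if not isinstance(etag, str) or not etag:
        problems.append("etag must be a base64-encoded string")
    else:
        try:
            base64.b64decode(etag, validate=True)
        except Exception:
            problems.append("etag must be a base64-encoded string")
    return problems


def add_member(policy: dict, role: str, member: str) -> dict:
    """Return a new policy with member added to role, keeping every other binding
    and the etag of the policy being modified (the server rejects stale etags)."""
    updated = {"version": policy["version"], "bindings": [], "etag": policy["etag"]}
    found = False
    for binding in policy["bindings"]:
        members = list(binding.get("members", []))   # copy so the input is untouched
        if binding["role"] == role:
            found = True
            if member not in members:
                members.append(member)
        updated["bindings"].append({"role": binding["role"], "members": members})
    if not found:
        updated["bindings"].append({"role": role, "members": [member]})
    return updated


def attach_policy(host: str, key_id: str, token: str, policy: dict) -> dict:
    """Validate the body, POST it to CipherTrust Manager and return the parsed response."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    request = urllib.request.Request(
        f"https://{host}/api/v1/cckm/google/keys/{key_id}/policy",
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "accept": "application/json"},
        method="POST",
    )
    # Default SSL context verifies the server certificate, unlike curl -k.
    with urllib.request.urlopen(request, context=ssl.create_default_context()) as response:
        return json.loads(response.read())


if __name__ == "__main__":
    # Constructed sample: grant an application service account encrypt/decrypt only.
    new_policy = add_member(EXAMPLE_POLICY, "roles/cloudkms.cryptoKeyEncrypterDecrypter",
                            "serviceAccount:app@example-project.iam.gserviceaccount.com")
    print(json.dumps(new_policy, indent=2))
    print("problems:", validate_policy(new_policy))
    # attach_policy(CM_HOST, KEY_ID, AUTHTOKEN, new_policy)   # network call, placeholders
```

After a successful call, take `gcp_params.policy` from the response as the base for the next `add_member` call; reusing the etag sent in the earlier request makes the next update stale.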
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.