Changing the Primary Key of a Multi-Region AWS Key
Use the POST /v1/cckm/aws/keys/{id}/update-primary-region API to set a replica key as the primary key of a multi-region AWS key. The original primary key becomes a replica key.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/a152ad26-df3f-4116-abae-b93a914e76ac/update-primary-region' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "PrimaryRegion": "<primary-region>"\n}' --compressed
Here, {id} represents the resource ID of the replica key that you want to set as the primary key for the multi-region AWS key.
Request Parameters
| Parameter | Type | Description | 
|---|---|---|
| AUTHTOKEN | string | Authorization token. | 
| PrimaryRegion | string | Region ID (for example, us-east-1 or ap-southeast-2) of the new primary key. The replica with the specified resource ID must exist in the PrimaryRegion region. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/a152ad26-df3f-4116-abae-b93a914e76ac/update-primary-region' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIzMjhkNDU4YS1jZjk3LTQwZWMtYTgyNS1kN2E2OTBmZjE1MTUiLCJzdWIiOiJsb2NhbHw3NmU2NGY5Zi1hNTU2LTQ5Y2UtOWRmZC0xNmI1YzU4ZDEyZTMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiYzExMzFiMzktNzlmZC00YzNhLTlkZTgtYjg5ZWM4ZDZkNmIwIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjdmNTU0NzMwLTQ4OGYtNDU5MS1hMjdmLWM3NDBlOTQwMGQ5ZiIsImlhdCI6MTYyODU3ODAzMiwiZXhwIjoxNjI4NTc4MzMyfQ.tTrel3vmidVb3tG46Kz3eHoCHDUhJR08l93o258uLPg' -H 'Content-Type: application/json' --data-binary $'{\n  "PrimaryRegion": "ap-southeast-1"\n}' --compressed
Example Response
{
    "id": "a152ad26-df3f-4116-abae-b93a914e76ac",
    "uri": "kylo:kylo:cckm:aws-replica-key:a152ad26-df3f-4116-abae-b93a914e76ac",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2021-08-10T05:55:49.010163Z",
    "updatedAt": "2021-08-10T06:47:37.856490404Z",
    "kms_id": "10fa8bf3-3070-4bdc-8f19-f7cbed593f40",
    "kms": "kms",
    "synced_at": "2021-08-10T05:55:48.907774Z",
    "rotation_status": "",
    "cloud_name": "aws",
    "key_type": "symmetric",
    "basic_view_enabled": false,
    "region": "ap-south-1",
    "gone": false,
    "key_material_origin": "native",
    "aws_param": {
        "AWSAccountId": "556782317223",
        "Arn": "arn:aws:kms:ap-south-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "Description": "Replicated key",
        "Enabled": false,
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ],
        "KeyID": "mrk-6ad3ab90026044a2a24fef020c5d02dc",
        "KeyManager": "CUSTOMER",
        "KeyState": "Updating",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "Origin": "AWS_KMS",
        "CreationDate": "2021-08-10T05:55:48.542Z",
        "Alias": [
            "alias/ab-mr-key"
        ],
        "KeyRotationEnabled": false,
        "MultiRegion": true,
        "MultiRegionConfiguration": {
            "PrimaryKey": {
                "Arn": "arn:aws:kms:ap-southeast-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
                "Region": "ap-southeast-1"
            },
            "ReplicaKeys": [
                {
                    "Arn": "arn:aws:kms:ap-south-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
                    "Region": "ap-south-1"
                }
            ],
            "MultiRegionKeyType": "REPLICA"
        },
        "ReplicaPolicy": {
            "Id": "key-default-1",
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "Enable IAM User Permissions",
                    "Action": "kms:*",
                    "Effect": "Allow",
                    "Resource": "*",
                    "Principal": {
                        "AWS": "arn:aws:iam::556782317223:root"
                    }
                }
            ]
        },
        "ReplicaTags": [
            {
                "TagKey": "key",
                "TagValue": "value"
            }
        ]
    }
}
The sample output shows that the replica key (with the unique ID a152ad26-df3f-4116-abae-b93a914e76ac) is set as the new primary key in the AWS region "ap-southeast-1".
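The following is an added example, not part of the product documentation: a Python check that a caller could run on the response body to confirm the requested region is now the primary and to tell whether the change is still in progress. The helper name check_primary_update is hypothetical; the field names come from the example response above, and the meaning of the "Updating" key state is AWS KMS behaviour during a primary-region change.

```python
import json

# Trimmed copy of the example response on this page (only the fields checked).
SAMPLE_RESPONSE = json.loads("""
{
  "id": "a152ad26-df3f-4116-abae-b93a914e76ac",
  "region": "ap-south-1",
  "aws_param": {
    "KeyID": "mrk-6ad3ab90026044a2a24fef020c5d02dc",
    "KeyState": "Updating",
    "MultiRegion": true,
    "MultiRegionConfiguration": {
      "PrimaryKey": {"Arn": "arn:aws:kms:ap-southeast-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc", "Region": "ap-southeast-1"},
      "ReplicaKeys": [{"Arn": "arn:aws:kms:ap-south-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc", "Region": "ap-south-1"}],
      "MultiRegionKeyType": "REPLICA"
    }
  }
}
""")


def check_primary_update(resp, requested_region):  # hypothetical helper name
    """Return (status, problems); status is 'complete', 'pending' or 'failed'."""
    aws = resp.get("aws_param", {})
    cfg = aws.get("MultiRegionConfiguration", {})
    primary = cfg.get("PrimaryKey", {})
    problems = []
    if not aws.get("MultiRegion"):
        problems.append("key is not a multi-region key")
    if primary.get("Region") != requested_region:
        problems.append(f"primary is {primary.get('Region')!r}, expected {requested_region!r}")
    # ARN layout: arn:aws:kms:<region>:<account>:key/<key-id>
    arn = primary.get("Arn", "").split(":")
    if len(arn) != 6 or arn[3] != primary.get("Region") or arn[5] != f"key/{aws.get('KeyID')}":
        problems.append("primary ARN does not match the reported region and KeyID")
    if requested_region in [r.get("Region") for r in cfg.get("ReplicaKeys", [])]:
        problems.append("requested region is still listed as a replica")
    if problems:
        return "failed", problems
    # AWS KMS reports KeyState "Updating" while the change is still in progress.
    return ("pending" if aws.get("KeyState") == "Updating" else "complete"), problems
```

For the example response above, the check returns "pending" for ap-southeast-1 because KeyState is still "Updating"; fetch the key again later before relying on the new primary.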
Response Codes
| Response Code | Description | 
|---|---|
| 2xx | Success | 
| 4xx | Client errors | 
| 5xx | Server errors | 
Refer to HTTP status codes for details.