Creating AWS Keys on CCKM
Use the post /v1/cckm/aws/keys API to create an AWS key on the CCKM. When creating an AWS key, you can specify whether the key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. Later, you can set any replica of the multi-region key as the primary key.
Note
HMAC keys are not available in the cn-north-1 and cn-northwest-1 regions.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "kms": "<kms id>",\n "region": "<region>",\n "aws_param": {<aws parameters>}' --compressed
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| kms | string | Name or ID of the KMS. |
| region | string | Name of the region. |
| aws_param | JSON | Key parameters such as alias, description, and usage. Refer to AWS Key Parameters for details. |
| external_accounts | array of strings | AWS accounts that can use this key. |
| key_admins | array of strings | IAM users who can administer this key using the KMS API. |
| key_admins_roles | array of strings | IAM roles that can administer this key using the KMS API. |
| key_users | array of strings | IAM users who can use this key in cryptographic operations. |
| key_users_roles | array of strings | IAM roles that can use the CMK in cryptographic operations. |
| policytemplate | string | ID of the policy template to apply. Note: When a policy template is applied to an AWS key, CCKM adds the template tag ( cckm_policy_template_id) to the key. Do not modify or delete this tag on the AWS cloud. |
Note
Specify Policy, policytemplate, or one of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.
AWS Key Parameters
| Parameter | Type | Description |
|---|---|---|
| Alias | string | Alias of the key. |
| BypassPolicyLockoutSafetyCheck | boolean | Flag to bypass the key policy lockout safety check. |
| CustomerMasterKeySpec | string | Type of the key. Supported types are: • SYMMETRIC_DEFAULT (Default) • RSA_2048 (Asymmetric) • RSA_3072 (Asymmetric) • RSA_4096 (Asymmetric) • ECC_NIST_P256 (secp256r1) (Asymmetric) • ECC_NIST_P384 (secp384r1) (Asymmetric) • ECC_NIST_P521 (secp521r1) (Asymmetric) • ECC_SECG_P256K1 (secp256k1) (Asymmetric) • HMAC_224 • HMAC_256 • HMAC_384 • HMAC_512 |
| Description | string | Description of the key. |
| KeyUsage | string | Cryptographic operations performed by the key. Supported operations are: • ENCRYPT_DECRYPT • SIGN_VERIFY • GENERATE_VERIFY_MAC |
| MultiRegion | boolean | Whether the key can be replicated in multiple AWS regions. The base key will be referred to as the multi-region primary key. Set to true to allow key replication in multiple regions. |
| Origin | string | Source of the AWS customer master key (CMK) key material. The key origin cannot be changed. The origin of the key can be: • AWS_KMS • EXTERNAL |
| Policy | JSON | Key policy to attach to the CMK. |
| Tags | array of JSONs | An optional parameter to add additional information to the key. The value must be specified as the key-value pair. CCKM allows the following characters in tag values: • Alphanumeric characters • Special characters ** _ . / = + - @ ** |
Note
Specify Policy, policytemplate, or one of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNWMwZGJlNC1lMmJmLTQ3M2MtODY4MC01NWVkMWIzMDEzMmEiLCJzdWIiOiJsb2NhbHxhNjdjMzc0OC05YTRiLTRhZGQtYjNkOS0wNTRiYTIwYmUzYWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDhkNDI5ZjktNDgzYi00ODdlLWJjOTQtNGE1Mjc2ZDI2ZjZjIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImU5YWUwYTI3LWVlYjQtNGNhZi04YjE4LTdhNzIzMDBkOTA0MCIsImlhdCI6MTYwNDU1ODEzOCwiZXhwIjoxNjA0NTU4NDM4fQ.MIMArFeC4cpPNTYOd39mu6_-yihdN0CDl_917eH8-kY' -H 'Content-Type: application/json' --data-binary $'{\n "kms": "kms",\n "region": "ap-south-1",\n "aws_param": {\n "Alias": "aws-test-key",\n "MultiRegion": true,\n "Tags": [\n {\n "TagKey": "key",\n "TagValue": "value"\n }\n ]\n }\n}' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457335Z",
"updatedAt": "2020-11-05T06:35:42.441821548Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:35:42.438073546Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false,
"MultiRegion": true
}
}
The sample output shows that an AWS key (with alias aws-test-key) is created in the AWS region "ap-south-1" on the AWS KMS. A unique ID (baf58871-2503-4d13-a84a-339aeb8fdfaf) for the key is returned.
In the output, "MultiRegion": true shows that the key is a multi-region primary key. This key can be replicated in multiple AWS regions. Refer to Replicating Multi-Region AWS Keys for replication details.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
