Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Key Life Cycle Management APIs

Importing Key Material to AWS KMS

search

Please Note:

Importing Key Material to AWS KMS

Use the post /v1/cckm/aws/keys/{id}/import-material API to import the key material to the AWS KMS.

Syntax

curl -k '<IP>/api/v1/cckm/aws/keys/{id}/import-material' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "source_key_tier": "<source_key_tier>",\n  "source_key_identifier": "<source_key_identifier>",\n  "key_expiration": <boolean>,\n  "valid_to": "<key validity>"\n}' --compressed

Here, {id} represents the key material ID.

Request Parameters

ParameterTypeDescription
AUTHTOKENstringAuthorization token.
key_expirationbooleanFlag to disable encryption on the key which is getting rotated.
source_key_tierstringTier of the source. Possible options are:
local for CipherTrust Manager (default)
dsm for Data Security Manager
external-cm for external CipherTrust Manager
hsm-luna for Luna HSM (FM-enabled Luna HSM is not supported as a key source)
source_key_identifierstringName or ID of the key to be imported to the AWS KMS.
• If source_key_tier is local, this is the ID of the CipherTrust Manager key to be uploaded. By default, a new CipherTrust Manager key is generated automatically.
• If source_key_tier is dsm, this is the ID of the DSM key to be uploaded. source_key_identifier is a mandatory parameter.
If the key material is reimported, AWS allows reimporting the same key material only. It is mandatory to provide the source_key_identifier of the same CipherTrust Manager or DSM key which was imported previously.
valid_tostringKey expiration time of the newly rotated key, must be formatted as per RFC3339.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/40387a72-6e24-4cdd-8840-b586757c44bf/import-material' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNWMwZGJlNC1lMmJmLTQ3M2MtODY4MC01NWVkMWIzMDEzMmEiLCJzdWIiOiJsb2NhbHxhNjdjMzc0OC05YTRiLTRhZGQtYjNkOS0wNTRiYTIwYmUzYWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDhkNDI5ZjktNDgzYi00ODdlLWJjOTQtNGE1Mjc2ZDI2ZjZjIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjkxZGNhYjVkLWJmNDktNDk1Yi1iM2YyLWQ5ZjlkOGU5MDQ5MyIsImlhdCI6MTYwNDU1OTY0OCwiZXhwIjoxNjA0NTU5OTQ4fQ.j_7biN5YJm188ZzU-IMDsTxJ3X57GbzkOxunP4XE6J0' -H 'Content-Type: application/json' --data-binary $'{\n  "source_key_identifier": "test-key",\n  "key_expiration": true,\n  "valid_to": "2020-12-04T06:51:18.505860192Z"\n}' --compressed

Example Response

{
"id": "40387a72-6e24-4cdd-8840-b586757c44bf",
"uri": "kylo:kylo:cckm:aws-key:40387a72-6e24-4cdd-8840-b586757c44bf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T07:01:48.965088Z",
"updatedAt": "2020-11-05T07:02:26.388806901Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T07:01:48.959221Z",
"rotation_status": "",
"local_key_id": "361d928ac7e340d093e7d231c80ca934acc62528601647ce86a219c9a82f4f93",
"local_key_name": "test-key",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "cckm",
"aws_param": {
    "AWSAccountId": "123456789012",
    "Arn": "arn:aws:kms:ap-south-1:123456789012:key/031c5703-aaf7-425e-a141-7e0c6f5886ab",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "Enabled": true,
    "EncryptionAlgorithms": [
        "SYMMETRIC_DEFAULT"
    ],
    "KeyID": "031c5703-aaf7-425e-a141-7e0c6f5886ab",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "EXTERNAL",
    "CreationDate": "2020-11-05T07:01:36Z",
    "Policy": {
        "Id": "key-default-1",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Action": "kms:*",
                "Effect": "Allow",
                "Resource": "*",
                "Principal": {
                    "AWS": "arn:aws:iam::123456789012:root"
                }
            }
        ]
    },
    "Alias": [
        "alias/aws-test-key-External"
    ],
    "Tags": [
        {
            "TagKey": "key",
            "TagValue": "value"
        }
    ],
    "ValidTo": "2020-12-04T06:51:18.505860192Z",
    "KeyRotationEnabled": false,
    "ExpirationModel": "KEY_MATERIAL_EXPIRES"
}
}

The sample output shows that the key material is imported to the AWS KMS. As the key is not created on the AWS KMS, its origin is EXTERNAL. A unique ID (40387a72-6e24-4cdd-8840-b586757c44bf) for the imported key is returned.

To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.

Response Codes

Response CodeDescription
2xxSuccess
4xxClient errors
5xxServer errors

Refer to HTTP status codes for details.

On this page