Replicating Multi-Region AWS Keys
Use the post /v1/cckm/aws/keys/{id}/replicate-key API to replicate a multi-region AWS key to different AWS regions. When replicating the key, specify the desired AWS region.
When you replicate a multi-region primary key with imported key material (that is, key material uploaded from CCKM), the replicate process does not return a replica key with the same key material as the primary key. Instead, it returns a replica key with no key material and a key state of PendingImport. To enable the replica key, you must import into it the same key material that you imported into its primary key.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/replicate-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "replica_region": "<replication-region>",\n  "aws_param": {<aws parameters>}}' --compressed
Here, {id} represents the resource ID of the primary multi-region AWS key.
Request Parameters
| Parameter | Type | Description | 
|---|---|---|
| AUTHTOKEN | string | Authorization token. | 
| replica_region | string | Name of the region where the key is to be replicated. | 
| aws_param | JSON | Key parameters such as alias, description, and usage. Refer to AWS Key Parameters for details. | 
| external_accounts | array of strings | AWS accounts that can use this key. | 
| key_admins | array of strings | IAM users who can administer this key using the KMS API. | 
| key_admins_roles | array of strings | IAM roles that can administer this key using the KMS API. | 
| key_users | array of strings | IAM users who can use this key in cryptographic operations. | 
| key_users_roles | array of strings | IAM roles that can use this key in cryptographic operations. | 
| policytemplate | string | ID of the policy template to apply. Note: When a policy template is applied to an AWS key, CCKM adds the template tag (cckm_policy_template_id) to the key. Do not modify or delete this tag on the AWS cloud. | 
Note
Specify Policy, policytemplate, or one of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.
AWS Key Parameters
| Parameter | Type | Description | 
|---|---|---|
| Alias | string | Alias of the key. | 
| BypassPolicyLockoutSafetyCheck | boolean | Flag to bypass the key policy lockout safety check. | 
| Description | string | Description of the key. | 
| Origin | string | Source of the AWS customer master key (CMK) key material. The key origin cannot be changed after the key is created. Possible values: AWS_KMS or EXTERNAL. | 
| Policy | JSON | Key policy to attach to the CMK. | 
| Tags | array of JSONs | Optional key-value pairs that attach additional information to the key. CCKM allows alphanumeric characters and the special characters _ . / = + - @ in tag values. | 
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/replicate-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "replica_region": "ap-south-1",\n  "aws_param": {\n    "Description": "Replicated key",\n    "Tags": [\n      {\n        "TagKey": "key",\n        "TagValue": "value"\n      }\n    ]\n  }\n}' --compressed
Example Response
{
    "id": "a152ad26-df3f-4116-abae-b93a914e76ac",
    "uri": "kylo:kylo:cckm:aws-replica-key:a152ad26-df3f-4116-abae-b93a914e76ac",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2021-08-10T05:55:49.010163222Z",
    "updatedAt": "2021-08-10T05:55:49.008870847Z",
    "kms_id": "10fa8bf3-3070-4bdc-8f19-f7cbed593f40",
    "kms": "kms",
    "synced_at": "2021-08-10T05:55:48.907773918Z",
    "rotation_status": "",
    "cloud_name": "aws",
    "key_type": "symmetric",
    "basic_view_enabled": false,
    "region": "ap-south-1",
    "gone": false,
    "key_material_origin": "native",
    "aws_param": {
        "AWSAccountId": "556782317223",
        "Arn": "arn:aws:kms:ap-south-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "Description": "Replicated key",
        "Enabled": false,
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ],
        "KeyID": "mrk-6ad3ab90026044a2a24fef020c5d02dc",
        "KeyManager": "CUSTOMER",
        "KeyState": "Creating",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "Origin": "AWS_KMS",
        "CreationDate": "2021-08-10T05:55:48.542Z",
        "Alias": [
            "alias/ab-mr-key"
        ],
        "KeyRotationEnabled": false,
        "MultiRegion": true,
        "MultiRegionConfiguration": {
            "MultiRegionKeyType": "REPLICA",
            "PrimaryKey": {
                "Arn": "arn:aws:kms:ap-south-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
                "Region": "ap-south-1"
            },
            "ReplicaKeys": [
                {
                    "Arn": "arn:aws:kms:ap-southeast-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
                    "Region": "ap-southeast-1"
                }
            ]
        },
        "ReplicaPolicy": {
            "Version": "2012-10-17",
            "Id": "key-default-1",
            "Statement": [
                {
                    "Sid": "Enable IAM User Permissions",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::556782317223:root"
                    },
                    "Action": "kms:*",
                    "Resource": "*"
                }
            ]
        },
        "ReplicaTags": [
            {
                "TagKey": "key",
                "TagValue": "value"
            }
        ]
    }
}
The sample output shows that the AWS key (unique ID baf58871-2503-4d13-a84a-339aeb8fdfaf, in the AWS region ap-south-1) is replicated to the AWS region ap-southeast-1. The unique ID of the replica key is a152ad26-df3f-4116-abae-b93a914e76ac.
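The following script is an added example, not part of this page or of the CCKM product code. It builds the replicate-key request described above with the documented `replica_region` and `aws_param` body, then reads the response to report the replica's state and to flag the PendingImport case for primaries with imported (EXTERNAL) key material. The host, token, CA file and key ID are assumed placeholders; the call verifies TLS against a CA bundle instead of disabling verification as `-k` does.

```python
import json
import ssl
import urllib.request

# Assumed placeholders (not from the page): CCKM base URL, token, CA bundle and primary key id.
CCKM_BASE = "https://127.0.0.1/api/v1"
AUTHTOKEN = "<AUTHTOKEN>"
CCKM_CA_FILE = "cckm-ca.pem"
PRIMARY_KEY_ID = "baf58871-2503-4d13-a84a-339aeb8fdfaf"  # example id taken from the page


def build_replicate_request(base_url, key_id, replica_region, aws_param, token):
    """Return (url, headers, body) for POST /cckm/aws/keys/{id}/replicate-key."""
    url = f"{base_url}/cckm/aws/keys/{key_id}/replicate-key"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps({"replica_region": replica_region, "aws_param": aws_param}).encode()
    return url, headers, body


def replica_needs_import(resp):
    """True when the replica has no key material yet (primary used imported material)."""
    p = resp.get("aws_param", {})
    return p.get("Origin") == "EXTERNAL" and p.get("KeyState") == "PendingImport"


def replica_summary(resp):
    """Extract the fields an operator checks before relying on the replica."""
    p = resp["aws_param"]
    cfg = p.get("MultiRegionConfiguration", {})
    return {
        "replica_id": resp["id"],
        "aws_key_id": p["KeyID"],
        "state": p["KeyState"],
        "enabled": p["Enabled"],
        "is_replica": cfg.get("MultiRegionKeyType") == "REPLICA",
        "replica_regions": [r["Region"] for r in cfg.get("ReplicaKeys", [])],
        "needs_import": replica_needs_import(resp),  # must import same material before use
    }


def replicate_key(base_url, key_id, replica_region, aws_param, token, cafile):
    """Send the request over TLS verified against cafile and summarise the response."""
    url, headers, body = build_replicate_request(base_url, key_id, replica_region, aws_param, token)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as r:
        return replica_summary(json.load(r))


if __name__ == "__main__":
    print(replicate_key(CCKM_BASE, PRIMARY_KEY_ID, "ap-southeast-1",
                        {"Description": "Replicated key"}, AUTHTOKEN, CCKM_CA_FILE))
```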
Response Codes
| Response Code | Description | 
|---|---|
| 2xx | Success | 
| 4xx | Client errors | 
| 5xx | Server errors | 
Refer to HTTP status codes for details.