Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Key Life Cycle Management APIs

Scheduling Key Deletion

search

Please Note:

Scheduling Key Deletion

Use the post /v1/cckm/aws/keys/{id}/schedule-deletion API to schedule deletion of a key.

Note

You can schedule the deletion of a multi-Region primary key at any time. However, AWS KMS will not delete a multi-Region primary key that has replica keys, even if they are scheduled for deletion.

Tip

  • To delete a multi-region primary key, you must schedule the deletion of all of its replica keys, and then wait for the replica keys to be deleted. The required waiting period for deleting a primary key begins when the last of its replica keys is deleted. If you must delete a primary key from a particular Region without deleting its replica keys, change the primary key to a replica key by updating the primary Region.

  • If any replica keys still exist, the key state of the primary key changes to Pending replica deletion (PendingReplicaDeletion). Otherwise, it changes to Pending deletion (PendingDeletion). In either case, you cannot use the primary key in cryptographic operations and you cannot replicate it.

Syntax

curl -k '<IP>/api/v1/cckm/aws/keys/{id}/schedule-deletion' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "days": <days>\n}' --compressed

Here, {id} represents the key ID.

Request Parameters

ParameterTypeDescription
AUTHTOKENstringAuthorization token.
daysintegerNumber of days after which the key will be deleted.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/schedule-deletion' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNWMwZGJlNC1lMmJmLTQ3M2MtODY4MC01NWVkMWIzMDEzMmEiLCJzdWIiOiJsb2NhbHxhNjdjMzc0OC05YTRiLTRhZGQtYjNkOS0wNTRiYTIwYmUzYWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDhkNDI5ZjktNDgzYi00ODdlLWJjOTQtNGE1Mjc2ZDI2ZjZjIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjJhN2Y2MWM0LTAyZDYtNDcyOC1hNjE2LTNiNGE1NWMzMzFiNSIsImlhdCI6MTYwNDU1ODY5NSwiZXhwIjoxNjA0NTU4OTk1fQ.j7dg_wOMie9RoTy_i3EbAx_yQGyrw4_4n5kaHp0EmN0' -H 'Content-Type: application/json' --data-binary $'{\n  "days": 7\n}' --compressed

Example Response

{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:48:43.972188229Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:38:27.581643Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
    "AWSAccountId": "123456789012",
    "Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "Description": "key-description",
    "Enabled": false,
    "EncryptionAlgorithms": [
        "SYMMETRIC_DEFAULT"
    ],
    "KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
    "KeyManager": "CUSTOMER",
    "KeyState": "PendingDeletion",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "AWS_KMS",
    "CreationDate": "2020-11-05T06:35:29Z",
    "Policy": {
        "Id": "key-default-1",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Action": "kms:*",
                "Effect": "Allow",
                "Resource": "*",
                "Principal": {
                    "AWS": "arn:aws:iam::123456789012:root"
                }
            }
        ]
    },
    "Alias": [
        "alias/aws-test-key"
    ],
    "Tags": [
        {
            "TagKey": "key",
            "TagValue": "value"
        }
    ],
    "DeletionDate": "2020-11-12T06:48:43.971985424Z",
    "KeyRotationEnabled": false
}
}

The sample output shows that the key will be deleted after 7 days. When key deletion is scheduled, the state of the key changes from enabled to pending deletion.

To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.

Response Codes

Response CodeDescription
2xxSuccess
4xxClient errors
5xxServer errors

Refer to HTTP status codes for details.

On this page