Updating Key Policy
Use the post /v1/cckm/aws/keys/{id}/policy
API to update the policy of an AWS key.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/policy' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "key_users": ["key_user"],\n "key_admins": ["key_admin"],\n "external_accounts": ["external_account"]\n\n}'--compressed
Here, {id}
represents the key ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
external_accounts | array of strings | AWS accounts that can use this key. |
key_admins | array of strings | IAM users who can administer this key using the KMS API. |
key_admins_roles | array of strings | IAM roles that can administer this key using the KMS API. |
key_users | array of strings | IAM users who can use this key in cryptographic operations. |
key_users_roles | array of strings | IAM roles that can use the CMK in cryptographic operations. |
policy | JSON | Key policy mapped to the key. |
policytemplate | string | ID of the policy template to apply. Note: When a policy template is applied to an AWS key, CCKM adds the template tag ( cckm_policy_template_id ) to the key. Do not modify or delete this tag on the AWS cloud. |
Note
Specify Policy
, policytemplate
, or one of key_admins
, key_admins_roles
, key_users
, key_users_roles
, and external_accounts
. They are mutually exclusive. If no parameters are specified, the default policy is used.
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/policy' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNWMwZGJlNC1lMmJmLTQ3M2MtODY4MC01NWVkMWIzMDEzMmEiLCJzdWIiOiJsb2NhbHxhNjdjMzc0OC05YTRiLTRhZGQtYjNkOS0wNTRiYTIwYmUzYWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDhkNDI5ZjktNDgzYi00ODdlLWJjOTQtNGE1Mjc2ZDI2ZjZjIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImIyZjQxZTFiLTc0MmQtNDA1Mi04NTA5LWRlZDE1NjNjNjRmNCIsImlhdCI6MTYwNDU1OTAyMywiZXhwIjoxNjA0NTU5MzIzfQ.R9TjeIn5d9N7-V_8FGcl-90aRarpQayXfBL2OJ50AKk' -H 'Content-Type: application/json' --data-binary $'{\n "key_users": ["user2"]\n}' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:54:46.590542851Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:38:27.581643Z",
"rotation_status": "",
"cloud_name": "aws",
"key_users": [
"arn:aws:iam::123456789012:user/user2"
],
"key_type": "symmetric",
"basic_view_enabled": true,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "key-description",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM UserName Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:root"
]
},
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/user2"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/user2"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": true
}
}
The sample output shows that Key User (user2
) is added and based on the assigned permissions, the Key User(user2
) can perform cryptographic operations on the AWS KMS.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.