Uploading Keys to AWS KMS
Use the post /v1/cckm/aws/upload-key API to upload a key created on the CipherTrust Manager to the AWS KMS.
Syntax
curl -k '<IP>/api/v1/cckm/aws/upload-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "source_key_tier": "<source_key_tier>",\n "source_key_identifier": "<source_key_identifier>",\n "region": "<region>",\n "kms": "<kms_identifier>",\n "KeyExpiration": <boolean>,\n "aws_param": {<aws parameters>}' --compressed
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| kms | string | Name or ID of the KMS where the key will be uploaded. |
| region | string | Name of the region. |
| source_key_tier | string | Tier of the source. Possible options are: • local for CipherTrust Manager (default)• dsm for Data Security Manager• hsm-luna for Luna HSM (FM-enabled Luna HSM is not supported as a key source)• external-cm for external CipherTrust Manager |
| source_key_identifier | string | Name or ID of the key to be uploaded. • If source_key_tier is local, this is the ID of the CipherTrust Manager key to be uploaded.• If source_key_tier is dsm, this parameter is the ID of the DSM key key to be uploaded.• If source_key_tier is hsm-luna, this parameter is the ID of the Luna HSM (AES) key to be uploaded.• If source_key_tier is external-cm, this parameter is the ID of the external CipherTrust Manager key to be uploaded. |
| aws_param | JSON | AWS key parameters such as alias, description, and usage. Refer to AWS Key Parameters for details. |
| external_accounts | array of strings | AWS accounts that can use this key. |
| key_admins | array of strings | IAM users who can administer this key using the KMS API. |
| key_admins_roles | array of strings | IAM roles that can administer this key using the KMS API. |
| key_users | array of strings | IAM users who can use this key in cryptographic operations. |
| key_users_roles | array of strings | IAM roles that can use the CMK in cryptographic operations. |
| policytemplate | string | ID of the policy template to apply. Note: When a policy template is applied to an AWS key, CCKM adds the template tag ( cckm_policy_template_id) to the key. Do not modify or delete this tag on the AWS cloud. |
Note
Specify Policy, policytemplate, or one of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.
AWS Key Parameters
| Parameter | Type | Description |
|---|---|---|
| Alias | string | Alias of the key. |
| BypassPolicyLockoutSafetyCheck | boolean | Flag to bypass the key policy lockout safety check. |
| Description | string | Description of the key. |
| MultiRegion | boolean | Whether the key can be replicated in multiple AWS regions. The base key will be referred to as the multi-region primary key. Set to true to allow key replication in multiple regions. |
| Policy | string | Key policy to attach to the CMK. |
| Tags | array of JSONs | An optional parameter to add additional information to the key. The value must be specified as the key-value pair. CCKM allows the following characters in tag values: • Alphanumeric characters • Special characters ** _ . / = + - @ ** |
| ValidTo | string | Key expiration time, must be formatted as per RFC3339. |
Note
Specify Policy, policytemplate, or one of key_admins, key_users, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/upload-key' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNWMwZGJlNC1lMmJmLTQ3M2MtODY4MC01NWVkMWIzMDEzMmEiLCJzdWIiOiJsb2NhbHxhNjdjMzc0OC05YTRiLTRhZGQtYjNkOS0wNTRiYTIwYmUzYWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDhkNDI5ZjktNDgzYi00ODdlLWJjOTQtNGE1Mjc2ZDI2ZjZjIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjZlZWE0NWJlLTc5NTMtNGUzZS1iNWJjLWZlZDEwMmZhNGNiYSIsImlhdCI6MTYwNDU1OTMxOSwiZXhwIjoxNjA0NTU5NjE5fQ.8BNfjt82PmwBoIzFsUk2eh4AvWwrjZxRiewK9Hyp67A' -H 'Content-Type: application/json' --data-binary $'{\n "source_key_identifier": "test-key",\n "region": "ap-south-1",\n "kms": "kms",\n "aws_param": {\n "Alias": "test-upload-key-1",\n "Tags": [\n {\n "TagKey": "key",\n "TagValue": "value"\n }\n ]\n }\n}' --compressed
Example Response
{
"id": "02c40491-f5bd-4204-93f3-5f9077740116",
"uri": "kylo:kylo:cckm:aws-key:02c40491-f5bd-4204-93f3-5f9077740116",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T07:00:53.99845058Z",
"updatedAt": "2020-11-05T07:00:54.504758124Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T07:00:53.990295894Z",
"rotation_status": "",
"local_key_id": "361d928ac7e340d093e7d231c80ca934acc62528601647ce86a219c9a82f4f93",
"local_key_name": "test-key",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "cckm",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/a3d6b6ab-e953-45f7-8275-e915277f5ee2",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "a3d6b6ab-e953-45f7-8275-e915277f5ee2",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "EXTERNAL",
"CreationDate": "2020-11-05T07:00:41Z",
"Policy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
},
"Alias": [
"alias/test-upload-key-1"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false,
"ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"
}
}
The sample output shows that a key (with alias test-upload-key-1) is uploaded to the AWS KMS. As the key is not created on the AWS KMS, its origin is EXTERNAL. A unique ID (02c40491-f5bd-4204-93f3-5f9077740116) for the uploaded key is returned.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
