Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Key Life Cycle Management APIs

Uploading Keys to AWS KMS

search

Please Note:

You are not viewing the most recent version of this page. 2.19 is the latest version available.

print

Uploading Keys to AWS KMS

Use the post /v1/cckm/aws/upload-key API to upload a key created on the CipherTrust Manager to the AWS KMS.

copy link to clipboardSyntax

curl -k '<IP>/api/v1/cckm/aws/upload-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "source_key_tier": "<source_key_tier>",\n  "source_key_identifier": "<source_key_identifier>",\n  "region": "<region>",\n  "kms": "<kms_identifier>",\n  "KeyExpiration": <boolean>,\n  "aws_param": {<aws parameters>}' --compressed

copy link to clipboardRequest Parameters

ParameterTypeDescription
AUTHTOKENstringAuthorization token.
kmsstringName or ID of the KMS where the key will be uploaded.
regionstringName of the region.
source_key_tierstringTier of the source. Possible options are:
local for CipherTrust Manager (default)
dsm for Data Security Manager
hsm-luna for Luna HSM (FM-enabled Luna HSM is not supported as a key source)
external-cm for external CipherTrust Manager
source_key_identifierstringName or ID of the key to be uploaded.
• If source_key_tier is local, this is the ID of the CipherTrust Manager key to be uploaded.
• If source_key_tier is dsm, this parameter is the ID of the DSM key key to be uploaded.
• If source_key_tier is hsm-luna, this parameter is the ID of the Luna HSM (AES) key to be uploaded.
• If source_key_tier is external-cm, this parameter is the ID of the external CipherTrust Manager key to be uploaded.
aws_paramJSONAWS key parameters such as alias, description, and usage. Refer to AWS Key Parameters for details.
external_accountsarray of stringsAWS accounts that can use this key.
key_adminsarray of stringsIAM users who can administer this key using the KMS API.
key_admins_rolesarray of stringsIAM roles that can administer this key using the KMS API.
key_usersarray of stringsIAM users who can use this key in cryptographic operations.
key_users_rolesarray of stringsIAM roles that can use the CMK in cryptographic operations.
policytemplatestringID of the policy template to apply.
Note: When a policy template is applied to an AWS key, CCKM adds the template tag (cckm_policy_template_id) to the key. Do not modify or delete this tag on the AWS cloud.

Note

Specify Policy, policytemplate, or one of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.

copy link to clipboardAWS Key Parameters

ParameterTypeDescription
AliasstringAlias of the key.
BypassPolicyLockoutSafetyCheckbooleanFlag to bypass the key policy lockout safety check.
DescriptionstringDescription of the key.
MultiRegionbooleanWhether the key can be replicated in multiple AWS regions. The base key will be referred to as the multi-region primary key. Set to true to allow key replication in multiple regions.
PolicystringKey policy to attach to the CMK.
Tagsarray of JSONsAn optional parameter to add additional information to the key. The value must be specified as the key-value pair. CCKM allows the following characters in tag values:
• Alphanumeric characters
• Special characters ** _ . / = + - @ **
ValidTostringKey expiration time, must be formatted as per RFC3339.

Note

Specify Policy, policytemplate, or one of key_admins, key_users, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.

copy link to clipboardExample Request

curl -k 'https://127.0.0.1/api/v1/cckm/aws/upload-key' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNWMwZGJlNC1lMmJmLTQ3M2MtODY4MC01NWVkMWIzMDEzMmEiLCJzdWIiOiJsb2NhbHxhNjdjMzc0OC05YTRiLTRhZGQtYjNkOS0wNTRiYTIwYmUzYWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDhkNDI5ZjktNDgzYi00ODdlLWJjOTQtNGE1Mjc2ZDI2ZjZjIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjZlZWE0NWJlLTc5NTMtNGUzZS1iNWJjLWZlZDEwMmZhNGNiYSIsImlhdCI6MTYwNDU1OTMxOSwiZXhwIjoxNjA0NTU5NjE5fQ.8BNfjt82PmwBoIzFsUk2eh4AvWwrjZxRiewK9Hyp67A' -H 'Content-Type: application/json' --data-binary $'{\n  "source_key_identifier": "test-key",\n  "region": "ap-south-1",\n  "kms": "kms",\n  "aws_param": {\n    "Alias": "test-upload-key-1",\n    "Tags": [\n   {\n "TagKey": "key",\n "TagValue": "value"\n  }\n ]\n  }\n}' --compressed

copy link to clipboardExample Response

{
"id": "02c40491-f5bd-4204-93f3-5f9077740116",
"uri": "kylo:kylo:cckm:aws-key:02c40491-f5bd-4204-93f3-5f9077740116",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T07:00:53.99845058Z",
"updatedAt": "2020-11-05T07:00:54.504758124Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T07:00:53.990295894Z",
"rotation_status": "",
"local_key_id": "361d928ac7e340d093e7d231c80ca934acc62528601647ce86a219c9a82f4f93",
"local_key_name": "test-key",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "cckm",
"aws_param": {
    "AWSAccountId": "123456789012",
    "Arn": "arn:aws:kms:ap-south-1:123456789012:key/a3d6b6ab-e953-45f7-8275-e915277f5ee2",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "Enabled": true,
    "EncryptionAlgorithms": [
        "SYMMETRIC_DEFAULT"
    ],
    "KeyID": "a3d6b6ab-e953-45f7-8275-e915277f5ee2",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "EXTERNAL",
    "CreationDate": "2020-11-05T07:00:41Z",
    "Policy": {
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::123456789012:root"
                },
                "Action": "kms:*",
                "Resource": "*"
            }
        ]
    },
    "Alias": [
        "alias/test-upload-key-1"
    ],
    "Tags": [
        {
            "TagKey": "key",
            "TagValue": "value"
        }
    ],
    "KeyRotationEnabled": false,
    "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"
}
}

The sample output shows that a key (with alias test-upload-key-1) is uploaded to the AWS KMS. As the key is not created on the AWS KMS, its origin is EXTERNAL. A unique ID (02c40491-f5bd-4204-93f3-5f9077740116) for the uploaded key is returned.

To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.

copy link to clipboardResponse Codes

Response CodeDescription
2xxSuccess
4xxClient errors
5xxServer errors

Refer to HTTP status codes for details.

On this page