Vault Management APIs
This chapter describes how CCKM manages Azure vaults.
Prerequisites
An Azure connection must already exist on the CipherTrust Manager. Refer to the CipherTrust Manager Administrator Guide for details on adding an Azure connection to the CipherTrust Manager.
Use the Azure vault management APIs to perform the following tasks:
Fetching List of Vaults from Azure
Use the post /v1/cckm/azure/get-vaults API to fetch the list of vaults from Azure.
Syntax
curl -k '<IP>/api/v1/cckm/azure/get-vaults' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "subscription_id":"<subscription_id>",\n "connection": "<connection identifier>",\n "limit":<limit>\n}' --compressed
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| connection | string | Name or ID of the connection. Connection name must be associated with the key vault to which it belongs. |
| subscription_id | string | Subscription ID of the vault. |
| limit | integer | Number of vaults to view. The default value is 10 and maximum value is 1000. |
| nextLink | string | Displays the remaining vaults left in the list. The limit to view the vaults is same as you set for the first time. For example, if there are 20 vaults and you set the limit to 11, then to view the remaining 9 vaults, you need to use nextLink. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/get-vaults' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIwMGY0MGI0Mi0xODIwLTQwYzEtYTEzZS1kN2YxYjZlY2MxYzIiLCJzdWIiOiJsb2NhbHxkZmM2ZTJlYS0yYTE2LTRlYTMtOGRhNC05ZWM0ZGNhYjA1YmMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMjcwODY3MTktNWUyYy00NWQxLWJlYmEtOWM3ZjU5YTdlNWMwIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjRlMWE4YjQ0LWM1ZGYtNGNhOS05OWU5LTkxOTE3MmU5MDI5MSIsImlhdCI6MTYwNDkxMzExNywiZXhwIjoxNjA0OTEzNDE3fQ.7q2fF3PQyP9AMNL62pBRE2bBg_yWO57wjWTY6m1y5a8' -H 'Content-Type: application/json' --data-binary $'{\n "subscription_id": "f716c603-f206-43ed-bb39-758d9d3aa052",\n "connection": "azure-connection",\n "limit": 2\n}' --compressed
Example Response
{
"vaults": [
{
"name": "vault-v1",
"azure_vault_id": "/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052/resourceGroups/key-vault/providers/Microsoft.KeyVault/vaults/vault-v1",
"type": "Microsoft.KeyVault/vaults",
"location": "westus",
"properties": {
"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"sku": {
"family": "A",
"name": "standard"
},
"vaultUri": "https://vault-v1.vault.azure.net/",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true
}
},
{
"name": "vault-v10-has-long-name",
"azure_vault_id": "/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052/resourceGroups/key-vault/providers/Microsoft.KeyVault/vaults/vault-v10-has-long-name",
"type": "Microsoft.KeyVault/vaults",
"location": "westus",
"properties": {
"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"sku": {
"family": "A",
"name": "standard"
},
"vaultUri": "https://vault-v10-has-long-name.vault.azure.net/",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true
}
}
],
"connection": "azure-connection",
"subscription_id": "f716c603-f206-43ed-bb39-758d9d3aa052",
"nextLink": "https://management.azure.com/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052/resources?%24filter=resourceType+eq+%27Microsoft.KeyVault%2fvaults%27&%24top=2&api-version=2015-11-01&%24skiptoken=eyJuZXh0UGFydGl0aW9uS2V5IjoiMSE4IU5VSTRNelUtIiwibmV4dFJvd0tleSI6IjEhMTMyIU1qWXdSVU5DUlRjM056ZENORVF6UXpnMFJVRTRPRGMyTWpBME9UZzROak5mVkVkT1RDMU5TVU5TVDFOUFJsUTZNa1ZMUlZsV1FWVk1WRG95UmxaQlZVeFVVeTFCUVVSV1FVdzZNa1JTUnkxQlFVUldRVXc2TWtSV01pMVhSVk5VVlZNLSJ9"
}
The sample output displays the list of Azure vaults associated with the Subscription ID (f716c603-f206-43ed-bb39-758d9d3aa052).
To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
Fetching List of Vaults from Managed HSM Pools from Azure
Use the post /v1/cckm/azure/get-managed-vaults API to fetch the list of vaults from Azure Managed HSM pools from Azure.
Syntax
curl -k '<IP>/api/v1/cckm/azure/get-managed-hsms' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "subscription_id":"<subscription_id>",\n "connection": "<connection identifier>",\n "limit":<limit>\n}' --compressed
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| connection | string | Name or ID of the connection. Connection name must be associated with the key vault to which it belongs. |
| subscription_id | string | Subscription ID of the vault stored inside an Azure Managed HSM pool. |
| limit | integer | Number of vaults to view. The default value is 10 and maximum value is 1000. |
| nextLink | string | Displays the remaining vaults left in the list. The limit to view the vaults is same as you set for the first time. For example, if there are 20 vaults and you set the limit to 11, then to view the remaining 9 vaults, you need to use nextLink. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/get-vaults' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIwMGY0MGI0Mi0xODIwLTQwYzEtYTEzZS1kN2YxYjZlY2MxYzIiLCJzdWIiOiJsb2NhbHxkZmM2ZTJlYS0yYTE2LTRlYTMtOGRhNC05ZWM0ZGNhYjA1YmMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMjcwODY3MTktNWUyYy00NWQxLWJlYmEtOWM3ZjU5YTdlNWMwIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjRlMWE4YjQ0LWM1ZGYtNGNhOS05OWU5LTkxOTE3MmU5MDI5MSIsImlhdCI6MTYwNDkxMzExNywiZXhwIjoxNjA0OTEzNDE3fQ.7q2fF3PQyP9AMNL62pBRE2bBg_yWO57wjWTY6m1y5a8' -H 'Content-Type: application/json' --data-binary $'{\n "subscription_id": "bb03157e-7aff-421b-a01d-267f9613f462",\n "connection": "azure-connection",\n "limit": 2\n}' --compressed
Example Response
{
"vaults": [
{
"name": "vault-name",
"azure_vault_id": "/subscriptions/bb03157e-7aff-421b-a01d-267f9613f462/resourceGroups/CCKM-resource/providers/Microsoft.KeyVault/managedHSMs/vault-name",
"type": "Microsoft.KeyVault/managedHSMs",
"location": "eastus2",
"properties": {
"tenantId": "2b0913e6-2c7b-45b8-8c56-c5e2e4ed27bf",
"sku": {
"family": "B",
"name": "Standard_B1"
},
"vaultUri": "https://vault-name.managedhsm.azure.net/",
"enableSoftDelete": true,
"softDeleteRetentionInDays": 7
}
}
],
"connection": "azure-connection",
"subscription_id": "bb03157e-7aff-421b-a01d-267f9613f462",
}
Adding Azure Vaults
Use the post /v1/cckm/azure/add-vaults API to add an Azure vault to the CCKM. After the vault is added, the CCKM can access and manage it.
Syntax
curl -k '<IP>/api/v1/cckm/azure/add-vaults' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "subscription_id": "<subscription_id>",\n "connection": "<connection_identifier>",\n "vaults": [\n "name": "<vault_name>",\n"azure_vault_id": "<vault_id>",\n"type": "<vault_type>",\n"location": "<location>",\n "properties": {\n"tenantId": "<tenant_id>",\n"sku": {\n"family": "<family>",\n"name": "<name>"\n},\n"vaultUri": "<vault_uri>",\n"enabledForDeployment": <boolean>,\n"enabledForDiskEncryption": <boolean>,\n"enabledForTemplateDeployment": <boolean>\n}\n ]\n}' --compressed
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| connection | string | Name or ID of the connection. |
| subscription_id | string | Azure subscription ID. |
| vaults | array of JSONs | Azure vault parameters. Refer to Azure Vault Parameters for details. |
Azure Vault Parameters
| Parameter | Type | Description |
|---|---|---|
| azure_vault_id | string | ID of the Azure vault. |
| location | string | Location of the Azure vault. |
| name | string | Name for the vault. |
| properties | JSON | Properties of the Azure vault. Refer to Vault Properties for details. |
| type | string | Type of the Azure vault - non-managed and managed HSM. Vaults stored in Azure Managed HSM pools only support HSM-protected keys. |
| tags | JSON | Tags for the Azure vault. |
Vault Properties
| Parameter | Type | Description |
|---|---|---|
| createMode | string | The vault's create mode to indicate whether the vault need to be recovered or not. Possible values are: • CreateModeRecover • CreateModeDefault |
| enablePurgeProtection | boolean | Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value. |
| enableRbacAuthorization | boolean | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions. |
| enableSoftDelete | boolean | Property to specify whether the soft delete functionality is enabled for this key vault. It does not accept the value false. |
| enabledForDeployment | boolean | Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. |
| enabledForDiskEncryption | boolean | Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. |
| enabledForTemplateDeployment | boolean | Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. |
| sku | JSON | sku details of the Azure vault. Refer to SKU Details for details. |
| softDeleteRetentionInDays | integer | Soft delete data retention days. It accepts value >=7 and <=90. |
| tenantId | string | The Azure Active Directory tenant ID that is used for authenticating requests to the key vault. |
| vaultUri | string | The URI of the Azure vault for performing operations on keys and secrets. |
SKU Details
| Parameter | Type | Description |
|---|---|---|
| family | string | SKU family name of the Azure vault. |
| name | string | SKU name to specify whether the key vault is a standard vault or a premium vault. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/add-vaults' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIwMGY0MGI0Mi0xODIwLTQwYzEtYTEzZS1kN2YxYjZlY2MxYzIiLCJzdWIiOiJsb2NhbHxkZmM2ZTJlYS0yYTE2LTRlYTMtOGRhNC05ZWM0ZGNhYjA1YmMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMjcwODY3MTktNWUyYy00NWQxLWJlYmEtOWM3ZjU5YTdlNWMwIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjRlMWE4YjQ0LWM1ZGYtNGNhOS05OWU5LTkxOTE3MmU5MDI5MSIsImlhdCI6MTYwNDkxMzExNywiZXhwIjoxNjA0OTEzNDE3fQ.7q2fF3PQyP9AMNL62pBRE2bBg_yWO57wjWTY6m1y5a8' -H 'Content-Type: application/json' --data-binary $'{\n "subscription_id": "f716c603-f206-43ed-bb39-758d9d3aa052",\n "connection": "azure-connection",\n "vaults": [\n {\n"name": "vault-v1",\n"azure_vault_id": "/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052/resourceGroups/key-vault/providers/Microsoft.KeyVault/vaults/vault-v1",\n"type": "Microsoft.KeyVault/vaults",\n"location": "westus",\n"properties": {\n"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",\n"sku": {\n"family": "A",\n"name": "standard"\n},\n"vaultUri": "https://vault-v1.vault.azure.net/",\n"enabledForDeployment": true,\n"enabledForDiskEncryption": true,\n"enabledForTemplateDeployment": true\n}\n}\n ]\n}' --compressed
Example Response
{
"id": "75e916da-1f31-4c9d-b3d8-04f52c268a0a",
"uri": "kylo:kylo:cckm:subscription:75e916da-1f31-4c9d-b3d8-04f52c268a0a",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-09T09:00:43.167607Z",
"updatedAt": "2020-11-09T09:13:19.116352114Z",
"subscription_id": "f716c603-f206-43ed-bb39-758d9d3aa052",
"subscription_uri": "/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052",
"displayName": "Pay-As-You-Go",
"state": "Enabled",
"subscriptionPolicies": {
"quotaId": "PayAsYouGo_2014-09-01",
"spendingLimit": "Off",
"locationPlacementId": "Public_2014-09-01"
},
"authorizationSource": "RoleBased",
"connection": "azure-connection",
"vaults": [
{
"name": "vault-v1::f716c603-f206-43ed-bb39-758d9d3aa052",
"azure_vault_id": "/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052/resourceGroups/key-vault/providers/Microsoft.KeyVault/vaults/vault-v1",
"type": "Microsoft.KeyVault/vaults",
"location": "westus",
"properties": {
"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"sku": {
"family": "A",
"name": "standard"
},
"vaultUri": "https://vault-v1.vault.azure.net/",
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true
}
}
]
}
The sample output shows that the vault named vault-v1 is added to CCKM.
To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
Removing Azure Vaults
Use the delete /v1/cckm/azure/vaults/{id}/remove-vault API to delete an Azure vault from the CCKM.
Syntax
curl -k '<IP>/api/v1/cckm/azure/vaults/{id}/remove-vault' -X POST -H 'Authorization:
Bearer AUTHTOKEN' --compressed
Here, {id} represents the vault ID.
Request Parameter
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/vaults/543e3f50-aac1-4e07-8499-
e5de03a22528/remove-vault' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc 3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4 iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImExMTZkZWEwLTk0YWUtNDgyNi05M jI4LWI4ZjgwNWM3YjYxYyIsImlhdCI6MTYwMTQ1OTk0OCwiZXhwIjoxNjAxNDYwMjQ4fQ.s1obwpA_ZgDbd8wCO2CXyvbUlZ8AvZ9cgipyfOmksuI' --compressed
Example Response
{
"status": 204
}
The sample output shows that the vault (with ID 543e3f50-aac1-4e07-8499-e5de03a22528) is deleted successfully from the CCKM and "status": 204 is returned in response.
To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
Fetching List of Azure Vaults from CCKM
Use the get /v1/cckm/azure/vaults API to fetch the list of Azure vaults that are already exists on the CCKM. The results can be filtered using the query parameters.
Syntax
curl -k '<IP>/api/v1/cckm/azure/vaults?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Request Parameter
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
Request Query Parameters
| Parameter | Type | Description |
|---|---|---|
| name | string | Name of the Azure vault. |
| location | string | Location of the Azure vault. |
| id | string | ID of the key vault. |
| subscription_id | string | ID of the Azure vault subscription. |
| cloud_name | string | Name of the cloud. |
| subscription_id | string | ID of the Azure vault subscription. |
| subscription_name | string | Name of the Azure subscription. |
| type | string | Type of the Azure vault - non-managed and managed HSM. |
| skip | integer | Number of records to skip. For example, if "skip":5 is specified, the first five records will not be displayed in the output. |
| limit | integer | Numbers of records to display. For example, if "limit":10 is specified, then the next 10 records (after skipping the number of records specified in skip parameter) will be displayed in the output. |
| sort | string | Comma-delimited list of properties to sort the results. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/vaults?skip=0&limit=10&sort=updatedAt' -
H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3 MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb2 1haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAw MDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImExMTZkZWEwLTk0YWUtNDgyNi05MjI4LWI4ZjgwNWM3YjYxYyIsImlhdCI6MTYwMTQ1OTk0OCwiZXhwIjoxNjAxNDYwMjQ4fQ.s1obwpA_ZgDbd8wCO2CXyvbUlZ8AvZ9cgipyfOmksuI' --compressed
Example Response
{
"id": "543e3f50-aac1-4e07-8499-e5de03a22528",
"uri": "kylo:kylo:cckm:azure-vault:keyvault-premium::12e533dd-b5c2-
4e58-a264-0cd812dc5a34",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T09:59:12.030403Z",
"name": "keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"updatedAt": "2020-09-30T09:59:12.030403Z",
"azure_vault_id": "/subscriptions/12e533dd-b5c2-4e58-a264-0cd812dc5a34/
resourceGroups/CCKM-resource/providers/Microsoft.KeyVault/vaults/
keyvault-premium",
"type": "Microsoft.KeyVault/vaults",
"location": "northcentralus",
"connection": "azure-connection",
"cloud_name": "AzureCloud",
"subscription_id": "12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"azure_name": "keyvault-premium",
"synced_at": "2020-09-30T09:59:11.991824Z",
"subscription_name": "Pay-As-You-Go",
"properties": {
"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"sku": {
"family": "A",
"name": "premium"
},
"vaultUri": "https://keyvault-premium.vault.azure.net/"
}
},
{
"id": "bedb82b9-582c-402d-9874-f3368722cf46",
"uri": "kylo:kylo:cckm:azure-vault:keyvault-softkeys::12e533dd-b5c2-4e58-
a264-0cd812dc5a34",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T09:59:12.034062Z",
"name": "keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"updatedAt": "2020-09-30T09:59:12.034062Z",
"azure_vault_id": "/subscriptions/12e533dd-b5c2-4e58-a264-0cd812dc5a34/
resourceGroups/CCKM-resource/providers/Microsoft.KeyVault/vaults/
keyvault-softkeys",
"type": "Microsoft.KeyVault/vaults",
"location": "northcentralus",
"connection": "azure-connection",
"cloud_name": "AzureCloud",
"subscription_id": "12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"azure_name": "keyvault-softkeys",
"azure_name": "keyvault-softkeys",
"synced_at": "2020-09-30T09:59:11.991883Z",
"subscription_name": "Pay-As-You-Go",
"properties": {
"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"sku": {
"family": "A",
"name": "Standard"
},
"vaultUri": "https://keyvault-softkeys.vault.azure.net/",
"enableSoftDelete": true
}
}
]
}
The sample output shows the list of vaults.
To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
Viewing Details of Azure Vaults
Use the get /v1/cckm/azure/vaults/{id} API to view details of an Azure vault.
Syntax
curl -k '<IP>/api/v1/cckm/azure/vaults/{id}' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} is the vault ID.
Request Parameter
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/vaults/543e3f50-aac1-4e07-8499-
e5de03a22528' -H 'Authorization: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3
MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc
3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb2
1haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4
iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAw
MDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjlmYzczODkyLWEyNDItNGVjMS1hZ
TQ4LWJkMTY4MzY0MTExZCIsImlhdCI6MTYwMTQ2MDI0MywiZXhwIjoxNjAxNDYwNTQzfQ.OkGRkc0O1U6-
geWnhgKISWn0cZeY2gFvnWnzWms5JmQ' --compressed
Example Response
{
"id": "543e3f50-aac1-4e07-8499-e5de03a22528",
"uri": "kylo:kylo:cckm:azure-vault:keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T09:59:12.030403Z",
"name": "keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"updatedAt": "2020-09-30T09:59:12.030403Z",
"azure_vault_id": "/subscriptions/12e533dd-b5c2-4e58-a264-0cd812dc5a34/resourceGroups/
CCKM-resource/providers/Microsoft.KeyVault/vaults/keyvault-premium",
"type": "Microsoft.KeyVault/vaults",
"location": "northcentralus",
"connection": "azure-connection",
"cloud_name": "AzureCloud",
"subscription_id": "12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"azure_name": "keyvault-premium",
"synced_at": "2020-09-30T09:59:11.991824Z",
"subscription_name": "Pay-As-You-Go",
"properties": {
"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"sku": {
"family": "A",
"name": "premium"
},
"vaultUri": "https://keyvault-premium.vault.azure.net/"
}
}
The sample output shows the details corresponding to the vault (with ID 543e3f50-aac1-4e07-8499-e5de03a22528).
To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
Updating Azure Vaults
Use the patch /v1/cckm/azure/vaults/{id} API to update details of an Azure vault.
Note
You can only update the connection parameter for an Azure vault.
Syntax
curl -k '<IP>/api/v1/cckm/azure/vaults/5{id}' -X PATCH -H 'Authorization: Bearer
AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "connection":
"<connection_name>"\n}' --compressed
Here, {id} is the vault ID.
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| connection | string | Name or ID of the connection. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/vaults/543e3f50-aac1-4e07-8499-
e5de03a22528' -X PATCH -H 'Authorization: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI0NjE0MWIyYi04MGVkLTQyMmEtYTY4Yy1jZmMw
MWIzNTQ5NzciLCJzdWIiOiJsb2NhbHxhNjg4YjAwNC0zNTc1LTQzM2EtODYzOC0wMTNiYTJhYzFmNjQiLCJpc
3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb2
1haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4
iXSwic2lkIjoiY2I2NjkwM2EtOTgyMy00NTExLTgyYmYtYzJmMzAzZmU5OTJlIiwiem9uZV9pZCI6IjAwMDAw
MDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjM0NjBhNTYzLTlmMTAtNDkyYS05N
jEwLWRhNmI3YWRlMWU2NCIsImlhdCI6MTYwMTg4NjYxOSwiZXhwIjoxNjAxODg2OTE5fQ.I4n_NBNmd-
61o59ULm8g9Hyh1dSMQow_UaQQgqtqgiA' -H 'Content-Type: application/json' --data-binary
$'{\n "connection": "azure-connection2"\n}' --compressed
Example Response
{
"id": "543e3f50-aac1-4e07-8499-e5de03a22528",
"uri": "kylo:kylo:cckm:azure-vault:keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T09:59:12.030403Z",
"name": "keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"updatedAt": "2020-09-30T09:59:12.030403Z",
"azure_vault_id": "/subscriptions/12e533dd-b5c2-4e58-a264-0cd812dc5a34/resourceGroups/
CCKM-resource/providers/Microsoft.KeyVault/vaults/keyvault-premium",
"type": "Microsoft.KeyVault/vaults",
"location": "northcentralus",
"connection": "azure-connection2",
"cloud_name": "AzureCloud",
"subscription_id": "12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"azure_name": "keyvault-premium",
"synced_at": "2020-09-30T09:59:11.991824Z",
"subscription_name": "Pay-As-You-Go",
"properties": {
"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"sku": {
"family": "A",
"name": "premium"
},
"vaultUri": "https://keyvault-premium.vault.azure.net/"
}
}
The sample output shows that connection parameter for the vault (with ID 543e3f50-aac1-4e07-8499-e5de03a22528) is updated to azure-connection2.
To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
Managing User Permissions on Azure Vaults
Use the post /v1/cckm/azure/vaults/{id}/update-acls API to grant permissions to users to perform specific actions on the Azure vaults.
For the first time users, actions are permitted as configured by the CCKM administrator. However, if the permissions of a user need to be modified later, for example, a new action is to be permitted or an existing action is to be revoked, the CCKM administrator needs to set that particular action to true or false.
For example, a user or group is permitted actions, keycreate, keyupdate, and keypurge. Now, to permit one more action keydelete to the user or group, set "permit":true and "actions": "keydelete" and run the API. Similarly, now to deny permission to the action keycreate, set "permit":false, "actions": "keycreate", and run the API.
Syntax
curl -k '<IP>/api/v1/cckm/azure/vaults/{id}/update-acls' -H 'Authorization: Bearer
AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n\n "group":
"<group>",\n "permit": <boolean>,\n "actions": [actions]\n}' --compressed
Here, {id} represents the vault ID.
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| actions | array of strings | Permitted actions on the Azure vault. Refer to APIs and Action Mapping for the supported actions and details. |
| group | string | Name of the group to be granted permissions. |
| permit | boolean | Flag to permit users to perform specific actions on the Azure vault. Set to true to permit, false to deny. |
| user_id | string | ID of the user to be granted permissions. |
Note
User ID and group are mutually exclusive – specify either of the two.
APIs and Action Mapping
The following table lists the mapping of APIs and actions required to call these APIs.
| APIs | Actions Required | Description |
|---|---|---|
| Create | keycreate | Permission to create an Azure key. |
| Recover | keyrecover | Permission to recover a soft-deleted Azure key. |
| Purge | keypurge | Permission to permanently delete the Azure key. |
| Soft Delete | keydelete | Permission to soft delete an Azure key from the vault. |
| Upload | keyupload | Permission to upload the CipherTrust Manager key to Azure. |
| Synchronize | keysynchronize | Permission to synchronize Azure keys. |
| Cancel | keysynchronize | Permission to cancel the synchronization job. |
| Restore | keyrestore | Permission to restore a backed up key to a vault. |
| Update | keyupdate | Permission to updates the key attributes, tags and key operations. |
| List | view | Permission to view vaults and its keys. |
| Get (Azure Keys) | view | Permission to get the details of an Azure key with the given id. |
| List Vaults | view | Permission to view vaults and its keys. |
| Get (Azure Vaults) | view | Permission to get the details of the Azure vault with the given id. |
| Delete Backup | deletebackup | Permission to deletes an Azure key and its versions from the CCKM. |
| Create Secret | secretcreate | Permission to create an Azure secret. |
| Recover Secret | secretrecover | Permission to recover a soft-deleted Azure secret. |
| Purge Secret | secretpurge | Permission to permanently delete the Azure secret. |
| Soft Delete Secret | secretdelete | Permission to soft delete an Azure secret from the vault. |
| Synchronize Secret | secretsynchronize | Permission to synchronize Azure secrets. |
| Cancel Synchronize Secret | secretsynchronize | Permission to cancel the synchronization job. |
| Restore Secret | secretrestore | Permission to restore a backed up secret to a vault. |
| Update Secret | secretupdate | Permission to updates the Certificate attributes, and tags. |
| Delete Backup | secretdeletebackup | Permission to deletes an Azure secret and its versions from the CCKM. |
| Get (Azure Secrets) | secretview | Permission to get the details of an Azure secret with the given id. |
| List | secretview | Permission to view secrets of a vault. |
| Create Certificate | certificatecreate | Permission to create an Azure Certificate. |
| Recover Certificate | certificaterecover | Permission to recover a soft-deleted Azure Certificate. |
| Purge Certificate | certificatepurge | Permission to permanently delete the Azure Certificate. |
| Soft Delete Certificate | certificatedelete | Permission to soft delete an Azure Certificates from the vault. |
| Synchronize Certificate | certificatesynchronize | Permission to synchronize Azure Certificates. |
| Cancel Synchronize Certificate | certificatesynchronize | Permission to cancel the Certificates synchronization job. |
| Restore Certificate | certificaterestore | Permission to restore a backed up Certificate to a vault. |
| Update Certificate | certificateupdate | Permission to updates the Certificate attributes, and tags. |
| Delete Backup | certificatedeletebackup | Permission to deletes an Azure Certificate and its versions from the CCKM. |
| Get (Azure Certificates) | certificateview | Permission to get the details of an Azure Certificate with the given id. |
| List | certificateview | Permission to view Certificates of a vault. |
| Upload (Azure Certificates) | certificateupload | Permission to upload the CipherTrust Manager certificate to Azure. |
| Create Report | reportcreate | Permission to create a report. |
| Delete Report | reportdelete | Permission to delete a report. |
| Download Report | reportdownload | Permission to download a report. |
| View Report | reportview | Permission to view the content of a report. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/azure/vaults/543e3f50-aac1-4e07-8499-
e5de03a22528/update-acls' -H 'Authorization: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI0NjE0MWIyYi04MGVkLTQyMmEtYTY4Yy1jZmMw
MWIzNTQ5NzciLCJzdWIiOiJsb2NhbHxhNjg4YjAwNC0zNTc1LTQzM2EtODYzOC0wMTNiYTJhYzFmNjQiLCJpc
3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb2
1haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4
iXSwic2lkIjoiY2I2NjkwM2EtOTgyMy00NTExLTgyYmYtYzJmMzAzZmU5OTJlIiwiem9uZV9pZCI6IjAwMDAw
MDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjFlYTQxOTMxLWVjNDUtNGIyZS1hN
TM1LTcyMWIyZWM0NjcwYyIsImlhdCI6MTYwMTg5MDI0MywiZXhwIjoxNjAxODkwNTQzfQ._r1U5EsgJu1kSs_
JFbjjZp-Tb7eEMqHkWP6bf98DQto' -H 'Content-Type: application/json' --data-binary $'
{\n\n "group": "CCKM Users",\n "permit": true,\n "actions":
["view","keycreate"]\n}' --compressed
Example Response
{
"id": "543e3f50-aac1-4e07-8499-e5de03a22528",
"uri": "kylo:kylo:cckm:azure-vault:keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-30T09:59:12.030403Z",
"name": "keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"updatedAt": "2020-09-30T10:09:08.492827686Z",
"azure_vault_id": "/subscriptions/12e533dd-b5c2-4e58-a264-0cd812dc5a34/resourceGroups/
CCKM-resource/providers/Microsoft.KeyVault/vaults/keyvault-premium",
"type": "Microsoft.KeyVault/vaults",
"location": "northcentralus",
"connection": "azure-connection",
"acls": [
{
"group": "CCKM Users",
"actions": [
"view",
"keycreate"
]
}
],
"cloud_name": "AzureCloud",
"subscription_id": "12e533dd-b5c2-4e58-a264-0cd812dc5a34",
"azure_name": "keyvault-premium",
"synced_at": "2020-09-30T09:59:11.991824Z",
"subscription_name": "Pay-As-You-Go",
"properties": {
"tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
"sku": {
"family": "A",
"name": "premium"
},
"vaultUri": "https://keyvault-premium.vault.azure.net/"
}
}
The sample output shows that the group (CCKM Users) is granted permissions to perform the view and keycreateoperations on the Azure vault.
To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
After the permissions are configured on the Azure vault, use the get /v1/cckm/azure/vaults/{id} API to view the details of the Azure vault with the list of actions a user or group can perform on the Azure vault.
