Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Google Cloud Key APIs

Uploading a New Key to Google Cloud

search

Please Note:

Uploading a New Key to Google Cloud

Use the post /v1/cckm/google/upload-key API to create a new key on a key source (CipherTrust Manager, DSM, or Luna HSM) and upload it to Google Cloud.

Syntax

curl -k '<IP>/api/v1/cckm/google/upload-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "key_ring": "<key_ring>",\n  "source_key_id": "<source_key_id>",\n  "source_key_tier": "<source_key_tier>",\n  "gcp_key_params": {\n    "key_name": "<key_name>",\n    "purpose": "<purpose>",\n    "protection_level": "<protection_level>",\n    "algorithm": "<algorithm>",\n    "labels": {\n      "<key>": "<value>"\n    }\n  }\n}' --compressed

Request Parameters

ParameterTypeDescription
AUTHTOKENstringAuthorization token.
gcp_key_paramsJSONParameters to specify properties of the Google Cloud key. Refer to Google Cloud Key Parameters for details.
key_ringstringID or resource URL of the Google Cloud key ring where the key is to be created.
source_key_idstringID of the key that will be uploaded from a key source.
source_key_tierstringKey source from where the key will be uploaded. The key source can be:
• local: CipherTrust Manager
• dsm: Data Security Manager (DSM)
• hsm-luna: Luna HSM

Google Key Parameters

ParameterTypeDescription
algorithmstringAlgorithm for the Google Cloud key. The supported algorithms are:
• RSA_SIGN_PSS_2048_SHA256
• RSA_SIGN_PSS_3072_SHA256
• RSA_SIGN_PSS_4096_SHA256
• RSA_SIGN_PSS_4096_SHA512
• RSA_SIGN_PKCS1_2048_SHA256
• RSA_SIGN_PKCS1_3072_SHA256
• RSA_SIGN_PKCS1_4096_SHA256
• RSA_SIGN_PKCS1_4096_SHA512
• RSA_DECRYPT_OAEP_2048_SHA256
• RSA_DECRYPT_OAEP_3072_SHA256
• RSA_DECRYPT_OAEP_4096_SHA256
• RSA_DECRYPT_OAEP_4096_SHA512
• EC_SIGN_P256_SHA256
• EC_SIGN_P384_SHA384
• GOOGLE_SYMMETRIC_ENCRYPTION
key_namestringName for the Google Cloud key.
protection_levelstringProtection level for the Google Cloud key. The options are:
• SOFTWARE
• HSM
purposestringPurpose of the Google Cloud key. The options are:
• ENCRYPT_DECRYPT
• ASYMMETRIC_SIGN
• ASYMMETRIC_DECRYPT

Note

labels|string of JSON|Labels (tags) attached to the Google Cloud key in the form of key-value JSON pairs, for example, "isakey": "yes". For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.

next_rotation_time|string|Time when the Google Cloud key will be automatically rotated by Google Cloud KMS (symmetric key only). The time must be in the RFC3339 format, for example, "2022-07-31T17:18:37.085Z". rotation_period|string| (Symmetric keys only) Frequency at which the Google Cloud key will be automatically rotated by Google Cloud KMS. The frequency must be in the format "<duration>s", that is, duration in seconds terminated by s, for example, "360000s".

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/google/upload-key' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhOGY3N2IxZS1lOTY2LTQwMjEtODRjMC01YjZiNjAzMTBmOWEiLCJzdWIiOiJsb2NhbHwzM2Y5ZDFmNi04MjJiLTQ0NTItOGM4MC1mYzM0ZGYyZTI3OGQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiNjcyMjMzMDAtYjU2ZC00ZmVmLTkwMDEtZGE1NGY2ZDdiMzY4Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImFlZWY5ZmY4LThhYjctNDUyZS04YTE4LTQ3YTYxZDg0MzAwZSIsImlhdCI6MTYyMDIwMzYxMCwiZXhwIjoxNjIwMjAzOTEwfQ.eGWVMC1yUBYbUSxr22aBPdP2Tg257k7D_5galuus2qg' -H 'Content-Type: application/json' --data-binary $'{\n  "key_ring": "projects/gemalto-kyloeng/locations/global/keyRings/demo-key-ring",\n  "source_key_id": "test",\n  "source_key_tier": "local",\n  "gcp_key_params": {\n    "key_name": "test-doc-KeyUpload",\n    "purpose": "ENCRYPT_DECRYPT",\n    "protection_level": "SOFTWARE",\n    "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",\n    "labels": {\n      "isakey": "yesabel"\n    }\n  }\n}' --compressed

Example Response

{
    "id": "673c28bf-0b71-4473-bf90-a431e019df20",
    "uri": "kylo:kylo:cckm:gcp-keys:673c28bf-0b71-4473-bf90-a431e019df20",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2021-05-05T08:34:35.791980333Z",
    "updatedAt": "2021-05-05T08:34:35.790034216Z",
    "cloud_name": "",
    "key_id": "",
    "project_id": "",
    "location_id": "",
    "key_ring_id": "",
    "key_ring_name": "projects/gemalto-kyloeng/locations/global/keyRings/demo-key-ring",
    "gone": false,
    "auto_rotate": false,
    "status": "IN_PROGRESS",
    "gcp_params": {
        "name": "",
        "primary": "",
        "createTime": null,
        "purpose": "",
        "next_rotation_time": null,
        "protectionLevel": "",
        "algorithm": ""
    }
}

The sample output displays that a new Google Cloud key with the ID 673c28bf-0b71-4473-bf90-a431e019df20 is created and its upload is in "IN_PROGRESS".

Response Codes

Response CodeDescription
2xxSuccess
4xxClient errors
5xxServer errors

Refer to HTTP status codes for details.

On this page