Policy Template Management APIs
A default policy template is attached to AWS keys. With CCKM, you can create and attach custom policy templates to AWS keys. This section describes the CCKM policy template management APIs for AWS.
Creating Policy Templates
Use the post /v1/cckm/aws/templates API to create an AWS key policy template on CCKM. When creating a key policy template, you can specify the policy parameters according to your requirements.
Syntax
```bash
curl -k '<IP>/api/v1/cckm/aws/templates' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "kms": "<kms-name>",\n "key_users": ["<key-user>"]\n}' --compressed
```
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
kms | string | Name or ID of the KMS. |
policy | JSON | Key policy attached to the key. Refer to Using key policies in AWS KMS for details. |
external_accounts | array of strings | AWS accounts that can use this key. |
key_admins | array of strings | IAM users who can administer this key using the KMS API. |
key_users | array of strings | IAM users who can use this key in cryptographic operations. |
Note
policy, external_accounts, key_admins, and key_users are mutually exclusive. Specify either policy or any one of external_accounts, key_admins, or key_users. If none of these parameters is specified, the default policy is used.
Example Request
```bash
curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiMzUwZGQzOS1lNmEzLTQzNmItYjcyNi05YjlmNmNkMzVjZjciLCJzdWIiOiJsb2NhbHw4YTQ1MGNjZS02MGY4LTQxZTYtYTZkNS0xMTVkNDYzNDk5ZjUiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDk0NGUzZjctYzcyNi00YTQ1LThjY2YtMDk5ZTg0Zjg1NzU2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjNjMmFlMjA1LTYzZjMtNDgxNS1iYWVjLWU1NDBmOTE2ZTU1YSIsImlhdCI6MTYyMjE4NzgyMywiZXhwIjoxNjIyMTg4MTIzfQ.d2rAAQI-VP_xObiBDLCUh8A7M1LUxZhVfnIk87_3fIU' -H 'Content-Type: application/json' --data-binary $'{\n "kms": "kms",\n "key_users": ["cckm-user"]\n}' --compressed
```
Example Response
```json
{
  "id": "d16c6b36-3894-40f5-9387-44e0cfe26d65",
  "uri": "kylo:kylo:cckm:aws-template:d16c6b36-3894-40f5-9387-44e0cfe26d65",
  "account": "kylo:kylo:admin:accounts:kylo",
  "application": "ncryptify:gemalto:admin:apps:kylo",
  "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
  "createdAt": "2021-05-28T07:45:27.466789159Z",
  "updatedAt": "2021-05-28T07:45:27.464931181Z",
  "key_users": [
    "cckm-user"
  ],
  "policy": {
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Enable IAM UserName Permissions",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "arn:aws:iam::556782317223:root"
          ]
        },
        "Action": [
          "kms:*"
        ],
        "Resource": "*"
      },
      {
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "arn:aws:iam::556782317223:user/cckm-user"
          ]
        },
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ],
        "Resource": "*"
      },
      {
        "Sid": "Allow attachment of persistent resources",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "arn:aws:iam::556782317223:user/cckm-user"
          ]
        },
        "Action": [
          "kms:CreateGrant",
          "kms:ListGrants",
          "kms:RevokeGrant"
        ],
        "Resource": "*",
        "Condition": {
          "Bool": {
            "kms:GrantIsForAWSResource": "true"
          }
        }
      }
    ]
  },
  "kms": "kms"
}
```
The sample output shows that an AWS key policy template with the unique ID d16c6b36-3894-40f5-9387-44e0cfe26d65 has been created for the AWS KMS named kms. The response also shows the key policy CCKM generated from key_users: the account root retains kms:*, and cckm-user receives the usage and grant permissions.
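The following is an added example, not code from the CCKM documentation or from Thales. It builds the request body for the create call while enforcing the mutual-exclusivity rule from the Note (read literally: at most one of policy, external_accounts, key_admins, key_users), and then reviews the key policy that comes back in the response against the shape shown above: the account root keeps kms:*, only the named key users appear as non-root principals, their actions stay within the usage and grant sets, and grant actions carry the kms:GrantIsForAWSResource condition. ACCOUNT_ID and SAMPLE_POLICY are copied from the sample response; create_template is a hypothetical requests wrapper for the curl call and is not part of the page.

```python
"""Added example, not from the CCKM documentation or Thales code. Builds a
POST /v1/cckm/aws/templates body under the Note's mutual-exclusivity rule and
reviews the key policy CCKM returns (shape taken from the sample response).
ACCOUNT_ID/SAMPLE_POLICY are copied from the page; create_template is a
hypothetical HTTP wrapper and is an assumption."""
import json

# Actions the page's sample policy grants to key users and for grant handling.
USER_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"}
GRANT_ACTIONS = {"kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"}


def build_template_body(kms, policy=None, external_accounts=None,
                        key_admins=None, key_users=None):
    """Return the request body. Following the Note literally, policy,
    external_accounts, key_admins and key_users are mutually exclusive, so at
    most one may be given; giving none selects the default policy."""
    given = {name: value for name, value in {
        "policy": policy, "external_accounts": external_accounts,
        "key_admins": key_admins, "key_users": key_users}.items() if value}
    if len(given) > 1:
        raise ValueError("mutually exclusive parameters: " + ", ".join(sorted(given)))
    body = {"kms": kms}
    body.update(given)
    return body


def _as_set(value):
    """Normalise a policy field that may be a string, a list or absent."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def _principals(stmt):
    """AWS principals of a statement as a set ('*' counts as one principal)."""
    prin = stmt.get("Principal", {})
    return _as_set(prin.get("AWS") if isinstance(prin, dict) else prin)


def review_policy(policy, account_id, key_users):
    """Return a list of findings for a returned key policy; [] means all checks passed."""
    root = f"arn:aws:iam::{account_id}:root"
    expected_users = {f"arn:aws:iam::{account_id}:user/{u}" for u in key_users}
    statements = policy.get("Statement", [])
    findings = []
    # 1. The account root must keep kms:*; otherwise the key can become unmanageable.
    if not any(s.get("Effect") == "Allow" and root in _principals(s)
               and "kms:*" in _as_set(s.get("Action")) for s in statements):
        findings.append("no Allow statement grants kms:* to the account root")
    for s in statements:
        sid = s.get("Sid", "<no Sid>")
        principals, actions = _principals(s), _as_set(s.get("Action"))
        if s.get("Effect") != "Allow" or principals <= {root}:
            continue
        # 2. Only the listed key users may appear as non-root principals.
        unexpected = principals - expected_users - {root}
        if unexpected:
            findings.append(f"{sid}: unexpected principals {sorted(unexpected)}")
        # 3. Non-root statements stay within the usage and grant action sets.
        extra = actions - USER_ACTIONS - GRANT_ACTIONS
        if extra:
            findings.append(f"{sid}: unexpected actions {sorted(extra)}")
        # 4. Grant actions must be limited to grants for AWS resources.
        if actions & GRANT_ACTIONS:
            flag = s.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
            if str(flag).lower() != "true":
                findings.append(f"{sid}: grant actions without kms:GrantIsForAWSResource=true")
    return findings


ACCOUNT_ID = "556782317223"  # account number in the page's sample policy
SAMPLE_POLICY = {  # copy of the policy from the page's sample response
    "Id": "key-consolepolicy-3", "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM UserName Permissions", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_ID}:root"]},
         "Action": ["kms:*"], "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_ID}:user/cckm-user"]},
         "Action": sorted(USER_ACTIONS), "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_ID}:user/cckm-user"]},
         "Action": sorted(GRANT_ACTIONS), "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}


def create_template(base_url, token, body, verify=True):
    """Hypothetical wrapper for the curl call above (needs the requests package).
    verify=True keeps TLS validation on; the page's curl uses -k, which disables it."""
    import requests
    resp = requests.post(f"{base_url}/api/v1/cckm/aws/templates", json=body,
                         headers={"Authorization": f"Bearer {token}"},
                         verify=verify, timeout=30)
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    print(json.dumps(build_template_body("kms", key_users=["cckm-user"])))
    print(review_policy(SAMPLE_POLICY, ACCOUNT_ID, ["cckm-user"]))
```

Run the review on the "policy" object of the create response (or of a get response) before attaching the template to keys; a non-empty findings list is the signal that the generated policy does not match what the key_users parameter was meant to produce.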
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Viewing the Policy Templates
Use the get /v1/cckm/aws/templates API to get the list of AWS key policy templates. The results can be filtered using the query parameters.
Syntax
```bash
curl -k '<IP>/api/v1/cckm/aws/templates?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer AUTHTOKEN' --compressed
```
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the policy template. |
kms | string | Name or ID of the KMS. |
skip | integer | Number of records to skip. For example, if "skip":5 is specified, the first five records are not included in the output. |
limit | integer | Number of records to display. For example, if "limit":10 is specified, the next 10 records (after the number of records specified in the skip parameter) are included in the output. |
sort | string | Comma-delimited list of properties to sort the results. |
Example Request
```bash
curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiMzUwZGQzOS1lNmEzLTQzNmItYjcyNi05YjlmNmNkMzVjZjciLCJzdWIiOiJsb2NhbHw4YTQ1MGNjZS02MGY4LTQxZTYtYTZkNS0xMTVkNDYzNDk5ZjUiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDk0NGUzZjctYzcyNi00YTQ1LThjY2YtMDk5ZTg0Zjg1NzU2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjNjMmFlMjA1LTYzZjMtNDgxNS1iYWVjLWU1NDBmOTE2ZTU1YSIsImlhdCI6MTYyMjE4NzgyMywiZXhwIjoxNjIyMTg4MTIzfQ.d2rAAQI-VP_xObiBDLCUh8A7M1LUxZhVfnIk87_3fIU' --compressed
```
Example Response
```json
{
  "skip": 0,
  "limit": 10,
  "total": 1,
  "resources": [
    {
      "id": "d16c6b36-3894-40f5-9387-44e0cfe26d65",
      "uri": "kylo:kylo:cckm:aws-template:d16c6b36-3894-40f5-9387-44e0cfe26d65",
      "account": "kylo:kylo:admin:accounts:kylo",
      "application": "ncryptify:gemalto:admin:apps:kylo",
      "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
      "createdAt": "2021-05-28T07:45:27.466789Z",
      "updatedAt": "2021-05-28T07:45:27.464931Z",
      "key_users": [
        "cckm-user"
      ],
      "policy": {
        "Id": "key-consolepolicy-3",
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Enable IAM UserName Permissions",
            "Action": [
              "kms:*"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Principal": {
              "AWS": [
                "arn:aws:iam::556782317223:root"
              ]
            }
          },
          {
            "Sid": "Allow use of the key",
            "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey*",
              "kms:DescribeKey"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Principal": {
              "AWS": [
                "arn:aws:iam::556782317223:user/cckm-user"
              ]
            }
          },
          {
            "Sid": "Allow attachment of persistent resources",
            "Action": [
              "kms:CreateGrant",
              "kms:ListGrants",
              "kms:RevokeGrant"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
              "Bool": {
                "kms:GrantIsForAWSResource": "true"
              }
            },
            "Principal": {
              "AWS": [
                "arn:aws:iam::556782317223:user/cckm-user"
              ]
            }
          }
        ]
      },
      "kms": "kms"
    }
  ]
}
```
The sample output shows an AWS key policy template with the ID d16c6b36-3894-40f5-9387-44e0cfe26d65.
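The following is an added example, not code from the CCKM documentation or from Thales. It walks every page of the list call using the skip, limit and total fields of the response shape shown above, advancing skip by the number of records actually returned so that a server that caps limit below the requested value cannot cause an endless loop, and then filters the collected templates by KMS. fetch_page is any callable returning one decoded page; make_offline_fetcher builds one over constructed sample data so the example runs without a CCKM instance, and http_fetch_page is a hypothetical requests version of the curl call (an assumption, not part of the page).

```python
"""Added example, not from the CCKM documentation or Thales code. Pages through
GET /v1/cckm/aws/templates with the skip/limit/total fields of the sample
response and filters by KMS. make_offline_fetcher and SAMPLE_TEMPLATES are
constructed test data; http_fetch_page is a hypothetical live fetcher."""


def list_all_templates(fetch_page, limit=10, max_pages=1000):
    """Collect the `resources` of every page. `skip` advances by the number of
    records actually returned (not by `limit`) and the loop ends when it reaches
    `total` or a page comes back empty, bounded by `max_pages` as a last resort."""
    skip, collected = 0, []
    for _ in range(max_pages):
        page = fetch_page(skip=skip, limit=limit)
        resources = page.get("resources") or []
        collected.extend(resources)
        skip += len(resources)
        if not resources or skip >= page.get("total", 0):
            break
    return collected


def templates_for_kms(templates, kms):
    """Return the templates whose `kms` field equals the given KMS name or ID."""
    return [t for t in templates if t.get("kms") == kms]


def make_offline_fetcher(all_templates, server_cap=None):
    """Constructed stand-in for the API that pages over `all_templates` the way
    the sample response does; `server_cap` simulates a server that caps `limit`."""
    def fetch_page(skip, limit):
        if server_cap is not None:
            limit = min(limit, server_cap)
        return {"skip": skip, "limit": limit, "total": len(all_templates),
                "resources": all_templates[skip:skip + limit]}
    return fetch_page


def http_fetch_page(base_url, token, verify=True, sort="updatedAt"):
    """Hypothetical live fetcher for the curl call above (needs the requests
    package). verify=True keeps TLS validation on; the curl examples use -k."""
    import requests

    def fetch_page(skip, limit):
        resp = requests.get(f"{base_url}/api/v1/cckm/aws/templates",
                            params={"skip": skip, "limit": limit, "sort": sort},
                            headers={"Authorization": f"Bearer {token}"},
                            verify=verify, timeout=30)
        resp.raise_for_status()
        return resp.json()
    return fetch_page


# Constructed sample data: 23 templates spread over two KMS names.
SAMPLE_TEMPLATES = [
    {"id": f"constructed-id-{i:02d}", "kms": "kms" if i % 2 == 0 else "kms-2",
     "key_users": ["cckm-user"]}
    for i in range(23)
]

if __name__ == "__main__":
    everything = list_all_templates(make_offline_fetcher(SAMPLE_TEMPLATES), limit=10)
    print(len(everything), "templates;", len(templates_for_kms(everything, "kms")), "for kms")
```

Swap make_offline_fetcher(...) for http_fetch_page(base_url, token) to run the same loop against a live CCKM instance; the id and kms query parameters in the table above can be added to params when server-side filtering is preferred over templates_for_kms.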
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Viewing Details of a Policy Template
Use the get /v1/cckm/aws/templates/{id} API to view the details of an AWS key policy template.
Syntax
```bash
curl -k '<IP>/api/v1/cckm/aws/templates/{id}' -H 'Authorization: Bearer AUTHTOKEN' --compressed
```
Here, {id} represents the ID of the policy template.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
```bash
curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates/d16c6b36-3894-40f5-9387-44e0cfe26d65' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiMzUwZGQzOS1lNmEzLTQzNmItYjcyNi05YjlmNmNkMzVjZjciLCJzdWIiOiJsb2NhbHw4YTQ1MGNjZS02MGY4LTQxZTYtYTZkNS0xMTVkNDYzNDk5ZjUiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDk0NGUzZjctYzcyNi00YTQ1LThjY2YtMDk5ZTg0Zjg1NzU2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjNjMmFlMjA1LTYzZjMtNDgxNS1iYWVjLWU1NDBmOTE2ZTU1YSIsImlhdCI6MTYyMjE4NzgyMywiZXhwIjoxNjIyMTg4MTIzfQ.d2rAAQI-VP_xObiBDLCUh8A7M1LUxZhVfnIk87_3fIU' --compressed
```
Example Response
```json
{
  "id": "d16c6b36-3894-40f5-9387-44e0cfe26d65",
  "uri": "kylo:kylo:cckm:aws-template:d16c6b36-3894-40f5-9387-44e0cfe26d65",
  "account": "kylo:kylo:admin:accounts:kylo",
  "application": "ncryptify:gemalto:admin:apps:kylo",
  "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
  "createdAt": "2021-05-28T07:45:27.466789Z",
  "updatedAt": "2021-05-28T07:45:27.464931Z",
  "key_users": [
    "cckm-user"
  ],
  "policy": {
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Enable IAM UserName Permissions",
        "Action": [
          "kms:*"
        ],
        "Effect": "Allow",
        "Resource": "*",
        "Principal": {
          "AWS": [
            "arn:aws:iam::556782317223:root"
          ]
        }
      },
      {
        "Sid": "Allow use of the key",
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ],
        "Effect": "Allow",
        "Resource": "*",
        "Principal": {
          "AWS": [
            "arn:aws:iam::556782317223:user/cckm-user"
          ]
        }
      },
      {
        "Sid": "Allow attachment of persistent resources",
        "Action": [
          "kms:CreateGrant",
          "kms:ListGrants",
          "kms:RevokeGrant"
        ],
        "Effect": "Allow",
        "Resource": "*",
        "Condition": {
          "Bool": {
            "kms:GrantIsForAWSResource": "true"
          }
        },
        "Principal": {
          "AWS": [
            "arn:aws:iam::556782317223:user/cckm-user"
          ]
        }
      }
    ]
  },
  "kms": "kms"
}
```
The sample output shows the details of the policy template with the ID d16c6b36-3894-40f5-9387-44e0cfe26d65.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Deleting a Policy Template
Use the delete /v1/cckm/aws/templates/{id} API to delete an AWS key policy template.
Syntax
```bash
curl -k '<IP>/api/v1/cckm/aws/templates/{id}' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed
```
Here, {id} represents the ID of the policy template.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
```bash
curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates/d16c6b36-3894-40f5-9387-44e0cfe26d65' -X DELETE -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiMzUwZGQzOS1lNmEzLTQzNmItYjcyNi05YjlmNmNkMzVjZjciLCJzdWIiOiJsb2NhbHw4YTQ1MGNjZS02MGY4LTQxZTYtYTZkNS0xMTVkNDYzNDk5ZjUiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDk0NGUzZjctYzcyNi00YTQ1LThjY2YtMDk5ZTg0Zjg1NzU2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjNjMmFlMjA1LTYzZjMtNDgxNS1iYWVjLWU1NDBmOTE2ZTU1YSIsImlhdCI6MTYyMjE4NzgyMywiZXhwIjoxNjIyMTg4MTIzfQ.d2rAAQI-VP_xObiBDLCUh8A7M1LUxZhVfnIk87_3fIU' --compressed
```
Example Response
```json
{
  "status": 204
}
```
The policy template with the ID d16c6b36-3894-40f5-9387-44e0cfe26d65 is deleted.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.