Key Life Cycle Management APIs
This section describes the CCKM Key Life Cycle Management APIs for AWS.
Creating AWS Keys on CCKM
Use the post /v1/cckm/aws/keys API to create an AWS key on the CCKM. When creating an AWS key, you can specify whether the key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. However, any replica of the multi-region key can be set as the primary key later.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "kms": "<kms id>",\n "region": "<region>",\n "aws_param": {<aws parameters>}\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
kms | string | Name or ID of the KMS. |
region | string | Name of the region. |
aws_param | JSON | Key parameters such as alias, description, and usage. Refer to AWS Key Parameters for details. |
external_accounts | array of strings | AWS accounts that can use this key. |
key_admins | array of strings | IAM users who can administer this key using the KMS API. |
key_users | array of strings | IAM users who can use this key in cryptographic operations. |
policytemplate | string | ID of the policy template to apply. |
Note
Specify Policy, policytemplate, or one of key_admins, key_users, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.
AWS Key Parameters
Parameter | Type | Description |
---|---|---|
Alias | string | Alias of the key. |
BypassPolicyLockoutSafetyCheck | boolean | Flag to bypass the key policy lockout safety check. |
CustomerMasterKeySpec | string | Type of the key. Supported types are: • SYMMETRIC_DEFAULT (Default) • RSA_2048 (Asymmetric) • RSA_3072 (Asymmetric) • RSA_4096 (Asymmetric) • ECC_NIST_P256 (secp256r1) (Asymmetric) • ECC_NIST_P384 (secp384r1) (Asymmetric) • ECC_NIST_P521 (secp521r1) (Asymmetric) • ECC_SECG_P256K1 (secp256k1) (Asymmetric) |
Description | string | Description of the key. |
KeyUsage | string | Cryptographic operations performed by the key. Supported operations are: • ENCRYPT_DECRYPT • SIGN_VERIFY |
MultiRegion | boolean | Whether the key can be replicated in multiple AWS regions. The base key will be referred to as the multi-region primary key. Set to true to allow key replication in multiple regions. |
Origin | string | Source of the AWS customer master key (CMK) key material. The key origin cannot be changed. The origin of the key can be: • AWS_KMS • EXTERNAL |
Policy | JSON | Key policy to attach to the CMK. |
Tags | array of JSONs | An optional parameter to add additional information to the key. The value must be specified as a key-value pair. CCKM allows the following characters in tag values: • Alphanumeric characters • Special characters _ . / = + - @ |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "kms": "kms",\n "region": "ap-south-1",\n "aws_param": {\n "Alias": "aws-test-key",\n "MultiRegion": true,\n "Tags": [\n {\n "TagKey": "key",\n "TagValue": "value"\n }\n ]\n }\n}' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457335Z",
"updatedAt": "2020-11-05T06:35:42.441821548Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:35:42.438073546Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false,
"MultiRegion": true
}
}
The sample output shows that an AWS key (with alias aws-test-key) is created in the AWS region "ap-south-1" on the AWS KMS. A unique ID (baf58871-2503-4d13-a84a-339aeb8fdfaf) for the key is returned.
In the output, "MultiRegion": true shows that the key is a multi-region primary key. This key can be replicated in multiple AWS regions. Refer to Replicating Multi-Region AWS Keys for replication details.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
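The request-parameter tables above state several constraints on a create-key request that the API will reject at runtime: the policy inputs are mutually exclusive, the spec and usage values are drawn from fixed lists, and tag values have a restricted character set. The following added example (not CCKM's own client code) builds the body for post /v1/cckm/aws/keys and enforces those constraints client-side; the spec/usage compatibility rules it adds (symmetric keys only ENCRYPT_DECRYPT, ECC keys only SIGN_VERIFY) are AWS KMS behaviour not stated on this page, and the key_admins ARN in the demo is constructed.

```python
"""Build and validate the request body for POST /v1/cckm/aws/keys.

Added example, not CCKM's own client code. It encodes the constraints from
the parameter tables: the key-policy inputs (Policy, policytemplate, or the
key_admins/key_users/external_accounts group) are mutually exclusive,
CustomerMasterKeySpec and KeyUsage must come from the supported lists, and
tag values may only contain alphanumerics and _ . / = + - @.
"""
import json
import re

SUPPORTED_SPECS = {
    "SYMMETRIC_DEFAULT", "RSA_2048", "RSA_3072", "RSA_4096",
    "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1",
}
SUPPORTED_USAGES = {"ENCRYPT_DECRYPT", "SIGN_VERIFY"}
# Allowed tag-value characters per the Tags row of the AWS Key Parameters table.
TAG_VALUE_RE = re.compile(r"^[A-Za-z0-9_./=+\-@]*$")


def _check_policy_inputs(aws_param, policytemplate, principals):
    """At most one of: an explicit Policy, a policytemplate ID, or the
    principal lists. The lists are treated as one group (CCKM derives a single
    policy from them); that grouping is this example's reading of the note."""
    chosen = []
    if "Policy" in aws_param:
        chosen.append("Policy")
    if policytemplate is not None:
        chosen.append("policytemplate")
    used_lists = [name for name, values in principals.items() if values]
    if used_lists:
        chosen.append("/".join(used_lists))
    if len(chosen) > 1:
        raise ValueError("mutually exclusive policy inputs: " + ", ".join(chosen))


def _check_spec_and_usage(aws_param):
    """Validate the spec/usage pair. The compatibility rules (symmetric keys
    only ENCRYPT_DECRYPT, ECC keys only SIGN_VERIFY) are AWS KMS behaviour and
    are not stated on this page; RSA keys accept either usage."""
    spec = aws_param.get("CustomerMasterKeySpec", "SYMMETRIC_DEFAULT")
    usage = aws_param.get("KeyUsage", "ENCRYPT_DECRYPT")
    if spec not in SUPPORTED_SPECS:
        raise ValueError(f"unsupported CustomerMasterKeySpec: {spec}")
    if usage not in SUPPORTED_USAGES:
        raise ValueError(f"unsupported KeyUsage: {usage}")
    if spec == "SYMMETRIC_DEFAULT" and usage != "ENCRYPT_DECRYPT":
        raise ValueError("SYMMETRIC_DEFAULT keys only support ENCRYPT_DECRYPT")
    if spec.startswith("ECC_") and usage != "SIGN_VERIFY":
        raise ValueError(f"{spec} keys only support SIGN_VERIFY")


def _check_tags(aws_param):
    """Each tag is a {TagKey, TagValue} object with a restricted value charset."""
    for tag in aws_param.get("Tags", []):
        if set(tag) != {"TagKey", "TagValue"}:
            raise ValueError(f"tag must contain exactly TagKey and TagValue: {tag}")
        if not TAG_VALUE_RE.match(tag["TagValue"]):
            raise ValueError(f"disallowed characters in tag value: {tag['TagValue']!r}")


def build_create_key_body(kms, region, aws_param, policytemplate=None,
                          key_admins=None, key_users=None, external_accounts=None):
    """Return the body for POST /v1/cckm/aws/keys as a dict, or raise
    ValueError when the inputs break one of the documented constraints."""
    principals = {
        "key_admins": list(key_admins or []),
        "key_users": list(key_users or []),
        "external_accounts": list(external_accounts or []),
    }
    _check_policy_inputs(aws_param, policytemplate, principals)
    _check_spec_and_usage(aws_param)
    _check_tags(aws_param)
    body = {"kms": kms, "region": region, "aws_param": aws_param}
    if policytemplate is not None:
        body["policytemplate"] = policytemplate
    body.update({name: values for name, values in principals.items() if values})
    return body


if __name__ == "__main__":
    # Mirrors the documented example request, plus a constructed key_admins ARN.
    body = build_create_key_body(
        "kms", "ap-south-1",
        {"Alias": "aws-test-key", "MultiRegion": True,
         "Tags": [{"TagKey": "key", "TagValue": "value"}]},
        key_admins=["arn:aws:iam::123456789012:user/key-admin"],
    )
    print(json.dumps(body, indent=2))
```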
Fetching List of AWS Keys
Use the get /v1/cckm/aws/keys API to view the list of the AWS keys. The results can be filtered using the query parameters.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
id | string | Internal ID of the AWS key. |
keyid | string | ID of the AWS key. |
alias | string | Alias of the key. |
kms | string | Name of the AWS KMS. |
kms_id | string | ID of the AWS KMS. |
region | string | Region name. |
cloud_name | string | Cloud name. |
origin | string | Source of the AWS customer master key (CMK) key material. The key origin cannot be changed. The origin of the key can be: • AWS_KMS • EXTERNAL |
job_config_id | string | ID of the scheduler configuration job. |
enabled | boolean | Fetches the enabled keys. |
gone | boolean | Fetches keys based on their existence in the cloud. |
tags | string | Fetches the keys based on valid tag values. |
keystate | string | State of the AWS key. |
rotation_job_enabled | boolean | Fetches the key based on the rotation job status. |
CustomerMasterKeySpec | string | Fetches keys based on CustomerMasterKeySpec. |
key_material_origin | string | Source of the key material. The origin of the key can be: • cckm: Key material is created on CCKM. • native: Key material is created on the AWS cloud. • unknown: Source of the key material is unknown. It is different than CCKM and the native cloud. |
multi_region | boolean | Whether the key is a multi-region key. Specify true for a multi-region key, false for a single-region key. |
multi_region_key_type | string | Type of the multi-region key, PRIMARY or REPLICA. |
skip | integer | Number of records to skip. For example, if "skip":5 is specified, the first five records will not be displayed in the output. |
limit | integer | Number of records to display. For example, if "limit":10 is specified, then the next 10 records (after skipping the number of records specified in the skip parameter) will be displayed in the output. |
sort | string | Comma-delimited list of properties to sort the results. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Example Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:35:42.441822Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:35:42.438074Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
]
}
The sample output shows the list of the AWS keys.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
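The list API pages its results with skip, limit and total, and each resource carries the fields (gone, key_material_origin, KeyRotationEnabled, MultiRegion) that an inventory review turns on. The added example below (not part of the CCKM documentation) walks every page through an injected fetch_page(skip, limit) callable and summarises the inventory; the records it runs over are constructed to match the response format above, with two KeyIDs taken from this page's examples and one placeholder.

```python
"""Walk GET /v1/cckm/aws/keys page by page and audit the inventory.

Added example, not part of the CCKM documentation. fetch_page(skip, limit)
is an injected callable returning one decoded list response (in production
it would wrap the curl call shown on this page); the records below are
constructed to match the response format documented here.
"""
from collections import Counter


def iter_aws_keys(fetch_page, limit=10):
    """Yield every key resource, advancing skip by the page size returned
    until the server-reported total is reached (or a page comes back empty)."""
    skip = 0
    while True:
        page = fetch_page(skip, limit)
        resources = page.get("resources") or []
        for key in resources:
            yield key
        skip += len(resources)
        if not resources or skip >= page.get("total", 0):
            return


def _label(key):
    """Prefer the alias for reporting, fall back to the AWS KeyID, then CCKM id."""
    params = key.get("aws_param", {})
    aliases = params.get("Alias") or []
    return aliases[0] if aliases else params.get("KeyID", key.get("id"))


def audit_aws_keys(keys):
    """Summarise the inventory and flag what a key reviewer looks for:
    keys whose cloud copy is gone, enabled keys without automatic rotation,
    multi-region keys, and where each key's material came from."""
    findings = {
        "by_origin": Counter(),
        "gone": [],
        "rotation_disabled": [],
        "multi_region": [],
    }
    for key in keys:
        params = key.get("aws_param", {})
        findings["by_origin"][key.get("key_material_origin", "unknown")] += 1
        label = _label(key)
        if key.get("gone"):
            findings["gone"].append(label)
            continue  # nothing to rotate if the key no longer exists in AWS
        if params.get("Enabled") and not params.get("KeyRotationEnabled"):
            findings["rotation_disabled"].append(label)
        if params.get("MultiRegion"):
            findings["multi_region"].append(label)
    return findings


def _sample_key(key_id, alias, origin, gone=False, rotation=False, multi=False):
    """Constructed record using the fields this page's list response carries."""
    return {
        "id": key_id, "gone": gone, "key_material_origin": origin, "region": "ap-south-1",
        "aws_param": {"KeyID": key_id, "Alias": [f"alias/{alias}"], "Enabled": True,
                      "KeyRotationEnabled": rotation, "MultiRegion": multi},
    }


# Two KeyIDs come from this page's examples; the third is a placeholder.
SAMPLE_KEYS = [
    _sample_key("623321f4-a7d4-4d52-89bf-a9f26a29360e", "aws-test-key", "native", multi=True),
    _sample_key("a3d6b6ab-e953-45f7-8275-e915277f5ee2", "test-upload-key-1", "cckm"),
    _sample_key("00000000-0000-4000-8000-000000000001", "stale-key", "unknown", gone=True),
]


def sample_fetch_page(skip, limit):
    """Offline stand-in for the HTTP call: slices the constructed inventory."""
    return {"skip": skip, "limit": limit, "total": len(SAMPLE_KEYS),
            "resources": SAMPLE_KEYS[skip:skip + limit]}


if __name__ == "__main__":
    report = audit_aws_keys(iter_aws_keys(sample_fetch_page, limit=2))
    for name, value in report.items():
        print(f"{name}: {dict(value) if isinstance(value, Counter) else value}")
```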
Viewing Details of AWS Keys
Use the get /v1/cckm/aws/keys/{id} API to view the details of an AWS key with a specific ID.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the key ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:35:42.441822Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:35:42.438074Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
The sample output shows the details corresponding to the key (with ID baf58871-2503-4d13-a84a-339aeb8fdfaf).
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Deleting AWS Keys from CCKM
Use the delete /v1/cckm/aws/keys/{id} API to delete an AWS key from the CCKM.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the key ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed
Example Response
{
"status": 204
}
The sample output shows that the key (with ID baf58871-2503-4d13-a84a-339aeb8fdfaf) is deleted successfully from the CCKM and "status": 204 is returned in the response.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Downloading Keys Created on AWS to CCKM
Use the post /v1/cckm/aws/synchronization-jobs API to download the keys created on the AWS KMS to the CCKM based on the KMS name and regions. If no region is specified, the AWS keys from all regions will be synchronized.
Syntax
curl -k '<IP>/api/v1/cckm/aws/synchronization-jobs' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "kms": ["<kms_identifier>"],\n "regions": ["<region>"]\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
kms | array of strings | Name or ID of the KMS from which the AWS keys will be synchronized. |
regions | array of strings | Regions from which the AWS keys will be synchronized. |
synchronize_all | boolean | Set to true to synchronize all keys from all KMS and regions. |
Note
The synchronize_all parameter and the kms, regions parameters are mutually exclusive. Specify either synchronize_all or kms and regions.
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/synchronization-jobs' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "kms": ["kms"],\n "synchronize_all": false,\n "regions": ["ap-south-1"]\n}' --compressed
Example Response
{
"id": "afef70ff-311e-46c1-8ead-e1999e8c6d46",
"uri": "kylo:kylo:cckm:synchronize:afef70ff-311e-46c1-8ead-e1999e8c6d46",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:38:25.308834396Z",
"updatedAt": "2020-11-05T06:38:25.310835309Z",
"overall_status": "in_progress",
"cloud": "aws",
"regions": [
"ap-south-1"
],
"kms": [
"kms"
],
"abort": false
}
The sample output shows that the synchronization-jobs API has started downloading the keys from the region (ap-south-1) of the KMS (kms) to the CCKM. The status of the synchronization process is in_progress. A unique ID (afef70ff-311e-46c1-8ead-e1999e8c6d46) for the synchronization process is returned.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Note
You can also schedule synchronization of the AWS keys when needed using the scheduler API. Refer to Scheduling Synchronization for details.
Viewing Synchronization Status
Use the get /v1/cckm/aws/synchronization-jobs API to view the status of the synchronization jobs. The results can be filtered using the query parameters.
Syntax
curl -k '<IP>/api/v1/cckm/aws/synchronization-jobs?skip=0&limit=10' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
id | string | Internal ID of the synchronization. |
overall_status | string | Overall synchronization status. |
kms | array | Name of the KMS. |
skip | integer | Number of records to skip. For example, if "skip":5 is specified, the first five records will not be displayed in the output. |
limit | integer | Number of records to display. For example, if "limit":10 is specified, then the next 10 records (after skipping the number of records specified in the skip parameter) will be displayed in the output. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/synchronization-jobs?skip=0&limit=10' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Example Response
{
"skip": 0,
"limit": 10,
"total": 2,
"resources": [
{
"id": "0ea5d52e-387c-44fa-b079-21c8b768f77b",
"uri": "kylo:kylo:cckm:synchronize:0ea5d52e-387c-44fa-b079-21c8b768f77b",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:39:45.726289Z",
"updatedAt": "2020-11-05T06:39:57.973309Z",
"completed_at": "2020-11-05T06:39:57.973157Z",
"overall_status": "aborted",
"detailed_status": {
"123456789012/us-east-1": "in_progress"
},
"cloud": "aws",
"kms": [
"kms"
],
"abort": true
},
{
"id": "afef70ff-311e-46c1-8ead-e1999e8c6d46",
"uri": "kylo:kylo:cckm:synchronize:afef70ff-311e-46c1-8ead-e1999e8c6d46",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:38:25.308834Z",
"updatedAt": "2020-11-05T06:38:29.248338Z",
"completed_at": "2020-11-05T06:38:29.248173Z",
"overall_status": "completed",
"detailed_status": {
"123456789012/ap-south-1": "region synchronized successfully"
},
"cloud": "aws",
"regions": [
"ap-south-1"
],
"kms": [
"kms"
],
"abort": false
}
]
}
The sample output shows the status of the synchronization processes.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Aborting Synchronization Jobs
Use the post /v1/cckm/aws/synchronization-jobs/{id}/cancel API to cancel a specific synchronization job.
Syntax
curl -k '<IP>/api/v1/cckm/aws/synchronization-jobs/{id}/cancel' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the synchronization job ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/synchronization-jobs/0ea5d52e-387c-44fa-b079-21c8b768f77b/cancel' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Example Response
{
"id": "0ea5d52e-387c-44fa-b079-21c8b768f77b",
"uri": "kylo:kylo:cckm:synchronize:0ea5d52e-387c-44fa-b079-21c8b768f77b",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:39:45.726289Z",
"updatedAt": "2020-11-05T06:39:57.876865221Z",
"overall_status": "in_progress",
"detailed_status": {
"123456789012/us-east-1": "in_progress"
},
"cloud": "aws",
"kms": [
"kms"
],
"abort": true
}
The sample output shows that the abort parameter is set to true. This indicates that the synchronization job (with ID 0ea5d52e-387c-44fa-b079-21c8b768f77b) is canceled.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Viewing Details of Synchronization Jobs
Use the get /v1/cckm/aws/synchronization-jobs/{id} API to view the details of a synchronization job with a specific ID.
Syntax
curl -k '<IP>/api/v1/cckm/aws/synchronization-jobs/{id}' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the synchronization job ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/synchronization-jobs/afef70ff-311e-46c1-8ead-e1999e8c6d46' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Example Response
{
"id": "afef70ff-311e-46c1-8ead-e1999e8c6d46",
"uri": "kylo:kylo:cckm:synchronize:afef70ff-311e-46c1-8ead-e1999e8c6d46",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:38:25.308834Z",
"updatedAt": "2020-11-05T06:38:29.248338Z",
"completed_at": "2020-11-05T06:38:29.248173Z",
"overall_status": "completed",
"detailed_status": {
"123456789012/ap-south-1": "region synchronized successfully"
},
"cloud": "aws",
"regions": [
"ap-south-1"
],
"kms": [
"kms"
],
"abort": false
}
The sample output shows the details corresponding to the synchronization job (with ID afef70ff-311e-46c1-8ead-e1999e8c6d46).
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
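The four synchronization-job APIs above (start, list, cancel, and view details) form one workflow: a job is started, its overall_status is polled until it leaves in_progress, its detailed_status is read per "account/region" entry, and a job that overruns is aborted through the cancel endpoint. The added example below (not from the CCKM documentation) implements that loop against injected get_job and cancel_job callables so it runs offline; FakeSyncApi and its records are constructed from the response shapes on this page, and treating every overall_status other than in_progress as terminal is this example's assumption.

```python
"""Poll an AWS synchronization job on CCKM until it finishes, cancelling it
if it overruns a deadline.

Added example, not from the CCKM documentation. get_job(job_id) returns the
decoded body of GET /v1/cckm/aws/synchronization-jobs/{id} and
cancel_job(job_id) posts to .../{id}/cancel; both are injected so the logic
runs offline. FakeSyncApi replays constructed records shaped like the
responses on this page. Treating any overall_status other than in_progress
as terminal is this example's assumption.
"""
import time

REGION_OK = "region synchronized successfully"  # per-region status seen on this page


def parse_detailed_status(detailed_status):
    """Split the '<account>/<region>' keys of detailed_status into
    (account, region, status) tuples."""
    rows = []
    for scope, status in (detailed_status or {}).items():
        account, _, region = scope.partition("/")
        rows.append((account, region, status))
    return rows


def unsynced_regions(job):
    """Return (account, region) pairs that did not report a successful sync."""
    return [(account, region) for account, region, status
            in parse_detailed_status(job.get("detailed_status")) if status != REGION_OK]


def wait_for_sync(job_id, get_job, cancel_job, timeout_s=300, poll_s=5,
                  sleep=time.sleep, clock=time.monotonic):
    """Return the final job record. If the job is still in_progress when
    timeout_s elapses, request cancellation and return the record the cancel
    call gives back (abort=true; its status may still read in_progress)."""
    deadline = clock() + timeout_s
    while True:
        job = get_job(job_id)
        if job["overall_status"] != "in_progress":
            return job
        if clock() >= deadline:
            return cancel_job(job_id)
        sleep(poll_s)


class FakeSyncApi:
    """Offline stand-in: returns the records in order, repeating the last one."""

    def __init__(self, records):
        self._records = list(records)
        self.cancelled = []

    def get_job(self, job_id):
        record = self._records.pop(0) if len(self._records) > 1 else self._records[0]
        if record["id"] != job_id:
            raise KeyError(job_id)
        return record

    def cancel_job(self, job_id):
        self.cancelled.append(job_id)
        return dict(self.get_job(job_id), abort=True)


# Constructed records using the job ID and statuses shown on this page.
JOB_ID = "afef70ff-311e-46c1-8ead-e1999e8c6d46"
IN_PROGRESS = {"id": JOB_ID, "overall_status": "in_progress", "abort": False,
               "detailed_status": {"123456789012/ap-south-1": "in_progress"}}
COMPLETED = {"id": JOB_ID, "overall_status": "completed", "abort": False,
             "completed_at": "2020-11-05T06:38:29.248173Z",
             "detailed_status": {"123456789012/ap-south-1": REGION_OK}}


if __name__ == "__main__":
    api = FakeSyncApi([IN_PROGRESS, IN_PROGRESS, COMPLETED])
    final = wait_for_sync(JOB_ID, api.get_job, api.cancel_job, poll_s=0, sleep=lambda s: None)
    print(final["overall_status"], unsynced_regions(final))
```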
Uploading Keys to AWS KMS
Use the post /v1/cckm/aws/upload-key API to upload a key created on the CipherTrust Manager to the AWS KMS.
Syntax
curl -k '<IP>/api/v1/cckm/aws/upload-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "source_key_tier": "<source_key_tier>",\n "source_key_identifier": "<source_key_identifier>",\n "region": "<region>",\n "kms": "<kms_identifier>",\n "KeyExpiration": <boolean>,\n "aws_param": {<aws parameters>}\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
kms | string | Name or ID of the KMS where the key will be uploaded. |
region | string | Name of the region. |
source_key_tier | string | Tier of the source. Possible options are: • local (default) • dsm |
source_key_identifier | string | Name or ID of the key to be uploaded. • If source_key_tier is local, this is the ID of the CipherTrust Manager key to be uploaded. • If source_key_tier is dsm, this is the ID of the DSM key to be uploaded. |
aws_param | JSON | AWS key parameters such as alias, description, and usage. Refer to AWS Key Parameters for details. |
external_accounts | array of strings | AWS accounts that can use this key. |
key_admins | array of strings | IAM users who can administer this key using the KMS API. |
key_expiration | boolean | Flag to enable key expiration. |
key_users | array of strings | IAM users who can use this key in cryptographic operations. |
policytemplate | string | ID of the policy template to apply. |
Note
Specify Policy, policytemplate, or one of key_admins, key_users, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.
AWS Key Parameters
Parameter | Type | Description |
---|---|---|
Alias | string | Alias of the key. |
BypassPolicyLockoutSafetyCheck | boolean | Flag to bypass the key policy lockout safety check. |
Description | string | Description of the key. |
MultiRegion | boolean | Whether the key can be replicated in multiple AWS regions. The base key will be referred to as the multi-region primary key. Set to true to allow key replication in multiple regions. |
Policy | string | Key policy to attach to the CMK. |
Tags | array of JSONs | An optional parameter to add additional information to the key. The value must be specified as a key-value pair. CCKM allows the following characters in tag values: • Alphanumeric characters • Special characters _ . / = + - @ |
ValidTo | string | Key expiration time, must be formatted as per RFC3339. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/upload-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "source_key_identifier": "test-key",\n "region": "ap-south-1",\n "kms": "kms",\n "aws_param": {\n "Alias": "test-upload-key-1",\n "Tags": [\n {\n "TagKey": "key",\n "TagValue": "value"\n }\n ]\n }\n}' --compressed
Example Response
{
"id": "02c40491-f5bd-4204-93f3-5f9077740116",
"uri": "kylo:kylo:cckm:aws-key:02c40491-f5bd-4204-93f3-5f9077740116",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T07:00:53.99845058Z",
"updatedAt": "2020-11-05T07:00:54.504758124Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T07:00:53.990295894Z",
"rotation_status": "",
"local_key_id": "361d928ac7e340d093e7d231c80ca934acc62528601647ce86a219c9a82f4f93",
"local_key_name": "test-key",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "cckm",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/a3d6b6ab-e953-45f7-8275-e915277f5ee2",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "a3d6b6ab-e953-45f7-8275-e915277f5ee2",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "EXTERNAL",
"CreationDate": "2020-11-05T07:00:41Z",
"Policy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
},
"Alias": [
"alias/test-upload-key-1"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false,
"ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"
}
}
The sample output shows that a key (with alias test-upload-key-1) is uploaded to the AWS KMS. As the key was not created on the AWS KMS, its origin is EXTERNAL. A unique ID (02c40491-f5bd-4204-93f3-5f9077740116) for the uploaded key is returned.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Importing Key Material to AWS KMS
Use the post /v1/cckm/aws/keys/{id}/import-material API to import key material to the AWS KMS.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/import-material' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "source_key_tier": "<source_key_tier>",\n "source_key_identifier": "<source_key_identifier>",\n "key_expiration": <boolean>,\n "valid_to": "<key validity>"\n}' --compressed
Here, {id} represents the key material ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
key_expiration | boolean | Flag to disable encryption on the key which is getting rotated. |
source_key_tier | string | Tier of the source. Possible options are: • local (default) • dsm |
source_key_identifier | string | Name or ID of the key to be imported to the AWS KMS. • If source_key_tier is local, this is the ID of the CipherTrust Manager key to be uploaded. By default, a new CipherTrust Manager key is generated automatically. • If source_key_tier is dsm, this is the ID of the DSM key to be uploaded. source_key_identifier is a mandatory parameter. If the key material is reimported, AWS allows reimporting the same key material only. It is mandatory to provide the source_key_identifier of the same CipherTrust Manager or DSM key that was imported previously. |
valid_to | string | Key expiration time of the newly rotated key, must be formatted as per RFC3339. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/40387a72-6e24-4cdd-8840-b586757c44bf/import-material' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "source_key_identifier": "test-key",\n "key_expiration": true,\n "valid_to": "2020-12-04T06:51:18.505860192Z"\n}' --compressed
Example Response
{
"id": "40387a72-6e24-4cdd-8840-b586757c44bf",
"uri": "kylo:kylo:cckm:aws-key:40387a72-6e24-4cdd-8840-b586757c44bf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T07:01:48.965088Z",
"updatedAt": "2020-11-05T07:02:26.388806901Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T07:01:48.959221Z",
"rotation_status": "",
"local_key_id": "361d928ac7e340d093e7d231c80ca934acc62528601647ce86a219c9a82f4f93",
"local_key_name": "test-key",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "cckm",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/031c5703-aaf7-425e-a141-7e0c6f5886ab",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "031c5703-aaf7-425e-a141-7e0c6f5886ab",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "EXTERNAL",
"CreationDate": "2020-11-05T07:01:36Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key-External"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"ValidTo": "2020-12-04T06:51:18.505860192Z",
"KeyRotationEnabled": false,
"ExpirationModel": "KEY_MATERIAL_EXPIRES"
}
}
The sample output shows that the key material is imported to the AWS KMS. As the key was not created on the AWS KMS, its origin is EXTERNAL. A unique ID (40387a72-6e24-4cdd-8840-b586757c44bf) for the imported key is returned.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Deleting Imported Key Material
Use the post /v1/cckm/aws/keys/{id}/delete-material API to delete imported key material from the AWS KMS.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/delete-material' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the key material ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/40387a72-6e24-4cdd-8840-b586757c44bf/delete-material' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.j_7biN5YJm188ZzU-IMDsTxJ3X57GbzkOxunP4XE6J0' --compressed
Example Response
{
"id": "40387a72-6e24-4cdd-8840-b586757c44bf",
"uri": "kylo:kylo:cckm:aws-key:40387a72-6e24-4cdd-8840-b586757c44bf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T07:01:48.965088Z",
"updatedAt": "2020-11-05T07:03:24.400322315Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T07:01:48.959221Z",
"rotation_status": "",
"local_key_id": "361d928ac7e340d093e7d231c80ca934acc62528601647ce86a219c9a82f4f93",
"local_key_name": "test-key",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "cckm",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/031c5703-aaf7-425e-a141-7e0c6f5886ab",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Enabled": false,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "031c5703-aaf7-425e-a141-7e0c6f5886ab",
"KeyManager": "CUSTOMER",
"KeyState": "PendingImport",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "EXTERNAL",
"CreationDate": "2020-11-05T07:01:36Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key-External"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false,
"ExpirationModel": "KEY_MATERIAL_EXPIRES"
}
}
The sample output shows that the imported key material (with ID 40387a72-6e24-4cdd-8840-b586757c44bf) is deleted from the AWS KMS.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Scheduling Key Deletion
Use the post /v1/cckm/aws/keys/{id}/schedule-deletion API to schedule deletion of a key.
Note
You can schedule the deletion of a multi-Region primary key at any time. However, AWS KMS will not delete a multi-Region primary key that has replica keys, even if they are scheduled for deletion.
Tip
• To delete a multi-region primary key, you must schedule the deletion of all of its replica keys, and then wait for the replica keys to be deleted. The required waiting period for deleting a primary key begins when the last of its replica keys is deleted. If you must delete a primary key from a particular Region without deleting its replica keys, change the primary key to a replica key by updating the primary Region.
• If any replica keys still exist, the key state of the primary key changes to Pending replica deletion (PendingReplicaDeletion). Otherwise, it changes to Pending deletion (PendingDeletion). In either case, you cannot use the primary key in cryptographic operations and you cannot replicate it.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/schedule-deletion' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "days": <days>\n}' --compressed
Here, {id} represents the key ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
days | integer | Number of days after which the key will be deleted. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/schedule-deletion' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.j7dg_wOMie9RoTy_i3EbAx_yQGyrw4_4n5kaHp0EmN0' -H 'Content-Type: application/json' --data-binary $'{\n "days": 7\n}' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:48:43.972188229Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:38:27.581643Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "key-description",
"Enabled": false,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "PendingDeletion",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"DeletionDate": "2020-11-12T06:48:43.971985424Z",
"KeyRotationEnabled": false
}
}
The sample output shows that the key will be deleted after 7 days. When key deletion is scheduled, the state of the key changes from enabled to pending deletion.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Canceling Deletion of Keys
Use the post /v1/cckm/aws/keys/{id}/cancel-deletion API to cancel deletion of a key.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/cancel-deletion' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the key ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/cancel-deletion' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.j7dg_wOMie9RoTy_i3EbAx_yQGyrw4_4n5kaHp0EmN0' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:49:27.754975314Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:38:27.581643Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "key-description",
"Enabled": false,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "Disabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
The sample output shows that the key deletion is canceled and the state of the key changes to Disabled. To use this key again, enable it using the post /v1/cckm/aws/keys/{id}/enable API.
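The import-material, delete-material, schedule-deletion and cancel-deletion responses above each leave the key in a state an operator should keep an eye on: external material with a ValidTo date, a PendingImport key whose material was deleted, a key counting down to its DeletionDate, and a key left Disabled after a cancelled deletion. The following Python check is an added example, not code from the CCKM documentation or product. It reads key documents in the shape of the example responses (sample documents are constructed inline with the page's values and trimmed to the fields the check uses) and reports those conditions; the expiry warning window of 30 days is an assumption.

```python
"""Lifecycle audit over CCKM AWS key responses.

Added example, not code from the CCKM documentation or product. It reads the
JSON documents that the import-material, delete-material, schedule-deletion
and cancel-deletion APIs return (field names as in the page's example
responses) and reports what an operator normally alerts on: external key
material near expiry, keys pending deletion, and keys left Disabled.
"""
from datetime import datetime, timedelta, timezone


def parse_rfc3339(ts):
    """Parse CCKM timestamps such as 2020-11-05T07:02:26.388806901Z.

    datetime.fromisoformat() (before Python 3.11) accepts neither the 'Z'
    suffix nor nanosecond fractions, so both are normalised first.
    """
    if ts.endswith("Z"):
        ts = ts[:-1]
    if "." in ts:
        base, frac = ts.split(".", 1)
        ts = base + "." + frac[:6].ljust(6, "0")
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def deletion_window_days(key):
    """Days between the schedule-deletion call (updatedAt) and DeletionDate."""
    p = key["aws_param"]
    delta = parse_rfc3339(p["DeletionDate"]) - parse_rfc3339(key["updatedAt"])
    return round(delta.total_seconds() / 86400)


def audit_key(key, now, expiry_warn_days=30):
    """Return a list of human-readable findings for one key document.

    `now` may be a timezone-aware datetime or an RFC 3339 string.
    """
    if isinstance(now, str):
        now = parse_rfc3339(now)
    p = key["aws_param"]
    kid = key["id"]
    state = p.get("KeyState")
    findings = []
    if p.get("Origin") == "EXTERNAL":
        if state == "PendingImport":
            findings.append(f"{kid}: KeyState PendingImport, imported material was "
                            "deleted; the key is unusable until material is re-imported")
        elif p.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES" and "ValidTo" in p:
            left = parse_rfc3339(p["ValidTo"]) - now
            if left <= timedelta(0):
                findings.append(f"{kid}: imported key material expired at {p['ValidTo']}")
            elif left <= timedelta(days=expiry_warn_days):
                findings.append(f"{kid}: imported key material expires in {left.days} days")
    if state in ("PendingDeletion", "PendingReplicaDeletion"):
        findings.append(f"{kid}: KeyState {state}, DeletionDate {p.get('DeletionDate', 'unknown')}")
    elif state == "Disabled":
        findings.append(f"{kid}: KeyState Disabled (cancel-deletion leaves a key "
                        "disabled; call enable before using it)")
    return findings


# Constructed sample documents, trimmed to the fields the audit reads; the
# values are those of the page's example responses.
IMPORTED_KEY = {"id": "40387a72-6e24-4cdd-8840-b586757c44bf",
                "updatedAt": "2020-11-05T07:02:26.388806901Z",
                "aws_param": {"KeyState": "Enabled", "Origin": "EXTERNAL",
                              "ExpirationModel": "KEY_MATERIAL_EXPIRES",
                              "ValidTo": "2020-12-04T06:51:18.505860192Z"}}
MATERIAL_DELETED_KEY = {"id": "40387a72-6e24-4cdd-8840-b586757c44bf",
                        "updatedAt": "2020-11-05T07:03:24.400322315Z",
                        "aws_param": {"KeyState": "PendingImport", "Origin": "EXTERNAL",
                                      "ExpirationModel": "KEY_MATERIAL_EXPIRES"}}
SCHEDULED_KEY = {"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
                 "updatedAt": "2020-11-05T06:48:43.972188229Z",
                 "aws_param": {"KeyState": "PendingDeletion", "Origin": "AWS_KMS",
                               "DeletionDate": "2020-11-12T06:48:43.971985424Z"}}
CANCELLED_KEY = {"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
                 "updatedAt": "2020-11-05T06:49:27.754975314Z",
                 "aws_param": {"KeyState": "Disabled", "Origin": "AWS_KMS"}}


if __name__ == "__main__":
    now = datetime(2020, 11, 20, tzinfo=timezone.utc)  # constructed clock
    for doc in (IMPORTED_KEY, MATERIAL_DELETED_KEY, SCHEDULED_KEY, CANCELLED_KEY):
        for line in audit_key(doc, now):
            print(line)
    print("deletion window:", deletion_window_days(SCHEDULED_KEY), "days")
```

Running the audit against the four sample documents with a constructed clock of 2020-11-20 reports the imported material as expiring in 14 days, the PendingImport key as unusable, the scheduled key with its DeletionDate, and the cancelled key as Disabled; deletion_window_days confirms the 7-day window that the schedule-deletion request asked for.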
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Updating Key Policy
Use the post /v1/cckm/aws/keys/{id}/policy API to update the policy of an AWS key.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/policy' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "key_users": ["key_user"],\n "key_admins": ["key_admin"],\n "external_accounts": ["external_account"]\n}' --compressed
Here, {id} represents the key ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
external_accounts | array of strings | AWS accounts that can use this key. |
key_admins | array of strings | IAM users who can administer this key using the KMS API. |
key_users | array of strings | IAM users who can use this key in cryptographic operations. |
policy | JSON | Key policy mapped to the key. |
Note
The policy parameter and the key_admins, key_users, and external_accounts parameters are mutually exclusive. Specify either policy or one of key_admins, key_users, and external_accounts at a time. If no parameters are specified, the default policy is used.
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/policy' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.R9TjeIn5d9N7-V_8FGcl-90aRarpQayXfBL2OJ50AKk' -H 'Content-Type: application/json' --data-binary $'{\n "key_users": ["user2"]\n}' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:54:46.590542851Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:38:27.581643Z",
"rotation_status": "",
"cloud_name": "aws",
"key_users": [
"arn:aws:iam::123456789012:user/user2"
],
"key_type": "symmetric",
"basic_view_enabled": true,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "key-description",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM UserName Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:root"
]
},
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/user2"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/user2"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": true
}
}
The sample output shows that the key user (user2) is added and that, based on the assigned permissions, user2 can perform cryptographic operations on the AWS KMS.
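The policy in the response above is what CCKM wrote for key_users: ["user2"]: the account root keeps kms:*, user2 gets the cryptographic actions, and user2's grant permissions are limited by the kms:GrantIsForAWSResource condition. The following Python reviewer is an added example, not code from the CCKM documentation or product. It summarises which principal receives which actions from an aws_param.Policy document and flags what a least-privilege review looks for: a wildcard principal, kms:* for anyone other than the account root, and CreateGrant without that condition. The sample policy is copied inline from the example response; drop_grant_condition builds a constructed weaker variant for contrast.

```python
"""Review an AWS KMS key policy as returned in aws_param.Policy.

Added example, not code from the CCKM documentation or product. It
summarises which principal is allowed which kms: actions and flags the
patterns a least-privilege review looks for: a wildcard principal, kms:* for
anyone other than the account root, and CreateGrant without the
kms:GrantIsForAWSResource condition that the page's example policy carries.
"""
import copy
import fnmatch


def _as_list(value):
    """KMS policies write single-element fields as a bare string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS"))


def _grant_is_conditioned(stmt):
    cond = stmt.get("Condition", {}).get("Bool", {})
    return str(cond.get("kms:GrantIsForAWSResource", "")).lower() == "true"


def summarize_policy(policy):
    """Map each allowed principal to the set of actions it receives."""
    summary = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for who in _principals(stmt):
            summary.setdefault(who, set()).update(_as_list(stmt.get("Action")))
    return summary


def review_policy(policy):
    """Return warning strings for statements a reviewer would question."""
    warnings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        for who in _principals(stmt):
            if who == "*":
                warnings.append(f"{sid}: allows every principal ('*')")
            elif who.endswith(":root"):
                # The root statement is AWS's default; it keeps the account's
                # IAM policies effective for this key, so it is expected.
                continue
            elif "kms:*" in actions:
                warnings.append(f"{sid}: {who} gets kms:* (full control of the key)")
            elif (any(fnmatch.fnmatchcase("kms:CreateGrant", a) for a in actions)
                  and not _grant_is_conditioned(stmt)):
                warnings.append(f"{sid}: {who} may create grants for any grantee "
                                "(no kms:GrantIsForAWSResource condition)")
    return warnings


def drop_grant_condition(policy):
    """Copy of the policy with every Condition removed (constructed weaker variant)."""
    weakened = copy.deepcopy(policy)
    for stmt in weakened.get("Statement", []):
        stmt.pop("Condition", None)
    return weakened


SAMPLE_POLICY = {  # copied from the page's example response for key_users: ["user2"]
    "Id": "key-consolepolicy-3", "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM UserName Permissions", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]},
         "Action": ["kms:*"], "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:user/user2"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:user/user2"]},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}


if __name__ == "__main__":
    for who, acts in summarize_policy(SAMPLE_POLICY).items():
        print(who, sorted(acts))
    print("warnings:", review_policy(SAMPLE_POLICY))
    print("without condition:", review_policy(drop_grant_condition(SAMPLE_POLICY)))
```

The page's policy produces no warnings: user2's actions are confined to use of the key and to grants for AWS resources. Removing the Condition is enough to trigger a warning, which is the kind of drift worth checking for when a policy is supplied directly through the policy parameter instead of through key_users.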
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Updating Key Description
Use the post /v1/cckm/aws/keys/{id}/update-description API to update the description of an AWS key.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/update-description' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "description": "<description>"\n}' --compressed
Here, {id} represents the key ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
description | string | Updated description for the key. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/update-description' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.R9TjeIn5d9N7-V_8FGcl-90aRarpQayXfBL2OJ50AKk' -H 'Content-Type: application/json' --data-binary $'{\n "description": "key-description"\n}' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:43:12.957738975Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:38:27.581643Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "key-description",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
The sample output reflects the updated description (key-description) for the key (with ID baf58871-2503-4d13-a84a-339aeb8fdfaf).
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Enabling AWS Keys
Use the post /v1/cckm/aws/keys/{id}/enable API to enable an AWS key.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/enable' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the key ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/enable' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNWMwZGJlNC1lMmJmLTQ3M2MtODY4MC01NWVkMWIzMDEzMmEiLCJzdWIiOiJsb2NhbHxhNjdjMzc0OC05YTRiLTRhZGQtYjNkOS0wNTRiYTIwYmUzYWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDhkNDI5ZjktNDgzYi00ODdlLWJjOTQtNGE1Mjc2ZDI2ZjZjIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjJhN2Y2MWM0LTAyZDYtNDcyOC1hNjE2LTNiNGE1NWMzMzFiNSIsImlhdCI6MTYwNDU1ODY5NSwiZXhwIjoxNjA0NTU4OTk1fQ.j7dg_wOMie9RoTy_i3EbAx_yQGyrw4_4n5kaHp0EmN0' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:44:52.474098561Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:38:27.581643Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "key-description",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
The sample output shows that the key (with ID baf58871-2503-4d13-a84a-339aeb8fdfaf) is enabled and the KeyState parameter of the key becomes Enabled.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Disabling AWS Keys
Use the post /v1/cckm/aws/keys/{id}/disable API to disable an AWS key.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/disable' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the key ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/disable' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNWMwZGJlNC1lMmJmLTQ3M2MtODY4MC01NWVkMWIzMDEzMmEiLCJzdWIiOiJsb2NhbHxhNjdjMzc0OC05YTRiLTRhZGQtYjNkOS0wNTRiYTIwYmUzYWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDhkNDI5ZjktNDgzYi00ODdlLWJjOTQtNGE1Mjc2ZDI2ZjZjIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImYyYjVlZmIxLTkyMmEtNGFiNC04NGVmLTJlMGU4NDlmZDEyYiIsImlhdCI6MTYwNDU1ODQyNiwiZXhwIjoxNjA0NTU4NzI2fQ.SWwAyD4uOEMNxkwvJBH9jFGlVwgKzKM6aDWeR_JUXdc' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:44:25.530680156Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:38:27.581643Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "key-description",
"Enabled": false,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "Disabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
The sample output shows that the key (with ID baf58871-2503-4d13-a84a-339aeb8fdfaf) is disabled and the KeyState parameter becomes Disabled.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Adding Tags to AWS Keys
Use the post /v1/cckm/aws/keys/{id}/add-tags API to add tags to an AWS key. The tags must be specified in the following format:
"tags": [
{
"tag_key": "<key>",
"tag_value": "<value>"
}
]
CCKM allows the following characters in tag values:
• Alphanumeric characters
• Special characters _ . / = + - @
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/add-tags' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "tags": [<key-value pair> ]\n}' --compressed
Here, {id} represents the key ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
tags | array of JSONs | Additional information to be added to the key. CCKM allows the following characters in tag values: • Alphanumeric characters • Special characters _ . / = + - @ |
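A client-side check of the tags payload saves a round trip that would otherwise end in a 4xx. The following Python validator is an added example, not code from the CCKM documentation or product. It enforces the request shape given above ("tags" as a list of objects with exactly tag_key and tag_value) and the character rule the page states for tag values (alphanumerics and _ . / = + - @). Applying the same character rule to tag keys, rejecting empty keys and rejecting duplicate keys within one request are assumptions of this example; the page states the rule for values only.

```python
"""Validate an add-tags request body before sending it to CCKM.

Added example, not code from the CCKM documentation or product. The page
states the character rule for tag values; applying it to tag keys as well,
requiring a non-empty key and rejecting duplicate keys are assumptions.
"""
import json
import re

# Alphanumerics plus the special characters _ . / = + - @ listed on the page.
ALLOWED_RE = re.compile(r"[A-Za-z0-9_./=+\-@]*")
ALLOWED_DESC = "A-Z a-z 0-9 _ . / = + - @"


def validate_tags(tags):
    """Return a list of error strings; an empty list means the payload is acceptable."""
    if not isinstance(tags, list) or not tags:
        return ["tags must be a non-empty list of {tag_key, tag_value} objects"]
    errors = []
    seen = set()
    for i, tag in enumerate(tags):
        if not isinstance(tag, dict) or set(tag) != {"tag_key", "tag_value"}:
            errors.append(f"tags[{i}]: expected exactly the keys tag_key and tag_value")
            continue
        key, value = tag["tag_key"], tag["tag_value"]
        if not isinstance(key, str) or not key:
            errors.append(f"tags[{i}].tag_key: must be a non-empty string")
        elif not ALLOWED_RE.fullmatch(key):
            errors.append(f"tags[{i}].tag_key: {key!r} contains characters outside {ALLOWED_DESC}")
        if not isinstance(value, str) or not ALLOWED_RE.fullmatch(value):
            errors.append(f"tags[{i}].tag_value: {value!r} contains characters outside {ALLOWED_DESC}")
        if key in seen:
            errors.append(f"tags[{i}].tag_key: duplicate key {key!r}")
        seen.add(key)
    return errors


def build_add_tags_body(tags):
    """Serialise a validated payload as the add-tags request body; raise otherwise."""
    errors = validate_tags(tags)
    if errors:
        raise ValueError("; ".join(errors))
    return json.dumps({"tags": tags})


if __name__ == "__main__":
    # Constructed payloads: the page's example tag, then two that must be rejected.
    print(build_add_tags_body([{"tag_key": "key-new", "tag_value": "value-new"}]))
    print(validate_tags([{"tag_key": "key new", "tag_value": "bad value!"}]))
    print(validate_tags([{"TagKey": "key-new", "TagValue": "value-new"}]))
```

Note that the request uses the snake_case names tag_key and tag_value while the response reports TagKey and TagValue; the shape check catches a payload written in the response's spelling, which the server would otherwise reject.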
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/add-tags' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNWMwZGJlNC1lMmJmLTQ3M2MtODY4MC01NWVkMWIzMDEzMmEiLCJzdWIiOiJsb2NhbHxhNjdjMzc0OC05YTRiLTRhZGQtYjNkOS0wNTRiYTIwYmUzYWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDhkNDI5ZjktNDgzYi00ODdlLWJjOTQtNGE1Mjc2ZDI2ZjZjIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjJhN2Y2MWM0LTAyZDYtNDcyOC1hNjE2LTNiNGE1NWMzMzFiNSIsImlhdCI6MTYwNDU1ODY5NSwiZXhwIjoxNjA0NTU4OTk1fQ.j7dg_wOMie9RoTy_i3EbAx_yQGyrw4_4n5kaHp0EmN0' -H 'Content-Type: application/json' --data-binary $'{\n "tags": [\n {\n "tag_key": "key-new",\n "tag_value": "value-new"\n }\n ]\n}' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:45:33.517480305Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:38:27.581643Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "key-description",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
},
{
"TagKey": "key-new",
"TagValue": "value-new"
}
],
"KeyRotationEnabled": false
}
}
The sample output shows that the tag key and its value ("TagKey": "key-new", "TagValue": "value-new") are added to the key (with ID baf58871-2503-4d13-a84a-339aeb8fdfaf).
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Removing Tags from AWS Keys
Use the post /v1/cckm/aws/keys/{id}/remove-tags API to remove tags from an AWS key.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/remove-tags' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "tags": [<tags>]\n}' --compressed
Here, {id} represents the key ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
tags | array | Tags to be removed from the AWS key. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/remove-tags' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.j7dg_wOMie9RoTy_i3EbAx_yQGyrw4_4n5kaHp0EmN0' -H 'Content-Type: application/json' --data-binary $'{\n "tags": ["key-new"]\n}' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:45:47.176081751Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:38:27.581643Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "key-description",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
The sample output shows that the tag and its value ("TagKey": "key-new", "TagValue": "value-new") are removed from the key.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Adding Alias to AWS Keys
Use the post /v1/cckm/aws/keys/{id}/add-alias API to add an alias to an AWS key.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/add-alias' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "alias": "<alias>"\n}' --compressed
Here, {id} represents the key ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
alias | string | Alias to be added to the AWS key. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/add-alias' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.j7dg_wOMie9RoTy_i3EbAx_yQGyrw4_4n5kaHp0EmN0' -H 'Content-Type: application/json' --data-binary $'{\n "alias": "new-test-key-alias"\n}' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:47:15.075451498Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:38:27.581643Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "key-description",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key",
"alias/new-test-key-alias"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
The sample output shows that the alias (new-test-key-alias) is appended to the key.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Deleting Alias from AWS Keys
Use the post /v1/cckm/aws/keys/{id}/delete-alias API to delete an alias from an AWS key.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/delete-alias' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "alias": "<alias>"\n}' --compressed
Here, {id} represents the key ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
alias | string | Alias to be deleted from the AWS key. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/delete-alias' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.j7dg_wOMie9RoTy_i3EbAx_yQGyrw4_4n5kaHp0EmN0' -H 'Content-Type: application/json' --data-binary $'{\n "alias": "new-test-key-alias"\n}' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:47:48.735612202Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:38:27.581643Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "key-description",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
The sample output shows that the alias (new-test-key-alias) is removed from the key.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Verifying Alias on AWS KMS
Use the post /v1/cckm/aws/alias/verify
API to check the availability of an alias on the AWS KMS.
Syntax
curl -k '<IP>/api/v1/cckm/aws/alias/verify' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "alias": "<alias>",\n "region": "<region>",\n "kms": "<kms name>"\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
alias | string | Key alias to be verified. |
kms | string | ID or name of the KMS. |
region | string | Region in which the alias is to be verified. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/alias/verify' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIxYmQ5ZjA4ZS01ZTQyLTQ1MjUtYWJjZi1hMThhMDI5NjdmMjciLCJzdWIiOiJsb2NhbHw2MzViNzZjNS00ZjQyLTQ3OTMtYmMwNy03ZjdmOTQ3ZWM3MGYiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZTQyMjE3NjYtMzE3NS00ODBmLWIzY2EtMGU0NzYzMzM1ZmI4Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjMxOTJmZjNjLWQzZWYtNDNiNC1hZjY5LTEzYTMwMDQxNmJmMyIsImlhdCI6MTU5NjYxMjIwMSwiZXhwIjoxNTk2NjEyNTAxfQ.Vx_Jd7z9c_M2LUGT9SJ38bcPfF7wQNTvxvl65--pwSQ' -H 'Content-Type: application/json' --data-binary $'{\n "alias": "newalias",\n "region": "ap-southeast-1",\n "kms": "kms-name"\n}' --compressed
Example Response
"Alias available"
The sample output shows that the alias (newalias) is available on the KMS (kms-name) and the "Alias available" message is returned in the response.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Enabling Key for Rotation Job
Use the post /v1/cckm/aws/keys/{id}/enable-rotation-job
API to enable an AWS key for a scheduled rotation job. Before calling this API, create a rotation job configuration; its job_config_id is required in the request. Refer to Scheduling Key Rotation for details.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/enable-rotation-job' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "job_config_id": "<job config id>",\n "auto_rotate_disable_encrypt": <boolean>\n}' --compressed
Here, {id} represents the key ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
auto_rotate_domain_id | string | ID of the domain in which the DSM key will be created. |
auto_rotate_key_source | string | Source of the key material. Possible options are: • dsm • ciphertrust. The default key source is ciphertrust. |
job_config_id | string | ID of the scheduler configuration job that will schedule the key rotation. |
auto_rotate_disable_encrypt | boolean | Flag to disable encryption on the old key. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/f36e8dbb-0259-4c61-a35f-d74b6d39effc/enable-rotation-job' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.8BNfjt82PmwBoIzFsUk2eh4AvWwrjZxRiewK9Hyp67A' -H 'Content-Type: application/json' --data-binary $'{\n "job_config_id": "b080efd5-946f-4d59-b6e4-11ba362d9c98",\n "auto_rotate_disable_encrypt": true\n}' --compressed
Example Response
{
"id": "f36e8dbb-0259-4c61-a35f-d74b6d39effc",
"uri": "kylo:kylo:cckm:aws-key:f36e8dbb-0259-4c61-a35f-d74b6d39effc",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:57:55.533058Z",
"updatedAt": "2020-11-05T06:58:08.450289264Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"labels": {
"disable_encrypt_on_auto_rotate": "true",
"job_config_id": "b080efd5-946f-4d59-b6e4-11ba362d9c98"
},
"synced_at": "2020-11-05T06:57:55.527352Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/9905c8da-2a0f-4666-a9c9-555c2567a242",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "9905c8da-2a0f-4666-a9c9-555c2567a242",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:57:42Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key-1"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
The sample output shows that the key (with ID a22742b4-2ad9-4f4a-9103-3507bed1420e) is enabled for the scheduled key rotation.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Disabling Key for Rotation Job
Use the post /v1/cckm/aws/keys/{id}/disable-rotation-job
API to disable the scheduled rotation job for an AWS key.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/disable-rotation-job' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the key ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/f36e8dbb-0259-4c61-a35f-d74b6d39effc/disable-rotation-job' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.8BNfjt82PmwBoIzFsUk2eh4AvWwrjZxRiewK9Hyp67A' --compressed
Example Response
{
"id": "f36e8dbb-0259-4c61-a35f-d74b6d39effc",
"uri": "kylo:kylo:cckm:aws-key:f36e8dbb-0259-4c61-a35f-d74b6d39effc",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:57:55.533058Z",
"updatedAt": "2020-11-05T06:59:07.861489326Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:57:55.527352Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/9905c8da-2a0f-4666-a9c9-555c2567a242",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "9905c8da-2a0f-4666-a9c9-555c2567a242",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:57:42Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key-1"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Enabling Automatic Key Rotation
Use the post /v1/cckm/aws/keys/{id}/enable-auto-rotation
API to enable automatic rotation for AWS native keys. Once enabled, AWS KMS generates new key material for the key every year.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/enable-auto-rotation' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the key ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/enable-auto-rotation' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.R9TjeIn5d9N7-V_8FGcl-90aRarpQayXfBL2OJ50AKk' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:53:53.800412319Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:38:27.581643Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "key-description",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": true
}
}
The sample output shows that the KeyRotationEnabled parameter is set to true. This indicates that the key (with ID baf58871-2503-4d13-a84a-339aeb8fdfaf) is ready for automatic key rotation.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Disabling Automatic Key Rotation
Use the post /v1/cckm/aws/keys/{id}/disable-auto-rotation
API to disable automatic rotation of the AWS native keys.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/disable-auto-rotation' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the key ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/disable-auto-rotation' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.R9TjeIn5d9N7-V_8FGcl-90aRarpQayXfBL2OJ50AKk' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:53:37.533835653Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:38:27.581643Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "key-description",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
The sample output shows that the KeyRotationEnabled parameter is set to false. This indicates that the key (with ID baf58871-2503-4d13-a84a-339aeb8fdfaf) will not be automatically rotated.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
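The four rotation APIs above (enable-rotation-job, disable-rotation-job, enable-auto-rotation, disable-auto-rotation) leave their traces in the key record: a CCKM rotation job appears as the job_config_id and disable_encrypt_on_auto_rotate labels, and AWS native yearly rotation appears as KeyRotationEnabled in aws_param. The following audit script is an added example (not CCKM code) that reads key records in the shape of the responses on this page and reports which rotation mode, if any, each key has, plus imported material that is about to expire. The SAMPLE_KEYS records are constructed for the example; a real run would feed it the records returned by the key listing API.

```python
from datetime import datetime, timedelta, timezone

# Constructed key records in the shape of this page's /v1/cckm/aws/keys
# responses; only the fields the audit reads are kept.
SAMPLE_KEYS = [
    {   # scheduled rotation job attached via enable-rotation-job
        "id": "f36e8dbb-0259-4c61-a35f-d74b6d39effc",
        "labels": {"disable_encrypt_on_auto_rotate": "true",
                   "job_config_id": "b080efd5-946f-4d59-b6e4-11ba362d9c98"},
        "aws_param": {"KeyState": "Enabled", "Origin": "AWS_KMS",
                      "KeyRotationEnabled": False},
    },
    {   # AWS native yearly rotation enabled via enable-auto-rotation
        "id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
        "aws_param": {"KeyState": "Enabled", "Origin": "AWS_KMS",
                      "KeyRotationEnabled": True},
    },
    {   # imported (EXTERNAL) material with an expiry and no rotation configured
        "id": "9c91d0b3-0da7-4580-b21c-f4dce82e8d0d",
        "aws_param": {"KeyState": "Enabled", "Origin": "EXTERNAL",
                      "KeyRotationEnabled": False,
                      "ExpirationModel": "KEY_MATERIAL_EXPIRES",
                      "ValidTo": "2020-12-04T06:51:18.505860192Z"},
    },
]


def parse_rfc3339(ts):
    """Parse a UTC RFC3339 timestamp as CCKM returns it ('Z' suffix, up to
    nine fractional digits); digits beyond microseconds are truncated."""
    base, _, frac = ts.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if frac:
        dt += timedelta(microseconds=int(frac[:6].ljust(6, "0")))
    return dt


def rotation_mode(key):
    """'automatic' (AWS KeyRotationEnabled), 'scheduled' (CCKM rotation job
    label present) or 'none'."""
    if key.get("aws_param", {}).get("KeyRotationEnabled"):
        return "automatic"
    if key.get("labels", {}).get("job_config_id"):
        return "scheduled"
    return "none"


def audit_key(key, now, expiry_warning_days=30):
    aws = key.get("aws_param", {})
    labels = key.get("labels", {})
    mode = rotation_mode(key)
    findings = []
    if mode == "none":
        findings.append("no rotation configured")
    if mode == "automatic" and aws.get("Origin") != "AWS_KMS":
        # enable-auto-rotation applies to AWS native keys only
        findings.append("automatic rotation reported on non-native key material")
    if aws.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES":
        valid_to = parse_rfc3339(aws["ValidTo"])
        if valid_to <= now:
            findings.append("key material expired")
        elif valid_to - now <= timedelta(days=expiry_warning_days):
            findings.append("key material expires within %d days" % expiry_warning_days)
    return {
        "id": key["id"],
        "rotation": mode,
        "disable_encrypt_on_rotate": labels.get("disable_encrypt_on_auto_rotate") == "true",
        "findings": findings,
    }


def audit_keys(keys, now=None):
    """Audit a list of key records; `now` is an RFC3339 string and defaults
    to the current UTC time."""
    now_dt = parse_rfc3339(now) if now else datetime.now(timezone.utc)
    return [audit_key(k, now_dt) for k in keys]


if __name__ == "__main__":
    for row in audit_keys(SAMPLE_KEYS, now="2020-11-20T00:00:00Z"):
        print(row)
```

A key that reports "none" is neither rotated by AWS nor by a CCKM job, which is the case to follow up on; a key with both a job label and KeyRotationEnabled is classified as "automatic" here because AWS would be generating material regardless of the CCKM job.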
Rotating Keys on AWS KMS
Use the post /v1/cckm/aws/keys/{id}/rotate
API to rotate a key on the AWS KMS.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/rotate' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "source_key_tier": "<source key tier>",\n "source_key_id": "<source key>",\n "disable_encrypt": <boolean>,\n "description": "<description>",\n "key_expiration": <boolean>,\n "valid_to": "<key validity>",\n "retain_alias": <true|false>\n}' --compressed
Here, {id} represents the key ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
description | string | Description for the newly rotated key. |
disable_encrypt | boolean | Flag to disable encryption on the key being rotated. |
key_expiration | boolean | Flag to enable key expiration of the newly rotated key. |
source_key_tier | string | Tier of the source. Possible options are: • local (default) • dsm |
source_key_id | string | Name or ID of the key created on the CipherTrust Manager. • If source_key_tier is dsm, this is the ID of the DSM key to be uploaded; source_key_id is mandatory in this case. • If source_key_tier is local, this is the ID of the CipherTrust Manager key to be uploaded. By default, a new CipherTrust Manager key is generated automatically. |
valid_to | string | Key expiration time of the newly rotated key, formatted as per RFC3339. |
retain_alias | boolean | Whether to retain the key alias with timestamp on the archived key after rotation. Set "retain_alias": true to retain the alias. If set to false, the alias is not retained after rotation. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/rotate' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.8BNfjt82PmwBoIzFsUk2eh4AvWwrjZxRiewK9Hyp67A' -H 'Content-Type: application/json' --data-binary $'{\n "source_key_id": "test-key",\n "disable_encrypt": false,\n "description": "rotate",\n "key_expiration": true,\n "valid_to": "2020-12-04T06:51:18.505860192Z"\n}' --compressed
Example Response
{
"id": "9c91d0b3-0da7-4580-b21c-f4dce82e8d0d",
"uri": "kylo:kylo:cckm:aws-key:9c91d0b3-0da7-4580-b21c-f4dce82e8d0d",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:56:47.698148721Z",
"updatedAt": "2020-11-05T06:56:48.683047459Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"rotated_at": "2020-11-05T06:56:48.681156311Z",
"rotated_from": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"synced_at": "2020-11-05T06:56:47.692074257Z",
"rotation_status": "ACTIVE",
"local_key_id": "361d928ac7e340d093e7d231c80ca934acc62528601647ce86a219c9a82f4f93",
"local_key_name": "test-key",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": true,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "cckm",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/d60940e6-5c78-46e5-9905-c14aa9543b40",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "rotate",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "d60940e6-5c78-46e5-9905-c14aa9543b40",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "EXTERNAL",
"CreationDate": "2020-11-05T06:56:35Z",
"Policy": {
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM UserName Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"ValidTo": "2020-12-04T06:51:18.505860192Z",
"KeyRotationEnabled": false,
"ExpirationModel": "KEY_MATERIAL_EXPIRES"
}
}
The sample output shows that the key on the AWS KMS is rotated successfully.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
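The rotate request carries several parameters whose validity depends on each other (source_key_id is mandatory only for the dsm tier, valid_to only matters when key_expiration is true), and a rotation is only complete when the response actually describes a new key derived from the old one. The following is an added example (not CCKM code) that builds the request body used with curl --data-binary and then checks a rotate response against what was requested. SAMPLE_ROTATE_RESPONSE is constructed for the example, trimmed from the response shape shown on this page.

```python
import json
import re

# RFC3339 date-time: date, 'T', time, optional fraction, 'Z' or numeric offset.
RFC3339 = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")

# Constructed response, trimmed from the page's rotate example, used to show
# the post-rotation checks.
SAMPLE_ROTATE_RESPONSE = {
    "id": "9c91d0b3-0da7-4580-b21c-f4dce82e8d0d",
    "rotated_from": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
    "rotation_status": "ACTIVE",
    "local_key_name": "test-key",
    "key_material_origin": "cckm",
    "aws_param": {
        "KeyID": "d60940e6-5c78-46e5-9905-c14aa9543b40",
        "KeyState": "Enabled",
        "Origin": "EXTERNAL",
        "Description": "rotate",
        "ValidTo": "2020-12-04T06:51:18.505860192Z",
        "ExpirationModel": "KEY_MATERIAL_EXPIRES",
    },
}


def build_rotate_request(source_key_tier="local", source_key_id=None,
                         disable_encrypt=False, description=None,
                         key_expiration=False, valid_to=None, retain_alias=None):
    """Return the JSON body for POST /v1/cckm/aws/keys/{id}/rotate, enforcing
    the parameter rules from the request table."""
    if source_key_tier not in ("local", "dsm"):
        raise ValueError("source_key_tier must be 'local' or 'dsm'")
    if source_key_tier == "dsm" and not source_key_id:
        raise ValueError("source_key_id is mandatory when source_key_tier is 'dsm'")
    if key_expiration:
        if not valid_to or not RFC3339.match(valid_to):
            raise ValueError("valid_to must be an RFC3339 timestamp when key_expiration is true")
    elif valid_to is not None:
        raise ValueError("valid_to is only meaningful with key_expiration true")
    body = {"source_key_tier": source_key_tier,
            "disable_encrypt": bool(disable_encrypt),
            "key_expiration": bool(key_expiration)}
    if source_key_id:
        body["source_key_id"] = source_key_id
    if description is not None:
        body["description"] = description
    if valid_to is not None:
        body["valid_to"] = valid_to
    if retain_alias is not None:
        body["retain_alias"] = bool(retain_alias)
    return body


def rotate_request_json(**kwargs):
    """Serialized body suitable for curl --data-binary."""
    return json.dumps(build_rotate_request(**kwargs), indent=1)


def verify_rotate_response(resp, rotated_key_id, request):
    """Compare the rotate response with what was requested; returns a list of
    discrepancies (empty means the rotation looks as expected)."""
    problems = []
    aws = resp.get("aws_param", {})
    if resp.get("rotated_from") != rotated_key_id:
        problems.append("rotated_from does not reference the rotated key")
    if resp.get("rotation_status") != "ACTIVE":
        problems.append("new key is not ACTIVE")
    if aws.get("KeyState") != "Enabled":
        problems.append("new key is not Enabled")
    if aws.get("Origin") != "EXTERNAL":
        # material uploaded from CipherTrust Manager or DSM is imported into AWS KMS
        problems.append("new key material is not imported (Origin != EXTERNAL)")
    if request.get("source_key_id") and resp.get("local_key_name") != request["source_key_id"]:
        problems.append("local_key_name does not match the requested source key")
    if request.get("description") is not None and aws.get("Description") != request["description"]:
        problems.append("description not applied")
    if request.get("key_expiration"):
        if aws.get("ExpirationModel") != "KEY_MATERIAL_EXPIRES":
            problems.append("ExpirationModel is not KEY_MATERIAL_EXPIRES")
        if aws.get("ValidTo") != request.get("valid_to"):
            problems.append("ValidTo does not match valid_to")
    return problems
```

Checking rotated_from against the key you asked to rotate is the cheapest guard against acting on the wrong record afterwards (for example, archiving or deleting the old key); the ValidTo comparison catches a timestamp that was silently normalized or dropped.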
Replicating Multi-Region AWS Keys
Use the post /v1/cckm/aws/keys/{id}/replicate-key
API to replicate a multi-region AWS key to different AWS regions. When replicating the key, specify the desired AWS region.
When you replicate a multi-region primary key with imported key material (that is, material uploaded from CCKM), the replicate process does not return a replica key with the same key material as the primary key. Instead, it returns a replica key with no key material and a key state of PendingImport. To enable the replica key, you must import into it the same key material that you imported into its primary key.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/replicate-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "ReplicaRegion": "<replication-region>",\n "aws_param": {<aws parameters>}}' --compressed
Here, {id} represents the resource ID of the primary multi-region AWS key.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
ReplicaRegion | string | Name of the region where the key is to be replicated. |
aws_param | JSON | Key parameters such as alias, description, and usage. Refer to AWS Key Parameters for details. |
external_accounts | array of strings | AWS accounts that can use this key. |
key_admins | array of strings | IAM users who can administer this key using the KMS API. |
key_users | array of strings | IAM users who can use this key in cryptographic operations. |
policytemplate | string | ID of the policy template to apply. |
Note
Specify Policy, policytemplate, or one of key_admins, key_users, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.
AWS Key Parameters
Parameter | Type | Description |
---|---|---|
Alias | string | Alias of the key. |
BypassPolicyLockoutSafetyCheck | boolean | Flag to bypass the key policy lockout safety check. |
Description | string | Description of the key. |
Origin | string | Source of the AWS customer master key (CMK) key material. The key origin cannot be changed. The origin of the key can be: • AWS_KMS • EXTERNAL |
Policy | JSON | Key policy to attach to the CMK. |
Tags | array of JSONs | An optional parameter to add additional information to the key. The value must be specified as a key-value pair. CCKM allows the following characters in tag values: • Alphanumeric characters • Special characters _ . / = + - @ |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/replicate-key' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.MIMArFeC4cpPNTYOd39mu6_-yihdN0CDl_917eH8-kY' -H 'Content-Type: application/json' --data-binary $'{\n "ReplicaRegion": "ap-south-1",\n "aws_param": {\n "Description": "Replicated key",\n "Tags": [\n {\n "TagKey": "key",\n "TagValue": "value"\n }\n ]\n }\n}' --compressed
Example Response
{
"id": "a152ad26-df3f-4116-abae-b93a914e76ac",
"uri": "kylo:kylo:cckm:aws-replica-key:a152ad26-df3f-4116-abae-b93a914e76ac",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-08-10T05:55:49.010163222Z",
"updatedAt": "2021-08-10T05:55:49.008870847Z",
"kms_id": "10fa8bf3-3070-4bdc-8f19-f7cbed593f40",
"kms": "kms",
"synced_at": "2021-08-10T05:55:48.907773918Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "556782317223",
"Arn": "arn:aws:kms:ap-south-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "Replicated key",
"Enabled": false,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "mrk-6ad3ab90026044a2a24fef020c5d02dc",
"KeyManager": "CUSTOMER",
"KeyState": "Creating",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2021-08-10T05:55:48.542Z",
"Alias": [
"alias/ab-mr-key"
],
"KeyRotationEnabled": false,
"MultiRegion": true,
"MultiRegionConfiguration": {
"MultiRegionKeyType": "REPLICA",
"PrimaryKey": {
"Arn": "arn:aws:kms:ap-south-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
"Region": "ap-south-1"
},
"ReplicaKeys": [
{
"Arn": "arn:aws:kms:ap-southeast-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
"Region": "ap-southeast-1"
}
]
},
"ReplicaPolicy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::556782317223:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
},
"ReplicaTags": [
{
"TagKey": "key",
"TagValue": "value"
}
]
}
}
The sample output shows that the AWS key (with the unique ID baf58871-2503-4d13-a84a-339aeb8fdfaf of the AWS region ap-south-1) is replicated to the AWS region "ap-southeast-1". The unique ID of the replica key is a152ad26-df3f-4116-abae-b93a914e76ac.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Changing the Primary Key of a Multi-Region AWS Key
Use the post /v1/cckm/aws/keys/{id}/update-primary-region
API to set a replica key as the primary key of a multi-region AWS key. The original primary key becomes the replica key.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/update-primary-region' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "PrimaryRegion": "<primary-region>"\n}' --compressed
Here, {id} represents the resource ID of the replica key that you want to set as the primary key for the multi-region AWS key.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
PrimaryRegion | string | Region ID (for example, us-east-1 or ap-southeast-2) of the new primary key. The replica with the specified resource ID must exist in the PrimaryRegion region. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/a152ad26-df3f-4116-abae-b93a914e76ac/update-primary-region' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.tTrel3vmidVb3tG46Kz3eHoCHDUhJR08l93o258uLPg' -H 'Content-Type: application/json' --data-binary $'{\n "PrimaryRegion": "ap-southeast-1"\n}' --compressed
Example Response
{
"id": "a152ad26-df3f-4116-abae-b93a914e76ac",
"uri": "kylo:kylo:cckm:aws-replica-key:a152ad26-df3f-4116-abae-b93a914e76ac",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-08-10T05:55:49.010163Z",
"updatedAt": "2021-08-10T06:47:37.856490404Z",
"kms_id": "10fa8bf3-3070-4bdc-8f19-f7cbed593f40",
"kms": "kms",
"synced_at": "2021-08-10T05:55:48.907774Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "556782317223",
"Arn": "arn:aws:kms:ap-south-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "Replicated key",
"Enabled": false,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "mrk-6ad3ab90026044a2a24fef020c5d02dc",
"KeyManager": "CUSTOMER",
"KeyState": "Updating",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2021-08-10T05:55:48.542Z",
"Alias": [
"alias/ab-mr-key"
],
"KeyRotationEnabled": false,
"MultiRegion": true,
"MultiRegionConfiguration": {
"PrimaryKey": {
"Arn": "arn:aws:kms:ap-southeast-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
"Region": "ap-southeast-1"
},
"ReplicaKeys": [
{
"Arn": "arn:aws:kms:ap-south-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
"Region": "ap-south-1"
}
],
"MultiRegionKeyType": "REPLICA"
},
"ReplicaPolicy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::556782317223:root"
}
}
]
},
"ReplicaTags": [
{
"TagKey": "key",
"TagValue": "value"
}
]
}
}
The sample output shows that the replica key (with the unique ID a152ad26-df3f-4116-abae-b93a914e76ac) is set as the new primary key in the AWS region "ap-southeast-1".
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
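The replicate-key and update-primary-region APIs above each have a precondition that the server only reports as a 4xx error: the policy-related request parameters are mutually exclusive, tag values are limited to the character set listed under AWS Key Parameters, and the replica being promoted must exist in the requested PrimaryRegion. The following is an added example (not CCKM code) that enforces those rules client-side from the MultiRegionConfiguration block a key record carries, so a misconfigured request is rejected before it reaches CCKM. SAMPLE_REPLICA_RECORD is constructed for the example in the shape of the responses on this page, with the primary in ap-south-1 and one replica in ap-southeast-1.

```python
import re

# Characters CCKM allows in tag values (from the AWS Key Parameters table):
# alphanumeric plus _ . / = + - @
TAG_VALUE = re.compile(r"^[A-Za-z0-9_./=+\-@]*$")

# Constructed replica record in the shape of the page's replicate-key response:
# primary key in ap-south-1, this replica in ap-southeast-1.
SAMPLE_REPLICA_RECORD = {
    "id": "a152ad26-df3f-4116-abae-b93a914e76ac",
    "region": "ap-southeast-1",
    "aws_param": {
        "KeyID": "mrk-6ad3ab90026044a2a24fef020c5d02dc",
        "MultiRegion": True,
        "MultiRegionConfiguration": {
            "MultiRegionKeyType": "REPLICA",
            "PrimaryKey": {"Region": "ap-south-1"},
            "ReplicaKeys": [{"Region": "ap-southeast-1"}],
        },
    },
}


def build_replicate_request(replica_region, aws_param=None, policytemplate=None,
                            key_admins=None, key_users=None, external_accounts=None):
    """Body for POST /v1/cckm/aws/keys/{id}/replicate-key. Policy (inside
    aws_param), policytemplate and the key_admins/key_users/external_accounts
    group are mutually exclusive, as the Note on this page states."""
    aws_param = dict(aws_param or {})
    grants = [g for g in (key_admins, key_users, external_accounts) if g]
    selected = sum(1 for present in ("Policy" in aws_param, bool(policytemplate), bool(grants)) if present)
    if selected > 1:
        raise ValueError("Policy, policytemplate and key_admins/key_users/external_accounts are mutually exclusive")
    for tag in aws_param.get("Tags", []):
        if not TAG_VALUE.match(str(tag.get("TagValue", ""))):
            raise ValueError("tag value %r contains characters CCKM does not allow" % tag.get("TagValue"))
    body = {"ReplicaRegion": replica_region, "aws_param": aws_param}
    if policytemplate:
        body["policytemplate"] = policytemplate
    for name, value in (("key_admins", key_admins), ("key_users", key_users),
                        ("external_accounts", external_accounts)):
        if value:
            body[name] = list(value)
    return body


def region_role(record):
    """Return (MultiRegionKeyType, primary region, [replica regions]) from a
    key record's MultiRegionConfiguration."""
    aws = record.get("aws_param", {})
    mrc = aws.get("MultiRegionConfiguration")
    if not aws.get("MultiRegion") or not mrc:
        raise ValueError("record %s is not a multi-region key" % record.get("id"))
    return (mrc["MultiRegionKeyType"], mrc["PrimaryKey"]["Region"],
            [r["Region"] for r in mrc.get("ReplicaKeys", [])])


def can_promote(record, primary_region):
    """Preconditions for update-primary-region: the record is a replica, it
    lives in primary_region, that region is registered as a replica region,
    and it is not already the primary."""
    role, primary, replicas = region_role(record)
    if role != "REPLICA":
        return False, "record is not a replica key"
    if primary_region == primary:
        return False, "%s is already the primary region" % primary_region
    if record.get("region") != primary_region:
        return False, "record is in %s, not %s" % (record.get("region"), primary_region)
    if primary_region not in replicas:
        return False, "no replica registered in %s" % primary_region
    return True, "ok"


def build_update_primary_request(record, primary_region):
    """Body for POST /v1/cckm/aws/keys/{id}/update-primary-region, or a
    ValueError explaining why the promotion would be rejected."""
    ok, reason = can_promote(record, primary_region)
    if not ok:
        raise ValueError(reason)
    return {"PrimaryRegion": primary_region}
```

Promoting a replica also turns the old primary into a replica, so running can_promote against the record you intend to send, rather than against the primary's record, is what the API's {id} semantics require.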