Policy Template Management APIs
A default policy template is attached to AWS keys. With CCKM, you can create and attach custom policy templates to AWS keys. This section describes the CCKM policy template management APIs for AWS.
Creating Policy Templates
Use the post /v1/cckm/aws/templates API to create an AWS key policy template on CCKM. When creating a key policy template, you can specify policy parameters according to your requirements.
When a policy template is created, its status is unverified. A policy template can only be verified when it is applied to a key (during its creation). If the policy template is incorrect, the key creation fails.
Syntax
curl -k '<IP>/api/v1/cckm/aws/templates' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "kms": "<kms-name>",\n "key_users": ["<key-user>"]\n}' --compressed
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| kms | string | Name or ID of the KMS. |
| policy | JSON | Key policy attached to the key. Refer to Using key policies in AWS KMS for details. |
| external_accounts | array of strings | AWS accounts that can use this key. |
| key_admins | array of strings | IAM users who can administer this key using the KMS API. |
| key_users | array of strings | IAM users who can use this key in cryptographic operations. |
Note
policy and external_accounts, key_admins, and key_users are mutually exclusive. Specify either policy or any one of external_accounts, key_admins, or key_users. If no parameters are specified, the default policy is used.
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiMzUwZGQzOS1lNmEzLTQzNmItYjcyNi05YjlmNmNkMzVjZjciLCJzdWIiOiJsb2NhbHw4YTQ1MGNjZS02MGY4LTQxZTYtYTZkNS0xMTVkNDYzNDk5ZjUiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDk0NGUzZjctYzcyNi00YTQ1LThjY2YtMDk5ZTg0Zjg1NzU2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjNjMmFlMjA1LTYzZjMtNDgxNS1iYWVjLWU1NDBmOTE2ZTU1YSIsImlhdCI6MTYyMjE4NzgyMywiZXhwIjoxNjIyMTg4MTIzfQ.d2rAAQI-VP_xObiBDLCUh8A7M1LUxZhVfnIk87_3fIU' -H 'Content-Type: application/json' --data-binary $'{\n "kms": "kms",\n "key_users": ["cckm-user"]\n}' --compressed
Example Response
{
"id": "d16c6b36-3894-40f5-9387-44e0cfe26d65",
"uri": "kylo:kylo:cckm:aws-template:d16c6b36-3894-40f5-9387-44e0cfe26d65",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-28T07:45:27.466789159Z",
"updatedAt": "2021-05-28T07:45:27.464931181Z",
"key_users": [
"cckm-user"
],
"policy": {
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM UserName Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::556782317223:root"
]
},
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::556782317223:user/cckm-user"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::556782317223:user/cckm-user"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
},
"kms": "kms",
"is_verified": false
}
The sample output shows that an AWS key policy template with a unique ID (d16c6b36-3894-40f5-9387-44e0cfe26d65) is created on the AWS KMS.
In the output, "is_verified": false shows that the template is not yet used by a key and its status is unverified.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
Viewing the Policy Templates
Use the get /v1/cckm/aws/templates API to get the list of AWS key policy templates. The results can be filtered using the query parameters.
Syntax
curl -k '<IP>/api/v1/cckm/aws/templates?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
Request Query Parameters
| Parameter | Type | Description |
|---|---|---|
| id | string | ID of the policy template. |
| kms | string | Name or ID of the KMS. |
| skip | integer | Number of records to skip. For example, if "skip":5 is specified, the first five records will not be displayed in the output. |
| limit | integer | Numbers of records to display. For example, if "limit":10 is specified, then the next 10 records (after skipping the number of records specified in the skip parameter ) will be displayed in the output. |
| sort | string | Comma-delimited list of properties to sort the results. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiMzUwZGQzOS1lNmEzLTQzNmItYjcyNi05YjlmNmNkMzVjZjciLCJzdWIiOiJsb2NhbHw4YTQ1MGNjZS02MGY4LTQxZTYtYTZkNS0xMTVkNDYzNDk5ZjUiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDk0NGUzZjctYzcyNi00YTQ1LThjY2YtMDk5ZTg0Zjg1NzU2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjNjMmFlMjA1LTYzZjMtNDgxNS1iYWVjLWU1NDBmOTE2ZTU1YSIsImlhdCI6MTYyMjE4NzgyMywiZXhwIjoxNjIyMTg4MTIzfQ.d2rAAQI-VP_xObiBDLCUh8A7M1LUxZhVfnIk87_3fIU' --compressed
Example Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "d16c6b36-3894-40f5-9387-44e0cfe26d65",
"uri": "kylo:kylo:cckm:aws-template:d16c6b36-3894-40f5-9387-44e0cfe26d65",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-28T07:45:27.466789Z",
"updatedAt": "2021-05-28T07:45:27.464931Z",
"key_users": [
"cckm-user"
],
"policy": {
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM UserName Permissions",
"Action": [
"kms:*"
],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": [
"arn:aws:iam::556782317223:root"
]
}
},
{
"Sid": "Allow use of the key",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": [
"arn:aws:iam::556782317223:user/cckm-user"
]
}
},
{
"Sid": "Allow attachment of persistent resources",
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
},
"Principal": {
"AWS": [
"arn:aws:iam::556782317223:user/cckm-user"
]
}
}
]
},
"kms": "kms",
"is_verified": false
}
]
}
The sample output shows an AWS key policy template with the ID d16c6b36-3894-40f5-9387-44e0cfe26d65.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
Viewing Details of a Policy Template
Use the get /v1/cckm/aws/templates/{id} API to view the details of an AWS key policy template. When a template is created, the API shows "is_verified": false.
When you apply a template while creating an AWS key:
If the key is created or uploaded successfully, the template status changes to verified, and the template cannot be modified. It is indicated by
"is_verified": true.If the key creation fails, the template status remains
"is_verified": false.
Syntax
curl -k '<IP>/api/v1/cckm/aws/templates/{id}' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the ID of the policy template.
Request Parameter
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates/d16c6b36-3894-40f5-9387-44e0cfe26d65' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiMzUwZGQzOS1lNmEzLTQzNmItYjcyNi05YjlmNmNkMzVjZjciLCJzdWIiOiJsb2NhbHw4YTQ1MGNjZS02MGY4LTQxZTYtYTZkNS0xMTVkNDYzNDk5ZjUiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDk0NGUzZjctYzcyNi00YTQ1LThjY2YtMDk5ZTg0Zjg1NzU2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjNjMmFlMjA1LTYzZjMtNDgxNS1iYWVjLWU1NDBmOTE2ZTU1YSIsImlhdCI6MTYyMjE4NzgyMywiZXhwIjoxNjIyMTg4MTIzfQ.d2rAAQI-VP_xObiBDLCUh8A7M1LUxZhVfnIk87_3fIU' --compressed
Example Response
{
"id": "d16c6b36-3894-40f5-9387-44e0cfe26d65",
"uri": "kylo:kylo:cckm:aws-template:d16c6b36-3894-40f5-9387-44e0cfe26d65",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-28T07:45:27.466789Z",
"updatedAt": "2021-05-28T07:45:27.464931Z",
"key_users": [
"cckm-user"
],
"policy": {
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM UserName Permissions",
"Action": [
"kms:*"
],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": [
"arn:aws:iam::556782317223:root"
]
}
},
{
"Sid": "Allow use of the key",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": [
"arn:aws:iam::556782317223:user/cckm-user"
]
}
},
{
"Sid": "Allow attachment of persistent resources",
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
},
"Principal": {
"AWS": [
"arn:aws:iam::556782317223:user/cckm-user"
]
}
}
]
},
"kms": "kms",
"is_verified": "true"
}
The sample output shows details of the policy template with the ID d16c6b36-3894-40f5-9387-44e0cfe26d65. In the output, "is_verified": "true" shows that the template has been used by an AWS key.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
Deleting a Policy Template
Use the delete /v1/cckm/aws/templates/{id} API to delete an AWS key policy template.
Syntax
curl -k '<IP>/api/v1/cckm/aws/templates/{id}' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the ID of the policy template.
Request Parameter
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates/d16c6b36-3894-40f5-9387-44e0cfe26d65' -X DELETE -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiMzUwZGQzOS1lNmEzLTQzNmItYjcyNi05YjlmNmNkMzVjZjciLCJzdWIiOiJsb2NhbHw4YTQ1MGNjZS02MGY4LTQxZTYtYTZkNS0xMTVkNDYzNDk5ZjUiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDk0NGUzZjctYzcyNi00YTQ1LThjY2YtMDk5ZTg0Zjg1NzU2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjNjMmFlMjA1LTYzZjMtNDgxNS1iYWVjLWU1NDBmOTE2ZTU1YSIsImlhdCI6MTYyMjE4NzgyMywiZXhwIjoxNjIyMTg4MTIzfQ.d2rAAQI-VP_xObiBDLCUh8A7M1LUxZhVfnIk87_3fIU' --compressed
Example Response
{
"status": 204
}
The policy template with the ID d16c6b36-3894-40f5-9387-44e0cfe26d65 is deleted.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
