Enabling Automatic Key Rotation
Use the post /v1/cckm/aws/keys/{id}/enable-auto-rotation API to enable automatic rotation for the AWS native keys. The AWS KMS will generate a new key material for the keys every year.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/enable-auto-rotation' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the key ID.
Request Parameter
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| rotation_period_in_days (optional) | string | Specify the rotation period in days. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/enable-auto-rotation' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNWMwZGJlNC1lMmJmLTQ3M2MtODY4MC01NWVkMWIzMDEzMmEiLCJzdWIiOiJsb2NhbHxhNjdjMzc0OC05YTRiLTRhZGQtYjNkOS0wNTRiYTIwYmUzYWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDhkNDI5ZjktNDgzYi00ODdlLWJjOTQtNGE1Mjc2ZDI2ZjZjIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImIyZjQxZTFiLTc0MmQtNDA1Mi04NTA5LWRlZDE1NjNjNjRmNCIsImlhdCI6MTYwNDU1OTAyMywiZXhwIjoxNjA0NTU5MzIzfQ.R9TjeIn5d9N7-V_8FGcl-90aRarpQayXfBL2OJ50AKk' --compressed
Example Response
{
"id": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"uri": "kylo:kylo:cckm:aws-key:677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-24T04:10:56.180805743Z",
"updatedAt": "2020-07-24T04:10:56.177874659Z",
"kms_id": "ebdd67ec-a87b-4ae6-ae71-fd4dd3e3a5ad",
"kms": "kms-name",
"rotation_status": "ACTIVE",
"synced_at": "2020-07-24T04:10:56.125474304Z",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-southeast-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-southeast-1:123456789012:key/677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "Description",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-07-24T04:10:55Z",
"Policy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
},
"Alias": [
"alias/Test"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": true,
"RotationPeriodInDays": 90,
"NextRotationDate": "2024-11-26T06:46:18.713Z"
}
}
The sample output shows that the KeyRotationEnabled parameter is set to true. This indicates that the key (with ID baf58871-2503-4d13-a84a-339aeb8fdfaf) is ready for automatic key rotation.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
