Importing Key Material to AWS KMS
Use the POST /v1/cckm/aws/keys/{id}/import-material API to import the key material to the AWS KMS.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/import-material' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "source_key_tier": "<source_key_tier>",\n "source_key_identifier": "<source_key_identifier>",\n "key_expiration": <boolean>,\n "valid_to": "<key validity>"\n}' --compressed
Here, {id} represents the key material ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
key_expiration | boolean | Flag to disable encryption on the key which is getting rotated. |
source_key_tier | string | Tier of the source. Possible options are: • local for CipherTrust Manager (default) • dsm for Data Security Manager • external-cm for external CipherTrust Manager • hsm-luna for Luna HSM (an FM-enabled Luna HSM is not supported as a key source). |
source_key_identifier | string | Name or ID of the key to be imported to the AWS KMS. • If source_key_tier is local, this is the ID of the CipherTrust Manager key to be uploaded; by default, a new CipherTrust Manager key is generated automatically. • If source_key_tier is dsm, this is the ID of the DSM key to be uploaded. source_key_identifier is a mandatory parameter. If the key material is reimported, AWS allows reimporting the same key material only, so the source_key_identifier of the same CipherTrust Manager or DSM key that was imported previously must be provided. |
valid_to | string | Key expiration time of the newly rotated key; must be formatted as per RFC 3339. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/40387a72-6e24-4cdd-8840-b586757c44bf/import-material' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "source_key_identifier": "test-key",\n "key_expiration": true,\n "valid_to": "2020-12-04T06:51:18.505860192Z"\n}' --compressed
Example Response
{
  "id": "40387a72-6e24-4cdd-8840-b586757c44bf",
  "uri": "kylo:kylo:cckm:aws-key:40387a72-6e24-4cdd-8840-b586757c44bf",
  "account": "kylo:kylo:admin:accounts:kylo",
  "application": "ncryptify:gemalto:admin:apps:kylo",
  "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
  "createdAt": "2020-11-05T07:01:48.965088Z",
  "updatedAt": "2020-11-05T07:02:26.388806901Z",
  "kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
  "kms": "kms",
  "synced_at": "2020-11-05T07:01:48.959221Z",
  "rotation_status": "",
  "local_key_id": "361d928ac7e340d093e7d231c80ca934acc62528601647ce86a219c9a82f4f93",
  "local_key_name": "test-key",
  "cloud_name": "aws",
  "key_type": "symmetric",
  "basic_view_enabled": false,
  "region": "ap-south-1",
  "gone": false,
  "key_material_origin": "cckm",
  "aws_param": {
    "AWSAccountId": "123456789012",
    "Arn": "arn:aws:kms:ap-south-1:123456789012:key/031c5703-aaf7-425e-a141-7e0c6f5886ab",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "Enabled": true,
    "EncryptionAlgorithms": [
      "SYMMETRIC_DEFAULT"
    ],
    "KeyID": "031c5703-aaf7-425e-a141-7e0c6f5886ab",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "EXTERNAL",
    "CreationDate": "2020-11-05T07:01:36Z",
    "Policy": {
      "Id": "key-default-1",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Enable IAM User Permissions",
          "Action": "kms:*",
          "Effect": "Allow",
          "Resource": "*",
          "Principal": {
            "AWS": "arn:aws:iam::123456789012:root"
          }
        }
      ]
    },
    "Alias": [
      "alias/aws-test-key-External"
    ],
    "Tags": [
      {
        "TagKey": "key",
        "TagValue": "value"
      }
    ],
    "ValidTo": "2020-12-04T06:51:18.505860192Z",
    "KeyRotationEnabled": false,
    "ExpirationModel": "KEY_MATERIAL_EXPIRES"
  }
}
The sample output shows that the key material is imported to the AWS KMS. As the key is not created on the AWS KMS, its origin is EXTERNAL. A unique ID (40387a72-6e24-4cdd-8840-b586757c44bf) for the imported key is returned.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
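As an added example (not CipherTrust Manager code), the following Python script builds and validates the request body from the parameters described above, submits it over verified TLS, and checks the returned aws_param fields the way the explanation of the example response does (Origin must be EXTERNAL, and ValidTo/ExpirationModel show whether the material expires). The host, key ID, token and CA path in the main block are placeholders; SAMPLE_RESPONSE is a trimmed copy of the example response above; the helper names are this example's own.

```python
"""Client-side helpers for the CCKM "import key material to AWS KMS" call.
Added example, not CipherTrust Manager code."""
import json
import re
import ssl
import urllib.request
from datetime import datetime, timezone

# Documented values of source_key_tier.
SOURCE_KEY_TIERS = {"local", "dsm", "external-cm", "hsm-luna"}

_RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp (valid_to, ValidTo) into an aware datetime.
    AWS and CCKM emit nanosecond fractions while datetime keeps microseconds,
    so the fraction is truncated to six digits before parsing."""
    match = _RFC3339.match(value)
    if not match:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    base, frac, tz = match.groups()
    frac = (frac or ".0")[:7].ljust(7, "0")  # ".505860192" -> ".505860"
    return datetime.fromisoformat(base + frac + ("+00:00" if tz == "Z" else tz))


def build_import_body(source_key_identifier, source_key_tier="local",
                      key_expiration=False, valid_to=None, now=None):
    """Return the JSON body for POST /v1/cckm/aws/keys/{id}/import-material.
    Checks run before anything is sent: the identifier is mandatory, the tier
    must be a documented one, and with key_expiration set, valid_to must be
    RFC 3339 and in the future. `now` (datetime or RFC 3339 string) makes the
    expiry check reproducible in tests."""
    if not source_key_identifier:
        raise ValueError("source_key_identifier is mandatory")
    if source_key_tier not in SOURCE_KEY_TIERS:
        raise ValueError(f"unsupported source_key_tier: {source_key_tier!r}")
    body = {
        "source_key_tier": source_key_tier,
        "source_key_identifier": source_key_identifier,
        "key_expiration": bool(key_expiration),
    }
    if key_expiration:
        if valid_to is None:
            raise ValueError("valid_to is required when key_expiration is true")
        expiry = parse_rfc3339(valid_to)
        if isinstance(now, str):
            now = parse_rfc3339(now)
        if expiry <= (now or datetime.now(timezone.utc)):
            raise ValueError(f"valid_to {valid_to} is not in the future")
        body["valid_to"] = valid_to
    return body


def import_body_error(**kwargs):
    """Return the validation error for build_import_body(**kwargs), or None."""
    try:
        build_import_body(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def summarize_import_response(resp):
    """Extract what an operator verifies after an import: Origin must be
    EXTERNAL (material imported, not generated by AWS), the key state, and
    whether and when the material expires."""
    aws = resp["aws_param"]
    return {
        "id": resp["id"],
        "imported": aws.get("Origin") == "EXTERNAL",
        "state": aws.get("KeyState"),
        "expires": aws.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES",
        "valid_to": parse_rfc3339(aws["ValidTo"]) if aws.get("ValidTo") else None,
    }


def import_material(base_url, key_id, token, body, cafile=None):
    """POST the body to CCKM and return the decoded JSON response. Unlike the
    curl example's -k, the TLS certificate is verified: pass the CA file of
    your CipherTrust Manager, or None to use the system trust store."""
    url = f"{base_url}/api/v1/cckm/aws/keys/{key_id}/import-material"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


# Trimmed copy of the page's example response, used as offline sample input.
SAMPLE_RESPONSE = {
    "id": "40387a72-6e24-4cdd-8840-b586757c44bf",
    "local_key_name": "test-key",
    "key_material_origin": "cckm",
    "aws_param": {
        "KeyID": "031c5703-aaf7-425e-a141-7e0c6f5886ab",
        "KeyState": "Enabled",
        "Origin": "EXTERNAL",
        "ValidTo": "2020-12-04T06:51:18.505860192Z",
        "ExpirationModel": "KEY_MATERIAL_EXPIRES",
    },
}

if __name__ == "__main__":
    body = build_import_body("test-key", key_expiration=True,
                             valid_to="2030-01-01T00:00:00Z")
    print(json.dumps(body, indent=2))
    print(summarize_import_response(SAMPLE_RESPONSE))
    # To send for real (placeholder host, key ID, token and CA file):
    # import_material("https://127.0.0.1", "<key id>", "<AUTHTOKEN>", body,
    #                 cafile="/path/to/ctm-ca.pem")
```

The validation mirrors the parameter table: a missing source_key_identifier, an undocumented source_key_tier, or key_expiration without a parsable, future valid_to is rejected locally, so the only requests that reach CipherTrust Manager are ones the API documents as valid.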
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.