Replicating Multi-Region AWS Keys
Use the post /v1/cckm/aws/keys/{id}/replicate-key API to replicate a multi-region AWS key to different AWS regions. When replicating the key, specify the desired AWS region.
When you replicate a multi-region primary key with imported key material (that is, key material uploaded from CCKM), the replicate process does not return a replica key with the same key material as the primary key. Instead, it returns a replica key with no key material and a key state of PendingImport. To enable the replica key, you must import the same key material into the replica key that you imported into its primary key.
Syntax
Here, {id} represents the resource ID of the primary multi-region AWS key.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
replica_region | string | Name of the region where the key is to be replicated. |
aws_param | JSON | Key parameters such as alias, description, and usage. Refer to AWS Key Parameters for details. |
external_accounts | array of strings | AWS accounts that can use this key. |
key_admins | array of strings | IAM users who can administer this key using the KMS API. |
key_admins_roles | array of strings | IAM roles that can administer this key using the KMS API. |
key_users | array of strings | IAM users who can use this key in cryptographic operations. |
key_users_roles | array of strings | IAM roles that can use the CMK in cryptographic operations. |
policytemplate | string | ID of the policy template to apply. Note: When a policy template is applied to an AWS key, CCKM adds the template tag ( cckm_policy_template_id ) to the key. Do not modify or delete this tag on the AWS cloud. |
Note
Specify Policy, policytemplate, or one of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.
AWS Key Parameters
Parameter | Type | Description |
---|---|---|
Alias | string | Alias of the key. |
BypassPolicyLockoutSafetyCheck | boolean | Flag to bypass the key policy lockout safety check. |
Description | string | Description of the key. |
Origin | string | Source of the AWS customer master key (CMK) key material. The key origin cannot be changed. The origin of the key can be: • AWS_KMS • EXTERNAL |
Policy | JSON | Key policy to attach to the CMK. |
Tags | array of JSONs | An optional parameter to add additional information to the key. The value must be specified as a key-value pair. CCKM allows the following characters in tag values: • Alphanumeric characters • Special characters _ . / = + - @ |
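
The following pre-flight check for the request body is an added example, not Thales or CCKM code. It enforces the mutual-exclusivity note and the tag-value character rule above before anything is sent to the API. Assumptions: the five principal lists count as a single policy option, each tag is an object with `TagKey` and `TagValue`, and the opt-in for `BypassPolicyLockoutSafetyCheck` is a local guard, not a CCKM rule; the function name and sample values are hypothetical.

```python
import re

# Tag values: alphanumerics plus the special characters this page lists.
TAG_VALUE_RE = re.compile(r"[A-Za-z0-9_./=+\-@]*")
# Assumption: these five lists together form one policy option.
PRINCIPAL_FIELDS = ("key_admins", "key_admins_roles", "key_users",
                    "key_users_roles", "external_accounts")


def build_replicate_body(replica_region, aws_param=None, policytemplate=None,
                         allow_lockout_bypass=False, **principals):
    """Return the replicate-key JSON body as a dict, or raise ValueError."""
    if not replica_region:
        raise ValueError("replica_region is required")
    unknown = set(principals) - set(PRINCIPAL_FIELDS)
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    aws_param = dict(aws_param or {})
    principals = {k: v for k, v in principals.items() if v}

    # Policy, policytemplate and the principal lists are mutually exclusive.
    chosen = [name for name, present in (
        ("Policy", "Policy" in aws_param),
        ("policytemplate", bool(policytemplate)),
        ("principal lists", bool(principals))) if present]
    if len(chosen) > 1:
        raise ValueError("mutually exclusive: " + ", ".join(chosen))

    # Local guard (not a CCKM rule): skipping the lockout check needs opt-in.
    if aws_param.get("BypassPolicyLockoutSafetyCheck") and not allow_lockout_bypass:
        raise ValueError("BypassPolicyLockoutSafetyCheck needs explicit opt-in")

    # Assumption: each tag is {"TagKey": ..., "TagValue": ...}.
    for tag in aws_param.get("Tags", []):
        value = str(tag.get("TagValue", ""))
        if not TAG_VALUE_RE.fullmatch(value):
            raise ValueError(f"disallowed characters in tag value: {value!r}")

    body = {"replica_region": replica_region, **principals}
    if aws_param:
        body["aws_param"] = aws_param
    if policytemplate:
        body["policytemplate"] = policytemplate
    return body


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(build_replicate_body("ap-southeast-1", key_admins_roles=["KeyAdminRole"],
                               aws_param={"Alias": "replica-demo"}))
```

Calling it with only `replica_region` returns a body with no policy fields, which corresponds to the default-policy case described in the note.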
Example Request
Example Response
The sample output shows that the AWS key (with the unique ID baf58871-2503-4d13-a84a-339aeb8fdfaf of the AWS region ap-south-1) is replicated to the AWS region ap-southeast-1. The unique ID of the replica key is a152ad26-df3f-4116-abae-b93a914e76ac.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.