Creating a Google Cloud Key
Use the post /v1/cckm/google/keys API to create a new Google Cloud key.
Syntax
curl -k '<IP>/api/v1/cckm/google/keys' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "key_ring": "<key-ring-name>",\n "gcp_key_params": {\n "gcp_key_params"\n }\n}' --compressed
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| gcp_key_params | JSON | Parameters to specify properties of the Google Cloud key. Refer to Google Cloud Key Parameters for details. |
| key_ring | string | ID or resource URL of the Google Cloud key ring where the key is to be created. |
Google Cloud Key Parameters
| Parameter | Type | Description |
|---|---|---|
| algorithm | string | Algorithm for the Google Cloud key. The supported algorithms are: • RSA_SIGN_PSS_2048_SHA256 • RSA_SIGN_PSS_3072_SHA256 • RSA_SIGN_PSS_4096_SHA256 • RSA_SIGN_PSS_4096_SHA512 • RSA_SIGN_PKCS1_2048_SHA256 • RSA_SIGN_PKCS1_3072_SHA256 • RSA_SIGN_PKCS1_4096_SHA256 • RSA_SIGN_PKCS1_4096_SHA512 • RSA_DECRYPT_OAEP_2048_SHA256 • RSA_DECRYPT_OAEP_3072_SHA256 • RSA_DECRYPT_OAEP_4096_SHA256 • RSA_DECRYPT_OAEP_4096_SHA512 • EC_SIGN_P256_SHA256 • EC_SIGN_P384_SHA384 • EC_SIGN_SECP256K1_SHA256 (Only for protection level, HSM) • GOOGLE_SYMMETRIC_ENCRYPTION • HMAC_SHA256 |
| key_name | string | Name for the Google Cloud key. |
| protection_level | string | Protection level for the Google Cloud key. The options are: • SOFTWARE • HSM |
| purpose | string | Purpose of the Google Cloud key. A key purpose specifies the operation that the key can be used to perform. The options are: • ASYMMETRIC_SIGN (for asymmetric keys) • ASYMMETRIC_DECRYPT (for asymmetric keys) • ENCRYPT_DECRYPT (for symmetric keys) • MAC (for symmetric keys) Refer to Key purposes and algorithms for details. |
| labels | string of JSON | Labels (tags) attached to the Google Cloud key in the form of key-value JSON pairs, for example, "isakey": "yes". For Google label requirements, refer to Google Cloud requirements for labels. |
| next_rotation_time | string | Time when the Google Cloud key will be automatically rotated by Google Cloud KMS (symmetric key only). The time must be in the RFC3339 format, for example, "2022-07-31T17:18:37.085Z". |
| rotation_period | string | (Symmetric keys only) Frequency at which the Google Cloud key will be automatically rotated by Google Cloud KMS. The frequency must be in the format "<duration>s", that is, duration in seconds terminated by s, for example, "360000s". |
| destroy_scheduled_duration | string | The time that a schedule takes to destroy the Google Cloud key. The time must be in the format "<duration>s", that is, duration in seconds terminated by s, for example, "360000s". |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/google/keys' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI0MmFmZDExNy02YzllLTRhNGUtOTAwYS1lYjlhNDNjYWE5ZDIiLCJzdWIiOiJsb2NhbHwzMTI5ODdkMS0wOWNiLTQxZTEtOThmNy1jZjRhNzgwNTZiMTMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiNDVmOWE3NWUtMzI1NC00NWJkLWE0NzYtOWU2NWUyNjdmNGVkIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjdiYzNkOWM4LWRiYTQtNDVmMy05YWNiLWI3NGM2MzQyYzYyMCIsImlhdCI6MTYxNDc1MTg1MSwiZXhwIjoxNjE0NzUyMTUxfQ.ahdxfM7-WA4u7sotHy6qelc9MkoZytst7oZWsvE7Cr0' -H 'Content-Type: application/json' --data-binary $'{\n "key_ring": "projects/gemalto-kyloeng/locations/global/keyRings/ny-test-ring",\n "gcp_key_params": {\n "key_name": "NewTestKey",\n "purpose": "ENCRYPT_DECRYPT",\n "protection_level": "SOFTWARE",\n "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",\n "labels": {\n "isakey": "yes"\n }\n }\n}' --compressed
Example Response
{
"id": "2f18eade-2fd9-4c48-85f7-550107729299",
"uri": "kylo:kylo:cckm:gcp-keys:2f18eade-2fd9-4c48-85f7-550107729299",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2021-05-04T11:29:39.90657103Z",
"updatedAt": "2021-05-04T11:29:39.90537929Z",
"cloud_name": "gcp",
"key_id": "NewTestKey",
"project_id": "gemalto-kyloeng",
"location_id": "global",
"key_ring_id": "ny-test-ring",
"key_ring_name": "projects/gemalto-kyloeng/locations/global/keyRings/ny-test-ring",
"gone": false,
"auto_rotate": false,
"status": "AVAILABLE",
"gcp_params": {
"name": "projects/gemalto-kyloeng/locations/global/keyRings/ny-test-ring/cryptoKeys/NewTestKey",
"primary": "projects/gemalto-kyloeng/locations/global/keyRings/ny-test-ring/cryptoKeys/NewTestKey/cryptoKeyVersions/1",
"createTime": "2021-05-04T11:29:40.551270629Z",
"labels": {
"isakey": "yes"
},
"purpose": "ENCRYPT_DECRYPT",
"next_rotation_time": null,
"destroy_scheduled_duration": "2592000s",
"protectionLevel": "SOFTWARE",
"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"
}
}
The sample output shows that a new Google Cloud key with the resource ID 2f18eade-2fd9-4c48-85f7-550107729299 is created. This ID is used to view, update, and delete a Google Cloud key and add and view its versions.
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
