Key Policies
A key policy consists of all the permissions that are applied to a given label. It is a mapping of labels to their corresponding permissions. Clients, users, and groups can have access to these permissions. It outlines which clients, users, or organizations are permitted to use, read, sign, or interact with the key. Therefore, all labels associated with a key are retrieved anytime an action on that key is performed. The client, user, or group is then determined to be permitted to operate by computing all important policies connected to these labels.
This feature allows the Key Admins and Admins to perform the following operations on Key Policies:
- Create
- Update
- Delete
- List
Permission Set
A permission set is a collection of permissions that grants you access to different operations that can be performed on the keys. For example, 'UseKey', 'ReadKey', 'SignWithKey', and so on.
The permission_set specifies which clients, users, or groups have permission to use a key, read a key, sign a key, and other operations.
{
"clients": {
"UseKey": [],
"ReadKey": ["ClientID"],
"SignWithKey": [],
"DecryptWithKey": [],
"EncryptWithKey": [],
"SignVerifyWithKey": [],
"ExportKey" :[],
"UploadKey" :[]
},
"groups": {
"UseKey": [],
"ReadKey": ["Application Data Protection Admins"],
"SignWithKey": [],
"DecryptWithKey": [],
"EncryptWithKey": [],
"SignVerifyWithKey": [],
"ExportKey" :[],
"UploadKey" :[]
},
"users": {
"UseKey": [],
"ReadKey": ["UserID"],
"SignWithKey": [],
"DecryptWithKey": [],
"EncryptWithKey": [],
"SignVerifyWithKey": [],
"ExportKey" :[],
"UploadKey" :[]
}
}
Managing Key Policies using ksctl
The following operations can be performed on Key Policies using ksctl:
Note
-
The mandatory parameters such as
name
,label-selector
, andpermissions
are required to be provided while creating a Key policy. -
The format of label-selector must be correct -
label-selector env=test
. -
Only the operators '=' and 'in' are supported. Also, multiple conditions can be combined using ','. For example,
env in (test1,test2), test3=test4
.
Creating a Key Policy
To create a Key Policy, run the following command:
Syntax
./ksctl key-policy create --name <name> --description <description> --label-selector <label_selector> --permissions <permission_set>
Example Request
./ksctl key-policy create --name testPolicy --description testing --label-selector env=test1 --permissions '{"groups":{"ReadKey":["group1"]}}'
Example Response
{
"id": "3222a138-28b2-4e4d-9269-d8bf01fe7cfe",
"uri": "kylo:kylo:vault:key_policy:testpolicy-3222a138-28b2-4e4d-9269-d8bf01fe7cfe",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-08-25T12:24:59.52885Z",
"name": "testPolicy",
"description": "testing",
"label_selector": "env=test1",
"permissions": {
"clients": {},
"users": {},
"groups": {
"ReadKey": [
"group1"
]
}
}
}
Updating a Key Policy
Syntax
./ksctl key-policy update --id <id> --description <new_description> --permissions <new_permission_set>
Example Request
./ksctl key-policy update --id 3222a138-28b2-4e4d-9269-d8bf01fe7cfe --permissions '{"groups":{"ReadKey":["test2"]}}'
Example Response
{
"id": "3222a138-28b2-4e4d-9269-d8bf01fe7cfe",
"uri": "kylo:kylo:vault:key_policy:testpolicy-3222a138-28b2-4e4d-9269-d8bf01fe7cfe",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-08-25T12:24:59.52885Z",
"name": "testPolicy",
"description": "testing",
"label_selector": "env=test1",
"permissions": {
"clients": {},
"users": {},
"groups": {
"ReadKey": [
"test2"
]
}
}
}
Getting details of a Key Policy
Syntax
./ksctl key-policy get --id <id>
Example Request
./ksctl key-policy get --id 3222a138-28b2-4e4d-9269-d8bf01fe7cfe
Example Response
{
"id": "3222a138-28b2-4e4d-9269-d8bf01fe7cfe",
"uri": "kylo:kylo:vault:key_policy:testpolicy-3222a138-28b2-4e4d-9269-d8bf01fe7cfe",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-08-25T12:24:59.52885Z",
"name": "testPolicy",
"description": "testing",
"label_selector": "env=test1",
"permissions": {
"clients": {},
"users": {},
"groups": {
"ReadKey": [
"test2"
]
}
}
}
Deleting a Key Policy
Syntax
./ksctl key-policy delete --id <id>
Example Request
./ksctl key-policy delete --id 3222a138-28b2-4e4d-9269-d8bf01fe7cfe
Getting a list of Key Policies
Syntax
./ksctl key-policy list
Example Request
./ksctl key-policy list --labels '[{"env":"test1"}]'
Example Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "3222a138-28b2-4e4d-9269-d8bf01fe7cfe",
"uri": "kylo:kylo:vault:key_policy:testpolicy-3222a138-28b2-4e4d-9269-d8bf01fe7cfe",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-08-25T12:24:59.52885Z",
"name": "testPolicy",
"description": "testing",
"label_selector": "env=test1",
"permissions": {
"clients": {},
"users": {},
"groups": {
"ReadKey": [
"test2"
]
}
}
}
]
}