Scheduling Key Deletion
Use the post /v1/cckm/aws/keys/{id}/schedule-deletion
API to schedule deletion of a key.
Note
You can schedule the deletion of a multi-Region primary key at any time. However, AWS KMS will not delete a multi-Region primary key that has replica keys, even if they are scheduled for deletion.
Tip
-
To delete a multi-region primary key, you must schedule the deletion of all of its replica keys, and then wait for the replica keys to be deleted. The required waiting period for deleting a primary key begins when the last of its replica keys is deleted. If you must delete a primary key from a particular Region without deleting its replica keys, change the primary key to a replica key by updating the primary Region.
-
If any replica keys still exist, the key state of the primary key changes to Pending replica deletion (
PendingReplicaDeletion
). Otherwise, it changes to Pending deletion (PendingDeletion
). In either case, you cannot use the primary key in cryptographic operations and you cannot replicate it.
Syntax
curl -k '<IP>/api/v1/cckm/aws/keys/{id}/schedule-deletion' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "days": <days>\n}' --compressed
Here, {id}
represents the key ID.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
days | integer | Number of days after which the key will be deleted. The days must be between 7 and 30. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/schedule-deletion' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNWMwZGJlNC1lMmJmLTQ3M2MtODY4MC01NWVkMWIzMDEzMmEiLCJzdWIiOiJsb2NhbHxhNjdjMzc0OC05YTRiLTRhZGQtYjNkOS0wNTRiYTIwYmUzYWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDhkNDI5ZjktNDgzYi00ODdlLWJjOTQtNGE1Mjc2ZDI2ZjZjIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjJhN2Y2MWM0LTAyZDYtNDcyOC1hNjE2LTNiNGE1NWMzMzFiNSIsImlhdCI6MTYwNDU1ODY5NSwiZXhwIjoxNjA0NTU4OTk1fQ.j7dg_wOMie9RoTy_i3EbAx_yQGyrw4_4n5kaHp0EmN0' -H 'Content-Type: application/json' --data-binary $'{\n "days": 7\n}' --compressed
Example Response
{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:48:43.972188229Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:38:27.581643Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "key-description",
"Enabled": false,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
"KeyManager": "CUSTOMER",
"KeyState": "PendingDeletion",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-11-05T06:35:29Z",
"Policy": {
"Id": "key-default-1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Action": "kms:*",
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
},
"Alias": [
"alias/aws-test-key"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"DeletionDate": "2020-11-12T06:48:43.971985424Z",
"KeyRotationEnabled": false
}
}
The sample output shows that the key will be deleted after 7 days. When key deletion is scheduled, the state of the key changes from enabled to pending deletion.
To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.