Policy Template Management APIs
A default policy template is attached to AWS keys. With CCKM, you can create and attach custom policy templates to AWS keys. This section describes the CCKM policy template management APIs for AWS.
Creating Policy Templates
Use the post /v1/cckm/aws/templates API to create an AWS key policy template on CCKM. When creating a key policy template, you can specify policy parameters according to your requirements.
When a policy template is created, its status is unverified. A policy template can only be verified when it is applied to a key (during its creation). If the policy template is incorrect, the key creation fails.
Note
To create a policy template, you must have the keycreate, keyupload, hyokkeycreate, or cloudhsmkeycreate permission.
Syntax
curl -k '<IP>/api/v1/cckm/aws/templates' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "kms": "<kms-name>",\n "name": "<name>",\n "key_users": ["<key-user>"]\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
kms | string | Name or ID of the KMS. |
name | string | Name for the policy template. |
policy | JSON | Key policy attached to the key. Refer to Using key policies in AWS KMS for details. |
external_accounts | array of strings | AWS accounts that can use this key. |
key_admins | array of strings | IAM users who can administer this key using the KMS API. |
key_admins_roles | array of strings | IAM roles that can administer this key using the KMS API. |
key_users | array of strings | IAM users who can use this key in cryptographic operations. |
key_users_roles | array of strings | IAM roles that can use the CMK in cryptographic operations. |
account_id | string | ID of the AWS account used to create the key policy. |
Note
- Specify policy or one of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.
- If account_id is provided, the keys of the kms that belongs to the account linked with the specified account_id can use the created policy template.
- If the kms is provided, the keys of the provided kms can use the created policy template.
- kms and account_id are mutually exclusive; specify either. If neither is specified, the created policy template cannot be applied. If neither kms nor account_id is specified, you need to specify policy.
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.d2rAAQI-VP_xObiBDLCUh8A7M1LUxZhVfnIk87_3fIU' -H 'Content-Type: application/json' --data-binary $'{\n "kms": "kms",\n "key_users": ["aws-user"]\n}' --compressed
Example Response
{
"id": "6b9f2043-0a99-4041-a62d-4f6eaa408fb5",
"name": "demo-policy-template",
"uri": "kylo:kylo:cckm:aws-template:642aafda",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-17T11:01:08.226051365Z",
"updatedAt": "2021-05-17T11:01:08.218122217Z",
"key_users": [
"aws-user"
],
"key_users_roles": [
"iam-role"
],
"key_admins": [
"aws-user"
],
"key_admins_roles": [
"iam-role"
],
"external_accounts": null,
"policy": {
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement":
[
{
"Sid": "Enable IAM UserName Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:root"
]
},
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/aws-user",
"arn:aws:iam::123456789012:role/iam-role"
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/aws-user",
"arn:aws:iam::123456789012:role/iam-role"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/aws-user",
"arn:aws:iam::123456789012:role/iam-role"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
},
"kms_name": "aws-kms",
"kms": "3ed28894-b9f8-4c5e-bc26-daed0c3bda26",
"account_id": 123456789012,
"cloud": "aws",
"is_verified": false
}
The sample output shows that an AWS key policy template with a unique ID (6b9f2043-0a99-4041-a62d-4f6eaa408fb5) is created on the AWS KMS.
In the output, "is_verified": false shows that the template is not yet used by a key and its status is unverified.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Viewing the Policy Templates
Use the get /v1/cckm/aws/templates API to get the list of AWS key policy templates. The results can be filtered using the query parameters.
Note
To view policy templates, you must have the view, viewnative, viewbyok, or viewhyokkey permission.
Syntax
curl -k '<IP>/api/v1/cckm/aws/templates?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the policy template. |
name | string | Name of the policy template. |
kms_name | string | Name or ID of the KMS. |
account_id | string | ID of the AWS KMS account. |
policy_type | string | Type of the policy. |
cloud | string | Name of the AWS cloud. |
is_verified | string | Whether the template is verified. |
skip | integer | Number of records to skip. For example, if "skip":5 is specified, the first five records will not be displayed in the output. |
limit | integer | Number of records to display. For example, if "limit":10 is specified, then the next 10 records (after skipping the number of records specified in the skip parameter) will be displayed in the output. |
sort | string | Comma-delimited list of properties to sort the results. |
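The skip, limit and sort parameters above page through the template list; a practitioner usually wants to walk the whole list, for instance to find templates that no key has verified yet. This Python is an added example, not CCKM code: the fetch_page callable, BASE_URL, CA_BUNDLE and the sample records are assumptions, and the transport is injected so the paging logic runs offline against constructed data.

```python
"""Walk every page of GET /v1/cckm/aws/templates and report templates that
are still unverified.

Added example, not CCKM code. The HTTP transport is injected as a callable
`fetch_page(skip, limit)` so the paging logic can run offline; that
signature, BASE_URL, CA_BUNDLE and SAMPLE_TEMPLATES are assumptions.
"""
import json
import ssl
import urllib.parse
import urllib.request

BASE_URL = "https://cckm.example.internal"  # assumption: your CCKM host
CA_BUNDLE = "/etc/ssl/certs/cckm-ca.pem"    # assumption: used instead of curl -k


def list_url(skip, limit, **filters):
    """Build the list URL; extra filters map to the documented query parameters."""
    params = {"skip": skip, "limit": limit, "sort": "updatedAt"}
    params.update({k: v for k, v in filters.items() if v is not None})
    return f"{BASE_URL}/api/v1/cckm/aws/templates?{urllib.parse.urlencode(params)}"


def http_fetch_page(token):
    """Return a fetch_page(skip, limit) callable that talks to a live CCKM."""
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)

    def fetch_page(skip, limit):
        req = urllib.request.Request(list_url(skip, limit),
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    return fetch_page


def iter_templates(fetch_page, page_size=10):
    """Yield every template, advancing skip until `total` records were seen."""
    skip = 0
    while True:
        page = fetch_page(skip, page_size)
        resources = page.get("resources") or []
        yield from resources
        skip += len(resources)
        if not resources or skip >= page.get("total", 0):
            return


def unverified_templates(fetch_page, page_size=10):
    """(name, id) of templates no key has used yet, i.e. is_verified false."""
    return [(t["name"], t["id"]) for t in iter_templates(fetch_page, page_size)
            if not t.get("is_verified")]


# Constructed sample: 23 templates, every fifth one already verified.
SAMPLE_TEMPLATES = [
    {"id": f"00000000-0000-4000-8000-{i:012d}", "name": f"tpl-{i}",
     "kms_name": "aws-kms", "cloud": "aws", "is_verified": i % 5 == 0}
    for i in range(23)
]


def make_fake_fetch(records):
    """In-memory stand-in for the API that mimics the skip/limit/total envelope."""
    calls = []

    def fetch_page(skip, limit):
        calls.append((skip, limit))
        return {"skip": skip, "limit": limit, "total": len(records),
                "resources": records[skip:skip + limit]}
    fetch_page.calls = calls
    return fetch_page


if __name__ == "__main__":
    fake = make_fake_fetch(SAMPLE_TEMPLATES)
    for name, tid in unverified_templates(fake):
        print(f"unverified: {name} ({tid})")
    print("pages fetched:", fake.calls)
```

The loop stops on an empty page as well as on reaching total, so a list that shrinks while it is being read (a template deleted between requests) cannot make it spin.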
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.d2rAAQI-VP_xObiBDLCUh8A7M1LUxZhVfnIk87_3fIU' --compressed
Example Response
{
"skip": 0,
"limit": 10,
"total": 2,
"resources": [
{
"id": "6b9f2043-0a99-4041-a62d-4f6eaa408fb5",
"name": "demo-policy-template-1",
"uri": "kylo:kylo:cckm:aws-template:8e104422",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-20T03:22:06.715624Z",
"updatedAt": "2021-05-20T03:22:06.714583Z",
"key_users": [
"aws-user"
],
"key_admins": [
"aws-user"
],
"policy": {
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM UserName Permissions",
"Action": [
"kms:*"
],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:root"
]
}
},
{
"Sid": "Allow access for Key Administrators",
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/aws-user"
]
}
},
{
"Sid": "Allow use of the key",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/aws-user"
]
}
},
{
"Sid": "Allow attachment of persistent resources",
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
},
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/aws-user"
]
}
}
]
},
"kms_name": "aws-kms",
"kms": "3ed28894-b9f8-4c5e-bc26-daed0c3bda26",
"account_id": 123456789012,
"cloud": "aws",
"is_verified": false
},
{
"id": "6b9f2043-0a99-4041-a62d-4f6eaa408fb6",
"name": "demo-policy-template-2",
"uri": "kylo:kylo:cckm:aws-template:e53f41eb",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-20T03:19:15.369859Z",
"updatedAt": "2021-05-20T03:19:15.364818Z",
"key_admins": [
"aws-user"
],
"key_admins_roles": [
"iam-role"
],
"key_users": [
"aws-user"
],
"key_users_roles": [
"iam-role"
],
"policy": {
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM UserName Permissions",
"Action": [
"kms:*"
],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:root"
]
}
},
{
"Sid": "Allow access for Key Administrators",
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/aws-user",
"arn:aws:iam::123456789012:role/iam-role"
]
}
},
{
"Sid": "Allow use of the key",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/aws-user",
"arn:aws:iam::123456789012:role/iam-role"
]
}
},
{
"Sid": "Allow attachment of persistent resources",
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
},
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/aws-user",
"arn:aws:iam::123456789012:role/iam-role"
]
}
}
]
},
"kms_name": "aws-kms",
"kms": "3ed28894-b9f8-4c5e-bc26-daed0c3bda26",
"account_id": 123456789012,
"cloud": "aws",
"is_verified": false
}
]
}
The sample output shows two AWS key policy templates.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Viewing Details of a Policy Template
Use the get /v1/cckm/aws/templates/{id} API to view the details of an AWS key policy template.
Note
To view policy templates, you must have the view, viewnative, viewbyok, or viewhyokkey permission.
Syntax
curl -k '<IP>/api/v1/cckm/aws/templates/{id}' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the ID of the policy template.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates/6b9f2043-0a99-4041-a62d-4f6eaa408fb5' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.d2rAAQI-VP_xObiBDLCUh8A7M1LUxZhVfnIk87_3fIU' --compressed
Example Response
{
"id": "6b9f2043-0a99-4041-a62d-4f6eaa408fb5",
"name": "demo-policy-template",
"uri": "kylo:kylo:cckm:aws-template:642aafda",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-17T11:01:08.226051365Z",
"updatedAt": "2021-05-17T11:01:08.218122217Z",
"key_users": [
"aws-user"
],
"key_admins": [
"aws-user"
],
"external_accounts": null,
"policy": {
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM UserName Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:root"
]
},
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/aws-user",
"arn:aws:iam::123456789012:role/iam-role"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/aws-user",
"arn:aws:iam::123456789012:role/iam-role"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
},
"kms_name": "aws-kms",
"kms": "3ed28894-b9f8-4c5e-bc26-daed0c3bda26",
"account_id": 123456789012,
"cloud": "aws",
"is_verified": true
}
The sample output shows details of the policy template with the ID 6b9f2043-0a99-4041-a62d-4f6eaa408fb5. In the output, "is_verified": true shows that the template has been used by an AWS key.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Updating Policy Templates
Use the patch /v1/cckm/aws/templates/{id} API to update an AWS key policy template on CCKM. When updating a key policy template, you can modify policy parameters according to your requirements.
- An unverified template remains unverified after update.
- A verified but not in-use template turns unverified after update.
- When you update a verified and in-use template, the changes are pushed to all the associated keys and the template remains verified. To ensure the changes are pushed, the auto_push parameter must be set to true.
Note
To update a policy template, you must have the keyupdate permission.
Syntax
curl -k '<IP>/api/v1/cckm/aws/templates/{id}' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "kms": "<kms-name>",\n "external_accounts": ["<external-account>"],\n "key_admins": ["<key-admin>"],\n "key_admins_roles": ["<key-admin-role>"],\n "key_users": ["<key-user>"],\n "key_users_roles": ["<key-user-role>"],\n "policy": {<key-policy>},\n "auto_push": <false|true>\n}' --compressed
Here, {id} represents the ID of the policy template.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
external_accounts | array of strings | AWS accounts that can use this policy template. |
key_admins | array of strings | IAM users who can administer this policy template using the KMS API. |
key_admins_roles | array of strings | IAM roles that can administer this policy template using the KMS API. |
key_users | array of strings | IAM users who can use this policy template in cryptographic operations. |
key_users_roles | array of strings | IAM roles that can use the CMK in cryptographic operations. |
policy | JSON | Policy to be attached to the template. |
auto_push | boolean | Pushes the verified policy template to all the associated keys. When updating a verified policy template, auto_push must be set to true. Note: When a policy template is applied to an AWS key, CCKM adds the template tag (cckm_policy_template_id) to the key. Do not modify or delete this tag on the AWS cloud. |
Note
Specify policy or one of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.
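The update rules listed above, together with the auto_push and cckm_policy_template_id notes in the parameter table, combine into a small pre-flight check before the PATCH and a post-check on the keys afterwards. The Python below is an added example, not CCKM code. Whether a template is in use is not returned by the template endpoints, so it is passed in as an argument; the KMS ListResourceTags tag shape and the constructed key records are assumptions, and the IDs are the ones shown on this page.

```python
"""Plan and check an update to a CCKM AWS key policy template.

Added example, not CCKM code. It encodes the documented status transitions
for PATCH /v1/cckm/aws/templates/{id}, reads the job fields from the
response, and checks that the cckm_policy_template_id tag CCKM places on an
AWS key is still intact. The tag list follows the AWS KMS ListResourceTags
format ({"TagKey": ..., "TagValue": ...}), which is an assumption here.
"""

TEMPLATE_TAG = "cckm_policy_template_id"


def plan_update(is_verified, in_use, auto_push):
    """Return (status_after_update, pushes_to_keys) or raise ValueError.

    - unverified template: stays unverified, nothing is pushed
    - verified, not in use: becomes unverified, nothing is pushed
    - verified and in use: stays verified and the change is pushed to every
      associated key; the page requires auto_push=true for a verified template
    """
    if not is_verified:
        return "unverified", False
    if not auto_push:
        raise ValueError("updating a verified template requires auto_push=true")
    if not in_use:
        return "unverified", False
    return "verified", True


def parse_update_response(resp):
    """Pull the status fields from the PATCH response.

    job_id and job_status are only present when a verified template was
    updated and a scheduler job was created to push the change.
    """
    return {
        "id": resp["id"],
        "is_verified": bool(resp.get("is_verified")),
        "job_id": resp.get("job_id"),
        "job_status": resp.get("job_status"),
    }


def template_tag(tags):
    """Value of the CCKM template tag from a ListResourceTags-style list."""
    for tag in tags:
        if tag.get("TagKey") == TEMPLATE_TAG:
            return tag.get("TagValue")
    return None


def tag_drift(keys, template_id):
    """Keys that should carry `template_id` but whose tag is missing or differs.

    `keys` is a list of {"KeyId": ..., "Tags": [...]} records (constructed
    shape). A missing or altered tag means the tag was changed on the AWS side,
    which the page says must not happen.
    """
    report = []
    for key in keys:
        value = template_tag(key.get("Tags", []))
        if value != template_id:
            report.append((key["KeyId"], value))
    return report


# Constructed sample data using the IDs shown on this page.
UPDATE_RESPONSE = {"id": "6b9f2043-0a99-4041-a62d-4f6eaa408fb5",
                   "is_verified": True,
                   "job_id": "8e2c8400-be19-4da7-80b9-9beb51e03650",
                   "job_status": "in_progress"}

SAMPLE_KEYS = [
    {"KeyId": "key-a", "Tags": [{"TagKey": TEMPLATE_TAG,
                                  "TagValue": "6b9f2043-0a99-4041-a62d-4f6eaa408fb5"}]},
    {"KeyId": "key-b", "Tags": []},  # tag deleted on the AWS side
    {"KeyId": "key-c", "Tags": [{"TagKey": TEMPLATE_TAG, "TagValue": "other-template"}]},
]

if __name__ == "__main__":
    print(plan_update(is_verified=True, in_use=True, auto_push=True))
    print(parse_update_response(UPDATE_RESPONSE))
    print(tag_drift(SAMPLE_KEYS, UPDATE_RESPONSE["id"]))
```

plan_update refuses a verified-template update that lacks auto_push before any request is made, and tag_drift is the check to run after the push job finishes: every key that should be associated with the template must still carry the tag with the template's ID.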
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates/6b9f2043-0a99-4041-a62d-4f6eaa408fb5' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.d2rAAQI-VP_xObiBDLCUh8A7M1LUxZhVfnIk87_3fIU' -H 'Content-Type: application/json' --data-binary $'{\n "kms": "kms",\n "policy": {<key-policy>}\n}' --compressed
Example Response
{
"id": "6b9f2043-0a99-4041-a62d-4f6eaa408fb5",
"name": "demo-policy-template",
"uri": "kylo:kylo:cckm:aws-template:8e104422",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-05-20T03:22:06.715624Z",
"updatedAt": "2021-05-20T03:22:06.714583Z",
"key_users": [
"aws-user"
],
"key_admins": [
"aws-user"
],
"policy": {
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM UserName Permissions",
"Action": [
"kms:*"
],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:root"
]
}
},
{
"Sid": "Allow access for Key Administrators",
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/aws-user"
]
}
},
{
"Sid": "Allow use of the key",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/aws-user"
]
}
},
{
"Sid": "Allow attachment of persistent resources",
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
},
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/aws-user"
]
}
}
]
},
"kms_name": "aws-kms",
"kms": "3ed28894-b9f8-4c5e-bc26-daed0c3bda26",
"account_id": 123456789012,
"cloud": "aws",
"is_verified": true,
"job_id": "8e2c8400-be19-4da7-80b9-9beb51e03650",
"job_status": "in_progress"
}
The sample output shows that the AWS key policy template with the ID 6b9f2043-0a99-4041-a62d-4f6eaa408fb5 is updated.
In the output, "is_verified": true shows that the template is verified. When a verified template is updated, a new scheduler job is created and its ID is returned in "job_id". You can view the job status using this "job_id".
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Deleting a Policy Template
Use the delete /v1/cckm/aws/templates/{id} API to delete an AWS key policy template.
An unverified policy template can be deleted directly. However, if a template is verified and in use by a key (applied to a key), it cannot be deleted.
Note
To delete a policy template, you must have the keydelete, hyokkeydelete, or cloudhsmkeydelete permission.
Syntax
curl -k '<IP>/api/v1/cckm/aws/templates/{id}' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the ID of the policy template.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates/6b9f2043-0a99-4041-a62d-4f6eaa408fb5' -X DELETE -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiMzUwZGQzOS1lNmEzLTQzNmItYjcyNi05YjlmNmNkMzVjZjciLCJzdWIiOiJsb2NhbHw4YTQ1MGNjZS02MGY4LTQxZTYtYTZkNS0xMTVkNDYzNDk5ZjUiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDk0NGUzZjctYzcyNi00YTQ1LThjY2YtMDk5ZTg0Zjg1NzU2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjNjMmFlMjA1LTYzZjMtNDgxNS1iYWVjLWU1NDBmOTE2ZTU1YSIsImlhdCI6MTYyMjE4NzgyMywiZXhwIjoxNjIyMTg4MTIzfQ.d2rAAQI-VP_xObiBDLCUh8A7M1LUxZhVfnIk87_3fIU' --compressed
Example Response
{
"status": 204
}
The policy template with the ID 6b9f2043-0a99-4041-a62d-4f6eaa408fb5 is deleted.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.