AWS Custom Key Store APIs
The Custom Key Store APIs for integration with Amazon Web Services Key Management Service (AWS KMS) allow you to manage both locally managed and AWS CloudHSM key stores. A custom key store of type AWS_CLOUDHSM has keys backed by a CloudHSM cluster in AWS. A custom key store of type EXTERNAL_KEY_STORE has keys from the CipherTrust Data Security Platform Service.
Use the APIs in this section to perform the following operations:
- Operations common to both key store types:
  - Create, list, get, update and delete custom key stores.
  - Connect and disconnect a custom key store.
  - Synchronize AWS custom key stores, get the status of a synchronization job, and cancel a synchronization job.
- Operations exclusive to external key stores:
  - Block and unblock access.
  - Rotate credentials.
  - Enable and disable scheduled rotation of credentials for a custom key store.
  - List and get credentials.
  - Link a local external key store with AWS KMS.
  - Enable or disable audit recording.
- Operations exclusive to CloudHSM key stores:
  - Get the list of unused CloudHSM clusters (clusters not already associated with a CloudHSM key store).
- Operations exclusive to HYOK keys:
  - Create an AWS HYOK key in an external key store.
  - Create, list, and get virtual keys and their versions.
  - Link an unlinked HYOK key.
  - List versions of an AWS HYOK key.
  - Block and unblock HYOK key access.
- Operations exclusive to CloudHSM keys:
  - Create a key in a CloudHSM key store.
External Custom Key Store Overview
Once the XKS objects are created and communication between AWS and CCKM is established, AWS KMS can make requests for the following operations:
- GetKeyMetadata
- Encrypt
- Decrypt
- GetHealthStatus
Note
You can exercise the health status check independently of KMS for troubleshooting purposes. A sample command is provided below.
AWS KMS communicates these requests through the CCKM external custom key store and the AWS HYOK key, and the CipherTrust Data Security Platform Service carries out encryption and decryption operations using the source key.
The AWS Cloud KMS documentation describes AWS KMS API methods used for the external key store integration.
Troubleshooting External Custom Key Store
To exercise the health status check:
curl --aws-sigv4 "aws:amz:<region>:kms-xks-proxy" --user "<access_key_id>:<secret_access_key_id>" -X POST --data '{"requestMetadata": {"kmsRequestId": "<request_id_string>","kmsOperation": "ConnectCustomKeyStore"}}' -H "Content-Type: application/json" https://<ciphertrust_FQDN>/api/<xks_proxy_uri_path>/health
A successful response returns "healthStatus":"ACTIVE", which indicates that the CCKM external key store is accessible and can execute an encryption with the health check key.
If you receive an error, you might need to check that both the AWS KMS key store and the CCKM key store have matching access key credentials, the health check key, and the region. Many of these mismatches can be fixed by updating or re-creating the AWS KMS external key store.
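The health check above is signed with AWS Signature Version 4 for the service name kms-xks-proxy, which is what the curl --aws-sigv4 option does behind the scenes. The following Python script is an added example, not code from the CipherTrust documentation or product: it builds the same signed POST by hand so that the request can be reproduced from a script or inspected when troubleshooting a credential or region mismatch, and it interprets the reply strictly (anything other than ACTIVE counts as a failure). It assumes the signed headers are content-type, host and x-amz-date; the access key, secret, hostname and proxy path are constructed placeholders.

```python
# Added example (not part of the CipherTrust documentation): build the SigV4-signed
# XKS proxy health-check request sent by the curl command above, and interpret the reply.
# Assumptions: signed headers are content-type, host and x-amz-date, and the service
# name is kms-xks-proxy (matching --aws-sigv4 "aws:amz:<region>:kms-xks-proxy").
import datetime
import hashlib
import hmac
import json
from urllib.parse import quote


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_health_request(access_key_id, secret_access_key, region, host, path,
                        kms_request_id, now=None):
    """Return (headers, body) for the XKS proxy health check, signed with SigV4."""
    service = "kms-xks-proxy"
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")

    # Same body as the curl command: the operation name KMS uses when connecting.
    body = json.dumps({"requestMetadata": {"kmsRequestId": kms_request_id,
                                           "kmsOperation": "ConnectCustomKeyStore"}},
                      separators=(",", ":"))
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()

    headers = {"content-type": "application/json", "host": host, "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join(["POST", quote(path, safe="/~"), "", canonical_headers,
                                   signed_headers, payload_hash])

    # Credential scope ties the signature to the date, region and service.
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])

    k_date = _hmac(("AWS4" + secret_access_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers, body


def health_is_active(response_body: str) -> bool:
    """True only when the proxy reports healthStatus ACTIVE; anything else is a failure."""
    try:
        return json.loads(response_body).get("healthStatus") == "ACTIVE"
    except (ValueError, AttributeError):
        return False


if __name__ == "__main__":
    # Constructed placeholder values; use the key store's credentials and the
    # xks_proxy_uri_path reported by CCKM in a real run.
    hdrs, payload = sign_health_request(
        "ACCESS_KEY_ID_PLACEHOLDER", "SECRET_ACCESS_KEY_PLACEHOLDER", "ap-south-1",
        "ciphertrust.example.com",
        "/api/v1/cckm/aws/xks-proxy-endpoints/XKS_PROXY_ID_PLACEHOLDER/kms/xks/v1/health",
        "troubleshoot-0001")
    print(hdrs["authorization"])
    # Reply below is constructed; send hdrs/payload with any HTTPS client to get a real one.
    print(health_is_active('{"healthStatus":"ACTIVE"}'))
```

The region in the credential scope and the access key pair must match what was configured on the AWS KMS side of the key store; if either differs, the proxy rejects the signature, which is the same symptom the paragraph above describes for mismatched credentials or region.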
Create a Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores to create a custom key store on CCKM. The custom key store can be an external key store or a CloudHSM key store.
For an External Custom Key Store, specify the following details:
- Name
- Region
- AWS account. This must be an AWS account registered on CCKM as a container.
- Linked state (false by default)
- Blocked (false by default)
- Audit recording (false by default)
- Source Key Tier
In addition, you can specify whether the key store is created in a blocked state or not.
Note
Enabling audit recording of successful operations for a custom key store of type EXTERNAL_KEY_STORE significantly impacts the performance of the key store. Enable this type of audit recording only for troubleshooting or for presenting a demo.
For a CKS backed by AWS CloudHSM, specify the following details:
- Name
- Region
- AWS account
- CloudHSM cluster ID
- CloudHSM kmsuser Crypto User (CU) password
- Trust anchor certificate
- The custom_key_store_type as AWS_CLOUDHSM.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --data-binary $'{\n "name": "<key_store_name>",\n "kms": "<aws-account-number>",\n "region": "<aws-region>",\n "linked_state": <boolean>,\n "local_hosted_params": {\n "blocked": <boolean>,\n "health_check_key_id": "<key_id>",\n "max_credentials": <number_of_credentials>\n },\n "aws_param": {\n "xks_proxy_connectivity": "<network_connectivity_type>",\n "xks_proxy_uri_endpoint": "<DNS_hostname_for_requests>"\n },\n "enable_success_audit_event": <true|false>\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
name | string | Required. Unique name for the custom key store. |
kms | string | Required. Name or ID of the AWS account container on CCKM in which to create the custom key store. |
region | string | Required. Name of one of the available AWS regions. |
linked_state | boolean | Indicates whether the custom key store is linked with AWS. Applicable to custom key stores of type EXTERNAL_KEY_STORE. Default value is false. When false, creating a CKS in CCKM does not trigger AWS KMS to create a new key store, and the new CKS does not synchronize with any key store on AWS KMS until it is linked. |
enable_success_audit_event | boolean | Indicates whether audit recording of successful operations within an external key store is enabled or disabled. This field is optional. Default value is false. |
local_hosted_params | JSON | Parameters for locally hosted external custom key store on CCKM. |
aws_param | JSON | Required. Parameters related to AWS interaction with CKS. |
Local Hosted Parameters
The local hosted parameters are applicable to the EXTERNAL_KEY_STORE type. The descriptions indicate which values are required for external custom key stores.
Parameter | Type | Description |
---|---|---|
blocked | boolean | Whether the key store is blocked or not. If not specified, this is set to false. |
mtls_enabled | boolean | Whether the key store is enabled for the verification of a TLS client-side certificate, where the CipherTrust Data Security Platform Service authenticates the AWS KMS client. If not specified, this is set to false. |
health_check_key_id | string | Required. ID of an existing CipherTrust Data Security Platform Service key to use for the health check. |
max_credentials | string | Required. Maximum number of credentials that can be associated with the custom key store (minimum 2, maximum 20). |
source_key_tier | string | Source for cryptographic keys. Valid value is local. |
AWS Parameters
Parameter | Type | Description |
---|---|---|
cloud_hsm_cluster_id | string | Required for custom key stores of type AWS_CLOUDHSM. ID of the CloudHSM cluster for the custom key store. Enter the cluster ID of an active CloudHSM cluster that is not already associated with a custom key store. |
custom_key_store_type | string | Specifies the type of custom key store. The default value is EXTERNAL_KEY_STORE. For a custom key store backed by an AWS CloudHSM cluster, the key store type is AWS_CLOUDHSM. For a custom key store backed by an HSM or key manager outside of AWS, the key store type is EXTERNAL_KEY_STORE. |
key_store_password | string | Required for custom key stores of type AWS_CLOUDHSM. The password of the kmsuser crypto user (CU) account configured in the specified CloudHSM cluster. This parameter does not change the password in the CloudHSM cluster; the user needs to configure the credentials on the CloudHSM cluster separately. |
trust_anchor_certificate | string | Required for custom key stores of type AWS_CLOUDHSM. The content of the CA certificate or self-signed certificate file created during CloudHSM cluster initialization. |
xks_proxy_connectivity | string | Required for custom key stores of type EXTERNAL_KEY_STORE. Indicates how AWS KMS communicates with the CipherTrust Manager. Default value is PUBLIC_ENDPOINT. Valid options are VPC_ENDPOINT_SERVICE or PUBLIC_ENDPOINT. |
xks_proxy_uri_endpoint | string | Required for custom key stores of type EXTERNAL_KEY_STORE. Specifies the protocol (always HTTPS) and DNS hostname to which KMS will send XKS API requests. The DNS hostname is either for a load balancer directing to the CipherTrust Manager, or for the CipherTrust Manager itself. |
xks_proxy_uri_path | string | Required for custom key stores of type EXTERNAL_KEY_STORE. Indicates the base path to the CipherTrust Manager APIs for this external key store. |
xks_proxy_vpc_endpoint_service_name | string | Indicates the VPC endpoint service name used by the custom key store. This field is required when xks_proxy_connectivity is VPC_ENDPOINT_SERVICE. |
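The tables above spread the required fields across two key store types and several conditions (the VPC endpoint service name only with VPC_ENDPOINT_SERVICE connectivity, the credential limit between 2 and 20, HTTPS only for the proxy endpoint). The following Python script is an added example, not code from the CipherTrust documentation or product: it assembles the request body for the create call and rejects a body that misses one of those requirements before anything is sent, so a misconfigured key store is caught client-side. The rules are this example's reading of the tables (the page's own example request omits xks_proxy_uri_path, so it is not enforced here); build_cks_request, CksRequestError and the sample values are constructed.

```python
# Added example (not from the CipherTrust documentation): assemble and validate the JSON
# body for POST /v1/cckm/aws/custom-key-stores, applying the per-type requirements from
# the parameter tables. The rule set is this example's reading of those tables.
import json
import warnings


class CksRequestError(ValueError):
    """Raised when a request body would violate a documented requirement."""


def build_cks_request(name, kms, region, *, custom_key_store_type="EXTERNAL_KEY_STORE",
                      aws_param=None, local_hosted_params=None, linked_state=False,
                      enable_success_audit_event=False):
    """Return a dict ready to be serialised as the create-custom-key-store body."""
    aws_param = dict(aws_param or {})
    local = dict(local_hosted_params or {})
    for field, value in (("name", name), ("kms", kms), ("region", region)):
        if not value:
            raise CksRequestError(f"{field} is required")

    aws_param["custom_key_store_type"] = custom_key_store_type
    if custom_key_store_type == "EXTERNAL_KEY_STORE":
        # xks_proxy_uri_path is not enforced: the documented example request omits it.
        for req in ("xks_proxy_connectivity", "xks_proxy_uri_endpoint"):
            if not aws_param.get(req):
                raise CksRequestError(f"aws_param.{req} is required for EXTERNAL_KEY_STORE")
        conn = aws_param["xks_proxy_connectivity"]
        if conn not in ("PUBLIC_ENDPOINT", "VPC_ENDPOINT_SERVICE"):
            raise CksRequestError("xks_proxy_connectivity must be PUBLIC_ENDPOINT or VPC_ENDPOINT_SERVICE")
        if conn == "VPC_ENDPOINT_SERVICE" and not aws_param.get("xks_proxy_vpc_endpoint_service_name"):
            raise CksRequestError("xks_proxy_vpc_endpoint_service_name is required for VPC_ENDPOINT_SERVICE")
        if not aws_param["xks_proxy_uri_endpoint"].startswith("https://"):
            raise CksRequestError("xks_proxy_uri_endpoint must use HTTPS")
        if not local.get("health_check_key_id"):
            raise CksRequestError("local_hosted_params.health_check_key_id is required")
        max_creds = local.get("max_credentials")
        if not isinstance(max_creds, int) or not 2 <= max_creds <= 20:
            raise CksRequestError("local_hosted_params.max_credentials must be an integer from 2 to 20")
        # Documented defaults, made explicit so the intent is visible in the request.
        local.setdefault("blocked", False)
        local.setdefault("mtls_enabled", False)
    elif custom_key_store_type == "AWS_CLOUDHSM":
        for req in ("cloud_hsm_cluster_id", "key_store_password", "trust_anchor_certificate"):
            if not aws_param.get(req):
                raise CksRequestError(f"aws_param.{req} is required for AWS_CLOUDHSM")
    else:
        raise CksRequestError(f"unknown custom_key_store_type {custom_key_store_type!r}")

    if enable_success_audit_event:
        # The documentation warns that this setting significantly impacts performance.
        warnings.warn("enable_success_audit_event=true: intended for troubleshooting or demos only")

    body = {"name": name, "kms": kms, "region": region, "linked_state": linked_state,
            "aws_param": aws_param, "enable_success_audit_event": enable_success_audit_event}
    if local:
        body["local_hosted_params"] = local
    return body


if __name__ == "__main__":
    # Constructed sample values; the key ID and account container name are placeholders.
    body = build_cks_request(
        "cks-demo", "aws_account_container_placeholder", "ap-south-1",
        aws_param={"xks_proxy_connectivity": "PUBLIC_ENDPOINT",
                   "xks_proxy_uri_endpoint": "https://xks.example.com"},
        local_hosted_params={"health_check_key_id": "00000000-0000-0000-0000-000000000001",
                             "max_credentials": 10})
    print(json.dumps(body, indent=2))
```

The returned dict can be serialised with json.dumps and passed to the --data-binary option of the curl command shown in the Syntax section, with the same Authorization header.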
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4OWQ5OWYyZS02YThiLTQ3ZDctOWYzMi0xMTY3ZmZiM2Y5MjkiLCJzdWIiOiJsb2NhbHwxNTgwYTA3OS1jMzI4LTRlN2ItYWJjZS0wNTJjNThhYTliOGEiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMmQ3MTg5MGMtMzIyNS00MWJjLWJjNDQtYTE2ODg3ZjVlMzE5Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImI4NzIyY2E0LTM1NzAtNDI1OS04NmYzLTIyOGI3ZDM4MmQzMiIsImlhdCI6MTY0ODQ3OTg3OCwiZXhwIjoxNjQ4NDgwMTc4fQ.eQk0b0pwJ67U5oHHWzPnCaJbJ3fJEBudo1Vb6E9Ag6M' -H 'accept: application/json' --data-binary $'{\n "name": "custom_key_store_name",\n "kms": "aws_account_number",\n "region": "ap-south-1", \n "linked_state": true,\n "local_hosted_params": {\n "partition_id": "f707115b-ca27-4f75-b44a-9b6a68788dd5",\n "blocked": false,\n "health_check_key_id": "511e1344-ad9f-4ee6-9eb5-df94e3c4a17c",\n "max_credentials": 10\n },\n "aws_param": {\n "xks_proxy_connectivity": "PUBLIC_ENDPOINT",\n "xks_proxy_uri_endpoint": "https://xks.example.com"\n }\n}' --compressed
Example Response
{
"application/json": {
"id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T03:09:21.716283215Z",
"updatedAt": "2022-01-10T03:09:21.714446273Z",
"name": "cks_name",
"kms": "aws",
"region": "ap-south-1",
"type": "LOCAL",
"credential_version": 1,
"kms_id": "7f13c680-d050-4eb8-9ab9-ed6e76b730e9",
"cloud_name": "aws",
"version_count": 0,
"aws_param": {
"custom_key_store_name": "cks_name",
"xks_proxy_uri_endpoint": "https://xks.example.com",
"xks_proxy_connectivity": "PUBLIC_ENDPOINT",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/8130b47d-a774-4739-8c71-94e733d6177c/kms/xks/v1",
"custom_key_store_type": "EXTERNAL_KEY_STORE",
"custom_key_store_id": "cks-6479457edc5fd993d",
"connection_state": "DISCONNECTED"
},
"local_hosted_params": {
"blocked": false,
"policy": {
"reserved": true
},
"linked_state": true,
"partition_label": "cckm-1608012946",
"partition_id": "8f6882be-eced-403a-a578-fe8393539b2d",
"source_container_id": "8f6882be-eced-403a-a578-fe8393539b2d",
"source_container_type": "hsm-luna",
"health_check_key_id": "339e786b-c236-495c-925e-87bd8bde82ca",
"health_check_ciphertext": "cf8iW1y5Ks/drIGZMxsgxJ5t27zOn4HAIEB/deQfFETe83RgMGOVCruEqGmXQEOXo338gZD/lRGtG8mYJzQuq+M=",
"max_credentials": 10,
"source_key_tier": "local",
"mtls_enabled": false
},
"access_key_id": "K045XFG9DFXVOCAK5LH904",
"secret_access_key": "08ddafe16d4f80c5b64eeacedde02258fd1cc210bd0cfd6df72d8516da1b4a4f"
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
List Custom Key Stores
Use GET /v1/cckm/aws/custom-key-stores to return the list of external custom key stores.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores?<query_parameters>' -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
id | string | Filter the results by the internal ID of the AWS custom key store. |
name | string | Filter the results by AWS custom key store name. |
kms | string | Filter the results by KMS name or KMS ID. |
region | string | Filter the results by region. |
cloud_name | string | Filter the results by cloud name. |
type | string | Filter the results by type: LOCAL, REMOTE, or CloudHSM. This is the key store's local hosted parameter value. |
blocked | boolean | Filter the results by blocked or unblocked state. |
linked_state | boolean | Filter the results by the status of the link between CCKM and AWS KMS. |
xks_proxy_connectivity | string | Filter the results by XKS proxy connectivity type: VPC_ENDPOINT_SERVICE or PUBLIC_ENDPOINT. |
connection_state | string | Filter the results by key store connection state. |
custom_key_store_type | string | Filter the results by type of custom key store: EXTERNAL_KEY_STORE or CLOUD_HSM. |
skip | integer | The index of the first resource to return. Equivalent to 'offset' in SQL. |
limit | integer | The maximum number of resources to return. Equivalent to 'limit' in SQL. |
sort | string | The fields to sort results by. This should be a comma-delimited list of properties. Multiple properties result in a multi-column sort. Sort order is ascending by default. To sort a field in descending order, precede the field name with a minus sign ("-"). For example, name,-createdAt sorts the results first by name, ascending, then by createdAt, descending. |
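Because the list call is paginated with skip and limit and reports the total in its envelope, any inventory of key stores (for example, a periodic check for stores that are blocked or whose AWS connection_state is not CONNECTED) has to keep requesting pages until total is reached. The following Python script is an added example, not code from the CipherTrust documentation or product: it composes the query string from the documented parameters, walks every page of the response shape shown below, and flags stores that deserve attention. The transport is injected so the logic runs offline against a constructed in-memory dataset; build_list_url, iter_key_stores, find_unhealthy and the sample records are constructed.

```python
# Added example (not from the CipherTrust documentation): page through
# GET /v1/cckm/aws/custom-key-stores using the skip/limit/total fields of the documented
# response envelope, and flag key stores that are blocked or not CONNECTED.
import urllib.parse


def build_list_url(base_url, **filters):
    """Compose the list URL from the documented query parameters (skip, limit, sort, filters)."""
    params = {k: (str(v).lower() if isinstance(v, bool) else str(v))
              for k, v in filters.items() if v is not None}
    return f"{base_url}/api/v1/cckm/aws/custom-key-stores?{urllib.parse.urlencode(params)}"


def iter_key_stores(fetch_page, limit=10, **filters):
    """Yield every custom key store, requesting limit items per page until total is reached."""
    skip = 0
    while True:
        page = fetch_page(skip=skip, limit=limit, **filters)
        resources = page.get("resources") or []
        yield from resources
        skip += len(resources)
        # Stop on an empty page as well, so a server that under-reports total cannot loop forever.
        if not resources or skip >= page.get("total", 0):
            return


def find_unhealthy(stores):
    """Return (name, connection_state, blocked) for stores that are blocked or not CONNECTED."""
    flagged = []
    for store in stores:
        blocked = store.get("local_hosted_params", {}).get("blocked", False)
        state = store.get("aws_param", {}).get("connection_state", "UNKNOWN")
        if blocked or state != "CONNECTED":
            flagged.append((store["name"], state, blocked))
    return flagged


# Constructed in-memory dataset standing in for the CCKM service (names are placeholders).
SAMPLE_STORES = [
    {"name": "cks-a", "aws_param": {"connection_state": "CONNECTED"}, "local_hosted_params": {"blocked": False}},
    {"name": "cks-b", "aws_param": {"connection_state": "DISCONNECTED"}, "local_hosted_params": {"blocked": False}},
    {"name": "cks-c", "aws_param": {"connection_state": "CONNECTED"}, "local_hosted_params": {"blocked": True}},
]


def fake_fetch_page(skip, limit, **filters):
    """Offline stand-in for an HTTP GET; returns the documented page envelope."""
    return {"skip": skip, "limit": limit, "total": len(SAMPLE_STORES),
            "resources": SAMPLE_STORES[skip:skip + limit]}


if __name__ == "__main__":
    print(build_list_url("https://ciphertrust.example.com", skip=0, limit=2,
                         sort="-updatedAt", blocked=False))
    for name, state, blocked in find_unhealthy(iter_key_stores(fake_fetch_page, limit=2)):
        print(f"{name}: connection_state={state} blocked={blocked}")
```

To run it against a real CCKM instance, replace fake_fetch_page with a function that performs the GET with the Authorization header and returns the parsed JSON under "application/json"; the pagination and flagging logic stay the same.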
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.Y9ekMDlzrGczHuDkCi3qxZUTw_1uSzWTDQq-D7ILw2Y' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"skip": 0,
"limit": 10,
"total": 2,
"resources": [
{
"id": "033716fc-898d-48a4-b12f-a6f2dd0d718b",
"uri": "kylo:kylo:cckm:aws_cks:033716fc-898d-48a4-b12f-a6f2dd0d718b",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T03:05:18.788744Z",
"updatedAt": "2022-01-10T03:05:18.786765Z",
"name": "cks_name",
"kms": "aws",
"region": "ap-south-1",
"locally_hosted": true,
"kms_id": "custom_cks_id",
"cloud_name": "aws",
"aws_param": {
"custom_key_store_name": "cks_name2",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/8c706a48-0e1a-4756-83dd-e46c54b65fb1/kms/xks/v1"
},
"local_hosted_params": {
"partition_label": "123456_name",
"partition_id": "123456",
"blocked": false,
"policy": {
"reserved": false
},
"source_container_id": "123456",
"source_container_type": "container_type",
"linked_state": false,
"mtls_enabled": false
}
},
{
"id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T03:09:21.716283Z",
"updatedAt": "2022-01-10T03:09:21.714446Z",
"name": "cks_name",
"kms": "aws",
"region": "ap-south-1",
"locally_hosted": true,
"kms_id": "custom_cks_id",
"cloud_name": "aws",
"aws_param": {
"custom_key_store_name": "cks_name",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/7f33443d-4773-41bb-8eec-7e320d511b00/kms/xks/v1"
},
"local_hosted_params": {
"partition_label": "12345_name",
"partition_id": "12345",
"blocked": false,
"policy": {
"reserved": false
},
"source_container_id": "12345",
"source_container_type": "container_type",
"linked_state": false,
"mtls_enabled": false
}
}
]
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
View Details of a Custom Key Store
Use GET /v1/cckm/aws/custom-key-stores/{id} to return the details of the custom key store with the given ID.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>' -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.YvM-lsOWhniMIr8RiZG3HXMPnnBmA-DEt-JT47olgrs' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T03:09:21.716283Z",
"updatedAt": "2022-01-10T03:09:21.714446Z",
"name": "cks_name",
"kms": "aws",
"region": "ap-south-1",
"locally_hosted": true,
"kms_id": "custom_cks_id",
"cloud_name": "aws",
"aws_param": {
"custom_key_store_name": "cks_name",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/8c706a48-0e1a-4756-83dd-e46c54b65fb1/kms/xks/v1"
},
"local_hosted_params": {
"partition_label": "12345_name",
"partition_id": "12345",
"blocked": false,
"policy": {
"reserved": false
},
"source_container_id": "12345",
"source_container_type": "container_type",
"linked_state": false,
"mtls_enabled": false
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Remove a Custom Key Store
Use DELETE /v1/cckm/aws/custom-key-stores/{id} to remove an AWS external custom key store from CCKM.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/' -X DELETE -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.kabqQJ96FtrkRJGdJK1tkz-pXHGMxYBhUrO5vUl_b4w' -H 'accept: application/json' --compressed
Example Response
{
"status": 204
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Edit a Custom Key Store
Use PATCH /v1/cckm/aws/custom-key-stores/{id} to edit a custom key store on CCKM.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "name": "<new_name>",\n "aws_param": {\n "xks_proxy_uri_endpoint": "<new_xks_proxy_uri_endpoint>",\n "xks_proxy_uri_path": "<new_xks_proxy_uri_path>",\n "access_key_id": "<new_access_key_id>",\n "secret_access_key": "<new_secret_access_key_id>"\n },\n "local_hosted_params": {\n "health_check_key_id": "<new_health_check_key_id>"\n },\n "enable_success_audit_event": <true|false>\n}' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
name | string | New unique name for the custom key store. |
local_hosted_params | JSON | Parameters for locally hosted external custom key store on CCKM. |
aws_param | JSON | Required. Parameters related to AWS interaction with the CKS. |
enable_success_audit_event | boolean | Indicates whether audit recording of successful operations within an external key store is enabled or disabled. This field is optional. Default value is false. |
Local Hosted Parameters
The local hosted parameters are applicable to the EXTERNAL_KEY_STORE type.
Parameter | Type | Description |
---|---|---|
health_check_key_id | string | ID of an existing CipherTrust Data Security Platform Service key to use for the health check. |
mtls_enabled | boolean | Whether the key store is enabled for the verification of a TLS client-side certificate, where the CipherTrust Data Security Platform Service authenticates the AWS KMS client. If not specified, this is set to false. |
AWS Parameters
Parameter | Type | Description |
---|---|---|
access_key_id | string | Access key ID for the XKS service hosted at xks_proxy_uri_endpoint. Applicable only to custom key stores of type EXTERNAL_KEY_STORE. |
cloud_hsm_cluster_id | string | New CloudHSM cluster ID. Applicable only to custom key stores of type AWS_CLOUDHSM. |
key_store_password | string | New password of the kmsuser CU (crypto user) account in the specified CloudHSM cluster. This parameter does not change the password in the CloudHSM cluster; configure the credentials on the CloudHSM cluster separately. Applicable only to custom key stores of type AWS_CLOUDHSM. |
secret_access_key | string | Secret access key for the XKS service hosted at xks_proxy_uri_endpoint. Applicable only to custom key stores of type EXTERNAL_KEY_STORE. |
xks_proxy_connectivity | string | Changes how AWS KMS communicates with the CipherTrust Manager. Applicable only to custom key stores of type EXTERNAL_KEY_STORE. Valid options are VPC_ENDPOINT_SERVICE or PUBLIC_ENDPOINT. |
xks_proxy_uri_endpoint | string | New XKS proxy URI endpoint. Applicable only to custom key stores of type EXTERNAL_KEY_STORE. |
xks_proxy_uri_path | string | New base path to the CipherTrust Manager APIs for this custom key store. Applicable only to custom key stores of type EXTERNAL_KEY_STORE. |
xks_proxy_vpc_endpoint_service_name | string | Indicates the VPC endpoint service name used by the custom key store. This field is required when xks_proxy_connectivity is VPC_ENDPOINT_SERVICE. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567' -X PATCH -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.B0dIWaOLvEFexiTHmUGO0VUg4j77EeJgWUF1anc8B6M' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "name": "new_name_1234",\n "aws_param": {\n "xks_proxy_uri_endpoint": "https://xksproxy.mycompany.com",\n "xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/736d4b20-fe22-4139-b39f-622404dc725e/kms/xks/v1",\n "access_key_id": "KYBZ5TKM7OUXZIWBAPVD",\n "secret_access_key": "e49f198bb94ce8efea6b987ae1aac6885d98ab3087168f8106d6f8c784db2ff4"\n },\n "local_hosted_params": {\n "health_check_key_id": "a9e80f5a-9680-413d-8ec0-c901d3cb04c0"\n },\n "enable_success_audit_event": true\n}' --compressed
Example Response
{
"application/json": {
"id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T03:09:21.716283Z",
"updatedAt": "2022-01-10T03:09:21.714446Z",
"name": "new_name_1234",
"kms": "aws",
"region": "ap-south-1",
"type": "LOCAL",
"credential_version": 1,
"kms_id": "7f13c680-d050-4eb8-9ab9-ed6e76b730e9",
"cloud_name": "aws",
"version_count": 0,
"aws_param": {
"xks_proxy_connectivity": "PUBLIC_ENDPOINT",
"connection_state": "DISCONNECTED",
"custom_key_store_type": "EXTERNAL_KEY_STORE",
"custom_key_store_id": "cks-6479457edc5fd993d",
"xks_proxy_uri_endpoint": "https://xksproxy.mycompany.com",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/736d4b20-fe22-4139-b39f-622404dc725e/kms/xks/v1"
},
"local_hosted_params": {
"partition_label": "cckm-1608012946",
"partition_id": "80d88390-78bd-40e2-bbac-b1782ed6e456",
"blocked": false,
"health_check_key_id": "a9e80f5a-9680-413d-8ec0-c901d3cb04c0",
"policy": {
"reserved": false
},
"source_container_id": "",
"source_container_type": "",
"source_key_tier": "hsm-luna",
"linked_state": false,
"max_credentials": 10,
"mtls_enabled": false
},
"enable_success_audit_event": false
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Create a KMS key in a CloudHSM Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/create-aws-key to create a KMS key in a CloudHSM-backed custom key store.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/create-aws-key' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "aws_param": {\n "Description": "<key_description>",\n "Alias": "<Alias_for_the_key>",\n "Tags": [\n {\n "TagKey": "<key_of_the_tag>",\n "TagValue": "<value_of_the_tag>"\n }\n ]\n },\n "key_admins": [\n "<IAM_user_to_admin_key>"\n ],\n "key_admins_roles": [\n "<IAM_roles_to_admin_key>"\n ],\n "key_users": [\n "<IAM_user_to_use_key>"\n ],\n "key_users_roles": [\n "<IAM_role_to_use_key>"\n ],\n "external_accounts": [\n "<AWS_accounts_to_use_key>"\n ]\n}' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
external_accounts | array | AWS accounts that can use this key. External accounts are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used. |
key_admins | array | IAM users who can administer this key using the KMS API. Key admins are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used. |
key_admins_roles | array | IAM roles that can administer this key using the KMS API. Key admins are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used. |
key_users | array | IAM users who can use the KMS key in cryptographic operations. Key users are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used. |
key_users_roles | array | IAM roles that can use the KMS key in cryptographic operations. Key users are mutually exclusive to policy and policy template. If no policy parameters are specified, the default policy is used. |
policytemplate | string | ID of the policy template to apply. Policy template is mutually exclusive to all other policy parameters. If no policy parameters are specified, the default policy is used. |
aws_param | JSON | Required. Parameters related to AWS interaction with the CKS. |
AWS Parameters
Parameter | Type | Description |
---|---|---|
Alias | string | Alias for the key. Required. |
Description | string | Description of the key. |
Policy | JSON | Key policy to attach to the KMS Key. Policy is mutually exclusive to all other policy parameters. If no policy parameters are specified the default policy is used. |
Tags | Array | Optional tags |
TagKey | string | Key of the tag. A tag is a key-value pair. |
TagValue | string | Value corresponding to the key of the tag. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/create-aws-key' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.B0dIWaOLvEFexiTHmUGO0VUg4j77EeJgWUF1anc8B6M' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "aws_param": {\n "Description": "Test CloudHSM key ",\n "Alias": "cloudhsmkey13",\n "Tags": [\n {\n "TagKey": "tag3",\n "TagValue": "value3"\n }\n ]\n },\n "key_admins": [\n "john.doe"\n ],\n "key_admins_roles": [\n "aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem"\n ],\n "key_users": [\n "richard-roe"\n ],\n "key_users_roles": [\n "aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"\n ]\n}' --compressed
Example Response
{
"application/json": {
"id": "0016ea0c-8f37-44ac-ac8f-3b5396130a19",
"uri": "kylo:kylo-81539629-e4b5-4d77-933f-30174a27dc20:cckm:aws-key:0016ea0c-8f37-44ac-ac8f-3b5396130a19",
"account": "kylo:kylo-81539629-e4b5-4d77-933f-30174a27dc20:admin:accounts:kylo-81539629-e4b5-4d77-933f-30174a27dc20",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2022-08-09T23:05:48.03608398Z",
"updatedAt": "2022-08-09T23:05:48.033508896Z",
"kms_id": "7262dee3-e0dc-4a0c-91c5-40395dd8f92e",
"kms": "aws_acc_atf",
"synced_at": "2022-08-09T23:05:48.027918202Z",
"rotation_status": "",
"cloud_name": "aws",
"key_users": [
"arn:aws:iam::556782317223:user/richard-roe"
],
"key_users_roles": [
"arn:aws:iam::556782317223:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"
],
"key_admins": [
"arn:aws:iam::556782317223:user/john.doe"
],
"key_admins_roles": [
"arn:aws:iam::556782317223:role/aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem"
],
"key_type": "symmetric",
"basic_view_enabled": true,
"region": "eu-west-1",
"gone": false,
"blocked": false,
"linked_state": true,
"key_material_origin": "CloudHSM",
"key_source": "CloudHSM",
"custom_key_store_id": "1421d123-5cfc-4291-bc3f-4232362a8ee4",
"custom_key_store_name": "test-eu-cloudhsm-2",
"aws_param": {
"AWSAccountId": "556782317223",
"Arn": "arn:aws:kms:eu-west-1:556782359223:key/0c0389d3-d327-4689-b8f9-0f966f83424c",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "Test CloudHSM key ",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "0c0389d3-d327-4689-b8f9-0f966f83424c",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_CLOUDHSM",
"CreationDate": "2022-08-09T23:05:47.448Z",
"Policy": {
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::556782359223:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::556782359223:role/aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem",
"arn:aws:iam::556782359223:user/john.doe"
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::556782359223:user/richard-roe",
"arn:aws:iam::556782359223:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::556782359223:user/richard-roe",
"arn:aws:iam::556782359223:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
},
"Alias": [
"alias/cloudhsmkey13"
],
"Tags": [
{
"TagKey": "tag3",
"TagValue": "value3"
}
],
"KeyRotationEnabled": false,
"CustomKeyStoreId": "cks-ea58c749fdb248c96"
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Block Access to External Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/block to disallow AWS KMS from performing encrypt, decrypt, and health requests on an external custom key store.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/block' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/block' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4Yzg4ZDY2Mi1mZDQ5LTQwM2QtOGFmMC0zYjljNGM0ZWNmNDMiLCJzdWIiOiJsb2NhbHxmYTEzYzU2Ny04NWQ4LTRiM2QtYWQ1OS1lNzMyOWZjMjNjOTQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiN2NlNzAwZmItMDI5OC00Y2M4LWIxMWUtZTJhODg0OGVkNDg3Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImQwODA5ZjkyLTUwZjMtNGZmYi04YzdhLTNjYmJhMWVjNjBjYiIsImlhdCI6MTY1MDU2Njg2MSwiZXhwIjoxNjUwNTY3MTYxfQ.ktaPfZkjiWILr5mB4saH8yA653l4LXzOFbdfJ-Gfqws' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T03:09:21.716283Z",
"updatedAt": "2022-01-10T03:09:21.714446Z",
"name": "cks_name",
"kms": "aws",
"region": "ap-south-1",
"locally_hosted": true,
"kms_id": "custom_cks_id",
"cloud_name": "aws",
"aws_param": {
"custom_key_store_name": "cks_name"
},
"local_hosted_params": {
"partition_label": "12345_name",
"partition_id": "12345",
"blocked": true,
"policy": {
"reserved": false
},
"source_container_id": "12345",
"source_container_type": "container_type",
"linked_state": false
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Unblock Access to External Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/unblock
to restore the ability of AWS KMS to perform encrypt, decrypt, and health requests on an external custom key store.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/unblock' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/unblock' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.ktaPfZkjiWILr5mB4saH8yA653l4LXzOFbdfJ-Gfqws' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T03:09:21.716283Z",
"updatedAt": "2022-01-10T03:09:21.714446Z",
"name": "cks_name",
"kms": "aws",
"region": "ap-south-1",
"locally_hosted": true,
"kms_id": "custom_cks_id",
"cloud_name": "aws",
"aws_param": {
"custom_key_store_name": "cks_name"
},
"local_hosted_params": {
"partition_label": "12345_name",
"partition_id": "12345",
"blocked": true,
"policy": {
"reserved": false
},
"source_container_id": "12345",
"source_container_type": "container_type",
"linked_state": false
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Connect a Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/connect
to connect the AWS custom key store using the AWS KMS API.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/connect' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "key_store_password": "<key_store_password>"\n}' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
key_store_password | string | The password of the kmsuser crypto user (CU) account configured in the specified CloudHSM cluster. This parameter does not change the password in the CloudHSM cluster; the credentials must be configured on the CloudHSM cluster separately. Required for a custom key store of type AWS_CLOUDHSM. Omit for external key stores. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/123567/connect' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.uH1kYKKFuhkcOrWmHthkMteLLitv3drJSNjTJRuUF_o' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "key_store_password": "myPassword"\n}' --compressed
Example Response
{
"application/json": {
"id": "7527884a-6f73-4d4b-8078-64e35640629c",
"uri": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:cckm:aws_cks:7527884a-6f73-4d4b-8078-64e35640629c",
"account": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:admin:accounts:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb",
"createdAt": "2022-07-27T21:12:48.903987Z",
"updatedAt": "2022-07-27T21:12:49.75161Z",
"name": "cks_1",
"kms": "aws",
"region": "us-east-1",
"type": "LOCAL",
"credential_version": 1,
"kms_id": "8aa11278-2547-4a63-b0dd-1e1464e6433c",
"cloud_name": "aws",
"version_count": 0,
"aws_param": {
"custom_key_store_name": "cks_1",
"xks_proxy_uri_endpoint": "https://demo-xksproxy.test.com",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/7527884a-6f73-4d4b-8078-64e35640629c/kms/xks/v1",
"custom_key_store_type": "EXTERNAL_KEY_STORE",
"custom_key_store_id": "cks-8a87408fb819ddb94",
"xks_proxy_connectivity": "PUBLIC_ENDPOINT",
"connection_state": "CONNECTED"
},
"local_hosted_params": {
"blocked": false,
"policy": {
"reserved": false
},
"source_container_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
"source_container_type": "hsm-luna",
"linked_state": true,
"partition_label": "aws_cm_vpc_par1",
"partition_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
"health_check_key_id": "615c1278-cfa4-4f85-8b0a-848dae3cafa2",
"health_check_ciphertext": "UYKUHavXloi8gKcRVFEc5SCLkUS8taf8EjqliRb3xSGUIMz4X2kRv9Qd7yog84IaYDF/SJ6EvMFjxGTCmQcCBFU=",
"max_credentials": 5
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Disconnect a Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/disconnect
to disconnect the AWS custom key store using the AWS KMS API.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/disconnect' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/123567/disconnect' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.uH1kYKKFuhkcOrWmHthkMteLLitv3drJSNjTJRuUF_o' -H 'Content-Type: application/json' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "7527884a-6f73-4d4b-8078-64e35640629c",
"uri": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:cckm:aws_cks:7527884a-6f73-4d4b-8078-64e35640629c",
"account": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:admin:accounts:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb",
"createdAt": "2022-07-27T21:12:48.903987Z",
"updatedAt": "2022-07-27T21:12:49.75161Z",
"name": "cks_1",
"kms": "aws",
"region": "us-east-1",
"type": "LOCAL",
"credential_version": 1,
"kms_id": "8aa11278-2547-4a63-b0dd-1e1464e6433c",
"cloud_name": "aws",
"version_count": 0,
"aws_param": {
"custom_key_store_name": "cks_1",
"xks_proxy_uri_endpoint": "https://demo-xksproxy.test.com",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/7527884a-6f73-4d4b-8078-64e35640629c/kms/xks/v1",
"custom_key_store_type": "EXTERNAL_KEY_STORE",
"custom_key_store_id": "cks-8a87408fb819ddb94",
"xks_proxy_connectivity": "PUBLIC_ENDPOINT",
"connection_state": "DISCONNECTED"
},
"local_hosted_params": {
"blocked": false,
"policy": {
"reserved": false
},
"source_container_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
"source_container_type": "hsm-luna",
"linked_state": true,
"partition_label": "aws_cm_vpc_par1",
"partition_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
"health_check_key_id": "615c1278-cfa4-4f85-8b0a-848dae3cafa2",
"health_check_ciphertext": "UYKUHavXloi8gKcRVFEc5SCLkUS8taf8EjqliRb3xSGUIMz4X2kRv9Qd7yog84IaYDF/SJ6EvMFjxGTCmQcCBFU=",
"max_credentials": 5
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Link Local External Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/link
to link a local custom key store with its AWS custom key store. Applicable only to external custom key stores.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/link' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "aws_param": {\n "xks_proxy_uri_endpoint": "<xks_proxy_endpoint>",\n "xks_proxy_vpc_endpoint_service_name": "<vpc_endpoint_service_name>"\n }\n}' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
aws_param | JSON | Parameters related to AWS interaction with the custom key store. |
AWS Parameters
Parameter | Type | Description |
---|---|---|
xks_proxy_uri_endpoint | string | Required. Indicates the URL endpoint used by the custom key store. |
xks_proxy_vpc_endpoint_service_name | string | Indicates the VPC endpoint service name used by the custom key store. This field is required when the xks_proxy_connectivity of custom key store is VPC_ENDPOINT_SERVICE. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/123456/link' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.nTzFCUkltF0jS5J6eU7ljjhkxAEtFBUokoNb-oDsBvQ' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "aws_param": {\n "xks_proxy_uri_endpoint": "https://xks.example.com",\n "xks_proxy_vpc_endpoint_service_name": "com.amazonaws.vpce.us-east-1.vpce-svc-03d5ed"\n }\n}' --compressed
Example Response
{
"application/json": {
"id": "a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"uri": "kylo:kylo:cckm:aws_cks:a9e80f5a-9680-413d-8ec0-c901d3cb04b9",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-10T03:09:21.716283Z",
"updatedAt": "2022-01-10T03:09:21.714446Z",
"name": "cks_name_1",
"kms": "aws",
"region": "ap-south-1",
"type": "LOCAL",
"credential_version": 1,
"kms_id": "7f13c680-d050-4eb8-9ab9-ed6e76b730e9",
"cloud_name": "aws",
"version_count": 0,
"aws_param": {
"custom_key_store_name": "cks_name_1",
"xks_proxy_uri_endpoint": "https://dev3-xksproxy.thalescpl.io",
"xks_proxy_vpc_endpoint_service_name": "com.amazonaws.vpce.us-east-1.vpce-svc-03d5ed",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/35164f70-2308-4a02-b2ee-436c478beaa1/kms/xks/v1",
"custom_key_store_type": "EXTERNAL_KEY_STORE",
"custom_key_store_id": "cks-007ee1e9c09e6690e",
"xks_proxy_connectivity": "VPC_ENDPOINT_SERVICE",
"connection_state": "CONNECTED"
},
"local_hosted_params": {
"partition_label": "cckm-1608012946",
"partition_id": "80d88390-78bd-40e2-bbac-b1782ed6e456",
"health_check_key_id": "511e1344-ad9f-4ee6-9eb5-df94e3c4a17c",
"health_check_ciphertext": "Dp5Dn3azWYBt5AZaIEqEiEdD53GH0XRMzXoYgRlPEX1Ooq+HjcTp8jTA3H67uNYY4WWPSIMGQfH5CaNqMufSZ5Q=",
"blocked": true,
"policy": {
"reserved": false
},
"source_container_id": "80d88390-78bd-40e2-bbac-b1782ed6e456",
"source_container_type": "hsm-luna",
"linked_state": true,
"max_credentials": 10
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
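The block, unblock, connect, disconnect and link endpoints above all return the same key-store object, and an operator usually wants to know one thing from it: can AWS KMS currently use the keys? The following is an added example, not Thales' code. It wraps those five calls in a small Python client and interprets the returned fields. Two things differ from the curl lines on this page: the client verifies the CipherTrust Manager certificate (the curl examples pass -k, which skips that check), and the reading of connection_state, blocked and linked_state in kms_can_use() is an assumption derived from the endpoint descriptions, not a documented rule. The transport hook, the sample object and the placeholder IDs are this example's own.

```python
"""Drive the block/unblock, connect/disconnect and link endpoints from Python
and interpret the key-store object they return.

Added example, not Thales' code.  Unlike the curl examples on this page,
which pass -k, this client verifies the CipherTrust Manager certificate
against a CA bundle.  The field semantics used by kms_can_use() are an
assumption derived from the endpoint descriptions above.
"""
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

Transport = Callable[[urllib.request.Request], Tuple[int, Dict[str, Any]]]
BASE_PATH = "/api/v1/cckm/aws/custom-key-stores"


class CustomKeyStoreClient:
    def __init__(self, base_url: str, token: str, ca_bundle: Optional[str] = None,
                 transport: Optional[Transport] = None) -> None:
        self.base_url = base_url.rstrip("/")
        self.token = token
        # create_default_context() turns on certificate and hostname checks;
        # cafile points at the CA that issued the CipherTrust Manager cert.
        self.ssl_ctx = ssl.create_default_context(cafile=ca_bundle)
        # transport is injectable so the client can be exercised offline.
        self.transport: Transport = transport or self._send

    def build(self, method: str, path: str,
              body: Optional[Dict[str, Any]] = None) -> urllib.request.Request:
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + self.token)
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        return req

    def _send(self, req: urllib.request.Request) -> Tuple[int, Dict[str, Any]]:
        with urllib.request.urlopen(req, context=self.ssl_ctx) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})  # 204 has no body

    def call(self, method: str, path: str,
             body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        status, payload = self.transport(self.build(method, path, body))
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}: {payload}")
        return payload

    # Endpoints documented above; ks_id is the key store UUID.
    def block(self, ks_id: str) -> Dict[str, Any]:
        return self.call("POST", f"{BASE_PATH}/{ks_id}/block")

    def unblock(self, ks_id: str) -> Dict[str, Any]:
        return self.call("POST", f"{BASE_PATH}/{ks_id}/unblock")

    def connect(self, ks_id: str, key_store_password: Optional[str] = None) -> Dict[str, Any]:
        # key_store_password is required for AWS_CLOUDHSM stores and omitted for external ones.
        body = {} if key_store_password is None else {"key_store_password": key_store_password}
        return self.call("POST", f"{BASE_PATH}/{ks_id}/connect", body)

    def disconnect(self, ks_id: str) -> Dict[str, Any]:
        return self.call("POST", f"{BASE_PATH}/{ks_id}/disconnect")

    def link(self, ks_id: str, xks_proxy_uri_endpoint: str,
             vpc_endpoint_service_name: Optional[str] = None) -> Dict[str, Any]:
        params = {"xks_proxy_uri_endpoint": xks_proxy_uri_endpoint}
        if vpc_endpoint_service_name:  # required only for VPC_ENDPOINT_SERVICE connectivity
            params["xks_proxy_vpc_endpoint_service_name"] = vpc_endpoint_service_name
        return self.call("POST", f"{BASE_PATH}/{ks_id}/link", {"aws_param": params})


def kms_can_use(store: Dict[str, Any]) -> Dict[str, Any]:
    """Interpret a key-store object: AWS KMS can reach the keys only when the
    store is CONNECTED, not blocked and, for an external store, linked.
    (Assumed reading of the fields; confirm against your deployment.)"""
    aws = store.get("aws_param", {})
    local = store.get("local_hosted_params", {})
    reasons = []
    if aws.get("connection_state") != "CONNECTED":
        reasons.append(f"connection_state is {aws.get('connection_state')!r}")
    if local.get("blocked"):
        reasons.append("access blocked on the CCKM side (use unblock to restore)")
    if aws.get("custom_key_store_type") == "EXTERNAL_KEY_STORE" and not local.get("linked_state"):
        reasons.append("local key store is not linked to the AWS custom key store")
    return {"usable": not reasons, "reasons": reasons}


# Constructed sample in the shape of the connect response above (placeholder IDs).
SAMPLE_STORE: Dict[str, Any] = {
    "id": "KS-UUID-PLACEHOLDER",
    "aws_param": {"custom_key_store_type": "EXTERNAL_KEY_STORE",
                  "xks_proxy_connectivity": "PUBLIC_ENDPOINT",
                  "connection_state": "CONNECTED"},
    "local_hosted_params": {"blocked": False, "linked_state": True, "max_credentials": 5},
}
```

Blocking is the fast path for an incident: it stops encrypt, decrypt and health requests immediately without touching the AWS side, and kms_can_use() on the returned object shows the resulting state so the change can be confirmed and later reversed with unblock.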
Check Health Status of External Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{keystore_id}/health
to validate whether a custom key store, which uses a Luna HSM or a CipherTrust Manager as a key source, is available, working, and ready to handle requests. In the event of a successful validation, this API returns an HTTP status code of 200 (OK) and no message body.
Note
This API does not require authentication.
Syntax
curl -k 'https://<ciphertrust_fqdn>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/health' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/e58070c2-d359-484d-a42d-93e6cda8a906/health' -H 'accept: application/json' --compressed
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Synchronize Custom Key Stores
Use POST /v1/cckm/aws/custom-key-stores/synchronization-jobs
to synchronize custom key stores on CCKM with the corresponding key stores on AWS KMS.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/synchronization-jobs' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.hLbhBT9cYVIxVSErH4F8UJmGSd3bsZfzkkTJYMfBAtw' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "kms": [],\n "synchronize_all": false,\n "regions": []\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
kms | array | Name or ID of the KMS resource from which the AWS custom key stores will be synchronized. synchronize_all and kms, regions are mutually exclusive. Specify either synchronize_all or kms and regions. |
regions | array | Regions from which the AWS custom key stores will be synchronized. If not specified, custom key stores from all regions are synchronized. synchronize_all and kms, regions are mutually exclusive. Specify either synchronize_all or kms and regions. |
synchronize_all | boolean | Set true to synchronize all custom key stores from all KMS and regions. synchronize_all and kms, regions are mutually exclusive. Specify either synchronize_all or kms and regions. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/synchronization-jobs' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "kms": [],\n "synchronize_all": false,\n "regions": []\n}' --compressed
Example Response
{
"application/json": {
"id": "84980655-f1df-40e1-a2ec-736ac77a7889",
"uri": "kylo:kylo:cckm:synchronize:84980655-f1df-40e1-a2ec-736ac77a7889",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-08-06T09:40:04.915495495Z",
"updatedAt": "2020-08-06T09:40:04.918785299Z",
"overall_status": "in progress",
"cloud": "aws",
"kms": [
"de0b5a77-918a-453e-8675-604133a8984e"
],
"abort": false
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
List the Status of all Synchronization Jobs
Use GET /v1/cckm/aws/custom-key-stores/synchronization-jobs
to return the list of synchronization jobs with their current status. The results can be filtered using the query parameters.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/synchronization-jobs?<query_parameters>' -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Query Parameters
Parameter | Type | Description |
---|---|---|
id | string | Filter the results by internal ID of synchronization. |
overall_status | string | Filter results by synchronization overall status. Possible values are in_progress, completed, and failed. |
kms | string | Filter the results by KMS. |
skip | integer | The index of the first resource to return. Equivalent to 'offset' in SQL. |
limit | integer | The max number of resources to return. Equivalent to 'limit' in SQL. |
sort | string | The fields to sort results by. This should be a comma-delimited list of properties. Multiple properties will result in a multi-column sort. Sort order is ascending by default. To have a descending sort for a field, precede the field name with a minus sign ("-"). For example: name,-createdAt will sort the results first by name, ascending, then by createdAt, descending. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/synchronization-jobs?skip=0&limit=10' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.JIyXwfLs_sHVZHry1u2KRPo5pF5079q9S7U-5hOTanA' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"skip": 0,
"limit": 10,
"total": 2,
"resources": [
{
"id": "84980655-f1df-40e1-a2ec-736ac77a7889",
"uri": "kylo:kylo:cckm:synchronize:84980655-f1df-40e1-a2ec-736ac77a7889",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-08-06T09:40:04.915495Z",
"updatedAt": "2020-08-06T09:40:33.308945Z",
"overall_status": "in progress",
"detailed_status": {
"123456789012/ap-south-1": "region synchronized successfully",
"123456789012/eu-north-1": "region synchronized successfully",
"123456789012/eu-west-2": "region synchronized successfully",
"123456789012/eu-west-3": "region synchronized successfully"
},
"cloud": "aws",
"kms": [
"de0b5a77-918a-453e-8675-604133a8984e"
],
"abort": false
}
]
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
View Details of a Synchronization Job
Use GET /v1/cckm/aws/custom-key-stores/synchronization-jobs/{id}
to return the details of the synchronization job with the given ID.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/synchronization-jobs/<synchronization_job_id>' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameter
Parameter | Type | Description |
---|---|---|
id | string | ID of the synchronization job. This must be the UUID. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/synchronization-jobs/12345' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhMjE5ODNhMS0yOGViLTQxM2UtODMzNy1hOWM2ZTgwZjIxZTciLCJzdWIiOiJsb2NhbHxkMjg1MDRmZC00MmExLTQ2YWUtYmY4Yi1hZDgzOGY2ZjZhNGIiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJkb21haW5fbmFtZSI6InJvb3QiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMjE1N2M4NWItNTMxOC00MjRhLThhNzItMjk2OGFkMGRmMDU5Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjQxNjE1NWVmLTMzYTctNDA3Ny1hOTY1LWUwNWUzYWJjMWYwMyIsImlhdCI6MTY2MjU4MTczMiwiZXhwIjoxNjYyNTgyMDMyfQ.UHefabPmsuh-wW5-cI5GcB3jplpiAn1G6sEXXAVKIlo' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "84980655-f1df-40e1-a2ec-736ac77a7889",
"uri": "kylo:kylo:cckm:synchronize:84980655-f1df-40e1-a2ec-736ac77a7889",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-08-06T09:40:04.915495Z",
"updatedAt": "2020-08-06T09:43:31.731954Z",
"overall_status": "in progress",
"detailed_status": {
"123456789012/ap-northeast-1": "region synchronized successfully",
"123456789012/ap-northeast-2": "region synchronized successfully",
"123456789012/ap-south-1": "region synchronized successfully",
"123456789012/ap-southeast-1": "region synchronized successfully",
"123456789012/ap-southeast-2": "region synchronized successfully",
"123456789012/ca-central-1": "region synchronized successfully",
"123456789012/eu-west-2": "region synchronized successfully",
"123456789012/eu-west-3": "region synchronized successfully",
"123456789012/sa-east-1": "region synchronized successfully",
"123456789012/us-east-1": "in progress"
},
"cloud": "aws",
"kms": [
"de0b5a77-918a-453e-8675-604133a8984e"
],
"abort": false
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Cancel a Synchronization Job
Use POST /v1/cckm/aws/custom-key-stores/synchronization-jobs/{id}/cancel
to cancel a synchronization job.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/synchronization-jobs/<synchronization_job_id>/cancel' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameter
Parameter | Type | Description |
---|---|---|
id | string | ID of the synchronization job. This must be the UUID. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/synchronization-jobs/123456/cancel' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.JIyXwfLs_sHVZHry1u2KRPo5pF5079q9S7U-5hOTanA' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "e8f2e77d-95e8-46f6-891f-37469da3bf57",
"uri": "kylo:kylo:cckm:synchronize:e8f2e77d-95e8-46f6-891f-37469da3bf57",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-08-06T09:46:06.534541Z",
"updatedAt": "2020-08-06T09:46:25.768957301Z",
"overall_status": "in progress",
"detailed_status": {
"123456789012/eu-north-1": "in progress"
},
"cloud": "aws",
"kms": [
"de0b5a77-918a-453e-8675-604133a8984e"
],
"abort": true
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
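The three job endpoints above (create, view details, cancel) form one procedure: start a job, poll its overall_status and per-region detailed_status, and cancel it if it overruns. The following is an added example, not Thales' code, showing that loop with the HTTP calls injected as callables so it runs offline; the sample responses are constructed in the shape of the job objects shown above, with a placeholder account ID. Treating "in progress" (as the responses spell it) and in_progress (as the overall_status filter spells it) as the same state is this example's choice.

```python
"""Poll a CCKM synchronization job until it finishes, and cancel it if it
overruns.  Added example, not Thales' code.  The HTTP calls are injected so
the logic is testable offline; the sample responses below are constructed
in the shape shown on the page.
"""
import time
from typing import Any, Callable, Dict, Iterator, List

TERMINAL_STATES = {"completed", "failed"}


def normalise_status(status: Any) -> str:
    """Map 'in progress' / 'In_Progress' / ... onto the filter spelling."""
    return str(status or "").strip().lower().replace(" ", "_")


def summarise_regions(job: Dict[str, Any]) -> Dict[str, List[str]]:
    """Split detailed_status ('<account>/<region>': message) into buckets."""
    done, pending, other = [], [], []
    for scope, message in sorted(job.get("detailed_status", {}).items()):
        if "successfully" in str(message):
            done.append(scope)
        elif normalise_status(message) == "in_progress":
            pending.append(scope)
        else:
            other.append(f"{scope}: {message}")  # failures surface here for triage
    return {"done": done, "pending": pending, "other": other}


def wait_for_sync_job(job_id: str,
                      get_job: Callable[[str], Dict[str, Any]],
                      cancel_job: Callable[[str], Any],
                      timeout_s: float = 600.0, poll_s: float = 5.0,
                      sleep: Callable[[float], None] = time.sleep,
                      clock: Callable[[], float] = time.monotonic) -> Dict[str, Any]:
    """get_job wraps GET .../synchronization-jobs/{id}; cancel_job wraps
    POST .../synchronization-jobs/{id}/cancel.  Returns once the job is in a
    terminal state, or after cancelling it when timeout_s elapses."""
    deadline = clock() + timeout_s
    polls = 0
    while True:
        job = get_job(job_id)
        polls += 1
        status = normalise_status(job.get("overall_status"))
        if status in TERMINAL_STATES:
            return {"status": status, "timed_out": False, "polls": polls,
                    "aborted": bool(job.get("abort")), "regions": summarise_regions(job)}
        if clock() >= deadline:
            cancel_job(job_id)  # the job then reports abort=true, as in the cancel response above
            return {"status": status, "timed_out": True, "polls": polls,
                    "aborted": True, "regions": summarise_regions(job)}
        sleep(poll_s)


# Constructed sample responses (shape of the GET .../synchronization-jobs/{id} body).
def _job(status: str, detailed: Dict[str, str], abort: bool = False) -> Dict[str, Any]:
    return {"id": "JOB-UUID-PLACEHOLDER", "overall_status": status,
            "detailed_status": detailed, "cloud": "aws", "abort": abort}


SAMPLE_PROGRESSION = [
    _job("in progress", {"123456789012/us-east-1": "in progress"}),
    _job("in progress", {"123456789012/us-east-1": "region synchronized successfully",
                         "123456789012/eu-west-2": "in progress"}),
    _job("completed", {"123456789012/us-east-1": "region synchronized successfully",
                       "123456789012/eu-west-2": "region synchronized successfully"}),
]


def demo_completes() -> Dict[str, Any]:
    """Job reaches 'completed' on the third poll; no cancel is issued."""
    responses: Iterator[Dict[str, Any]] = iter(SAMPLE_PROGRESSION)
    cancelled: List[str] = []
    result = wait_for_sync_job("job", lambda _id: next(responses), cancelled.append,
                               timeout_s=60, poll_s=1, sleep=lambda _s: None, clock=lambda: 0.0)
    result["cancel_calls"] = len(cancelled)
    return result


def demo_times_out() -> Dict[str, Any]:
    """Job never finishes; the clock passes the deadline on the second poll, so cancel is called."""
    ticks = iter([0.0, 30.0, 61.0])
    cancelled: List[str] = []
    result = wait_for_sync_job("job", lambda _id: SAMPLE_PROGRESSION[0], cancelled.append,
                               timeout_s=60, poll_s=1, sleep=lambda _s: None,
                               clock=lambda: next(ticks))
    result["cancel_calls"] = len(cancelled)
    return result


if __name__ == "__main__":
    print(demo_completes())
    print(demo_times_out())
```

In production, get_job and cancel_job would be thin wrappers around the two authenticated curl calls shown above; the "other" bucket returned by summarise_regions() is where a failed region's message lands, which is what an operator needs to decide whether to rerun with a narrower regions list.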
Create Credential for an External Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/credentials
to create a credential for the external custom key store. You must upload the returned access_key_id and secret_access_key to the corresponding key store in AWS KMS.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/credentials' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/credentials' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4Yzg4ZDY2Mi1mZDQ5LTQwM2QtOGFmMC0zYjljNGM0ZWNmNDMiLCJzdWIiOiJsb2NhbHxmYTEzYzU2Ny04NWQ4LTRiM2QtYWQ1OS1lNzMyOWZjMjNjOTQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiYTA0ZTMyMWYtNzI3Zi00YTFjLWI1ZGUtMWUzMjIyMjJkY2IyIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjQ3OWFiNzU1LTVjZGYtNGQ0Yy04ZmU2LWY2YTBiMDkzNjEzNCIsImlhdCI6MTY1MDY0MTEyNCwiZXhwIjoxNjUwNjQxNDI0fQ.agZ3vPoi624xVX61BLaZpbBAGRZN4PHEXJYRXR-oETY' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
"uri": "kylo:kylo:cckm:aws_cks_credentials:4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2021-12-23T16:25:49.463282986Z",
"updatedAt": "2021-12-23T16:25:49.460296196Z",
"custom_key_store_id": "40d4d382-97ca-4974-86e3-631ccd9ff364",
"version": 1,
"access_key_id": "generated_access_id",
"cloud_name": "aws"
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
List Credentials for an External Custom Key Store
Use GET /v1/cckm/aws/custom-key-stores/{id}/credentials
to list the credentials associated with a specified external custom key store.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/credentials?<query_parameters>' -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
access_key_id | string | Filter the results by access key ID. |
skip | integer | The index of the first resource to return. Equivalent to 'offset' in SQL. |
limit | integer | The max number of resources to return. Equivalent to 'limit' in SQL. |
sort | string | The fields to sort results by. This should be a comma-delimited list of properties. Multiple properties will result in a multi-column sort. Sort order is ascending by default. To have a descending sort for a field, precede the field name with a minus sign ("-"). For example: name,-createdAt will sort the results first by name, ascending, then by createdAt, descending. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/credentials?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.Y9ekMDlzrGczHuDkCi3qxZUTw_1uSzWTDQq-D7ILw2Y' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
"uri": "kylo:kylo:cckm:aws_cks_credentials:4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2021-12-23T16:25:49.463283Z",
"updatedAt": "2021-12-23T16:25:49.460296Z",
"custom_key_store_id": "40d4d382-97ca-4974-86e3-631ccd9ff364",
"access_key_id": "generated_access_id",
"secret_access_key_id": "id_of_generated_secret_key",
"cloud_name": "aws"
}
]
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
View Details of a Credential for an External Custom Key Store
Use GET /v1/cckm/aws/custom-key-stores/{customKeyStoreID}/credentials/{id}
to view details of a given credential for a given external custom key store.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/credentials/<credential_id>' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
customKeyStoreID | string | ID of the key store. This must be the UUID. |
id | string | ID of the credential. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/credentials/123456' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.IuQUd-4Lhu3BvnccvBJq873yCdwL6Y7YQv8_s8VzdwY' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
"uri": "kylo:kylo:cckm:aws_cks_credentials:4b7dcd7e-47a9-4234-8905-e1b7eb850fd5",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2021-12-23T16:25:49.463283Z",
"updatedAt": "2021-12-23T16:25:49.460296Z",
"custom_key_store_id": "40d4d382-97ca-4974-86e3-631ccd9ff364",
"version": 1,
"access_key_id": "generated_access_id",
"cloud_name": "aws"
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Delete a Credential for an External Custom Key Store
Use DELETE /v1/cckm/aws/custom-key-stores/{customKeyStoreID}/credentials/{id}
to delete a given credential for a given external custom key store.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/credentials/<credential_id>' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
customKeyStoreID | string | ID of the key store. This must be the UUID. |
id | string | ID of the credential. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/1234567/credentials/123456' -X DELETE -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.9KlwSpuGOZ-CThV4qUGAmoM09c-Xf324PNGdmTPxzNo' -H 'accept: application/json' --compressed
Example Response
{
"status": 204
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Rotate Credential for an External Custom Key Store
Use POST /v1/cckm/aws/custom-key-stores/{id}/rotate-credential
to rotate the credential for the specified external custom key store. This API is only applicable to a custom key store of type EXTERNAL_KEY_STORE. For a linked key store, the rotated (new) credential is also updated in AWS KMS.
All credentials (new and old) associated with the key store continue to work until they are deleted.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/rotate-credential' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameter
Parameter | Type | Description |
---|---|---|
id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.my.company.com/api/v1/cckm/aws/custom-key-stores/1234567/rotate-credential' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.mjJp45ySM1W1Xy6ZhILdQO5uXQ9UT0Xo9J5yc-9Ej0o' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "7527884a-6f73-4d4b-8078-64e35640629c",
"uri": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:cckm:aws_cks:7527884a-6f73-4d4b-8078-64e35640629c",
"account": "kylo:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb:admin:accounts:kylo-6d18dd9a-9302-4605-b19e-2d67eb0956eb",
"createdAt": "2022-07-27T21:12:48.903987Z",
"updatedAt": "2022-07-27T21:12:49.75161Z",
"name": "cks_1",
"kms": "aws_acc",
"region": "us-east-1",
"type": "LOCAL",
"credential_version": 1,
"kms_id": "8aa11278-2547-4a63-b0dd-1e1464e6433c",
"cloud_name": "aws",
"version_count": 0,
"aws_param": {
"custom_key_store_name": "cks_1",
"xks_proxy_uri_endpoint": "https://demo-xksproxy.test.com",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/7527884a-6f73-4d4b-8078-64e35640629c/kms/xks/v1",
"custom_key_store_type": "EXTERNAL_KEY_STORE",
"custom_key_store_id": "cks-8a87408fb819ddb94",
"xks_proxy_connectivity": "PUBLIC_ENDPOINT",
"connection_state": "DISCONNECTED"
},
"local_hosted_params": {
"blocked": false,
"policy": {
"reserved": false
},
"source_container_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
"source_container_type": "hsm-luna",
"linked_state": true,
"partition_label": "aws_cm_vpc_par1",
"partition_id": "f152b503-5f01-4735-b1ac-49c3a9734fa7",
"health_check_key_id": "615c1278-cfa4-4f85-8b0a-848dae3cafa2",
"health_check_ciphertext": "UYKUHavXloi8gKcRVFEc5SCLkUS8taf8EjqliRb3xSGUIMz4X2kRv9Qd7yog84IaYDF/SJ6EvMFjxGTCmQcCBFU=",
"max_credentials": 5
},
"access_key_id": "52EKEOV2JFCCNVSYRIV2",
"secret_access_key": "dc00ea89acd936f72409483623bb9f463662ec699d4cb34b01f20ef8ee1218fa",
"credential_count": 2,
"oldest_credentials_id": "8ceeb249-47cb-4f9a-bdaf-bd5de59c3174"
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
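Because rotation only adds a credential and every undeleted credential keeps working, a rotation is not finished until the previous credential has been deleted. The following Python is an added example, not CipherTrust Manager or CCKM code: it chains the rotate-credential call with the delete-credential call shown earlier on this page, keeps a configurable number of credentials as a grace window, and refuses to delete anything when the key store is unlinked (AWS KMS would then still hold the old credential). The list-credentials call it relies on (GET .../custom-key-stores/{id}/credentials returning resources with id and createdAt) is an assumed shape, FakeCckm is a constructed in-memory stand-in so the procedure runs offline, and the hostname and token are placeholders.

```python
"""Rotate an external custom key store credential, then retire the old one.

Added example, not CipherTrust Manager / CCKM code. It drives the endpoints on this page,
POST .../custom-key-stores/{id}/rotate-credential and DELETE .../credentials/{credential_id},
plus GET .../custom-key-stores/{id}/credentials, which is ASSUMED to list credentials as
{"resources": [{"id": ..., "createdAt": ...}]}. The HTTP layer is injected, so the procedure
runs offline against FakeCckm, a constructed in-memory stand-in for the real server.
"""
import uuid
from typing import Callable, Dict, Tuple

Response = Tuple[int, dict]                                  # (HTTP status, JSON body)
Transport = Callable[[str, str, Dict[str, str]], Response]   # (method, url, headers)


class RotationError(RuntimeError):
    pass


def rotate_and_retire(send: Transport, base_url: str, token: str,
                      store_id: str, keep: int = 2) -> dict:
    """Rotate the credential, then delete the oldest ones until `keep` remain.

    Rotation only ADDS a credential; the old ones keep authenticating to the XKS
    proxy until deleted. keep=2 leaves the previous credential alive as a grace
    window while AWS KMS switches over; call again with keep=1 to close it.
    If the key store is not linked, AWS KMS was not updated, so nothing is deleted.
    """
    if keep < 1:
        raise ValueError("keep must be >= 1 or the key store is left without a credential")
    prefix = f"{base_url}/api/v1/cckm/aws/custom-key-stores/{store_id}"
    headers = {"Authorization": f"Bearer {token}", "accept": "application/json"}

    status, body = send("POST", f"{prefix}/rotate-credential", headers)
    if status // 100 != 2:
        raise RotationError(f"rotate-credential failed: HTTP {status} {body}")
    store = body.get("application/json", body)
    if store["aws_param"].get("custom_key_store_type") != "EXTERNAL_KEY_STORE":
        raise RotationError("credential rotation applies only to EXTERNAL_KEY_STORE stores")
    result = {"new_credential": {"access_key_id": store["access_key_id"],
                                 "secret_access_key": store["secret_access_key"]},
              "deleted": [], "retired_old": False, "remaining": store["credential_count"]}
    if not store["local_hosted_params"].get("linked_state"):
        return result   # unlinked: update AWS KMS by hand before deleting anything

    status, body = send("GET", f"{prefix}/credentials", headers)
    if status != 200:
        raise RotationError(f"listing credentials failed: HTTP {status}")
    creds = sorted(body["resources"], key=lambda c: c["createdAt"])   # oldest first
    for cred in creds[:max(0, len(creds) - keep)]:
        status, _ = send("DELETE", f"{prefix}/credentials/{cred['id']}", headers)
        if status != 204:   # the page shows 204 for a successful delete
            raise RotationError(f"deleting credential {cred['id']} failed: HTTP {status}")
        result["deleted"].append(cred["id"])
    result["retired_old"] = True
    result["remaining"] = len(creds) - len(result["deleted"])
    return result


class FakeCckm:
    """Constructed stand-in for the CCKM API; behaviour at max_credentials is assumed."""

    def __init__(self, store_id: str, token: str = "tok", linked: bool = True,
                 max_credentials: int = 5):
        self.store_id, self.token, self.linked = store_id, token, linked
        self.max_credentials, self.creds, self._n = max_credentials, [], 0
        self._new_cred()

    def _new_cred(self) -> dict:
        self._n += 1
        cred = {"id": str(uuid.uuid4()), "createdAt": f"2023-05-10T18:{self._n:02d}:00Z",
                "access_key_id": f"AKIA{self._n:016d}", "secret_access_key": uuid.uuid4().hex}
        self.creds.append(cred)
        return cred

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> Response:
        if headers.get("Authorization") != f"Bearer {self.token}":
            return 401, {"error": "unauthorized"}
        prefix = f"/api/v1/cckm/aws/custom-key-stores/{self.store_id}"
        if method == "POST" and url.endswith(f"{prefix}/rotate-credential"):
            if len(self.creds) >= self.max_credentials:
                return 400, {"error": "max_credentials reached; delete a credential first"}
            cred = self._new_cred()
            return 200, {"application/json": {
                "id": self.store_id,
                "aws_param": {"custom_key_store_type": "EXTERNAL_KEY_STORE"},
                "local_hosted_params": {"linked_state": self.linked,
                                        "max_credentials": self.max_credentials},
                "access_key_id": cred["access_key_id"],
                "secret_access_key": cred["secret_access_key"],
                "credential_count": len(self.creds),
                "oldest_credentials_id": self.creds[0]["id"]}}
        if method == "GET" and url.endswith(f"{prefix}/credentials"):
            public = [{k: c[k] for k in ("id", "createdAt", "access_key_id")} for c in self.creds]
            return 200, {"total": len(public), "resources": public}
        if method == "DELETE" and f"{prefix}/credentials/" in url:
            cred_id, before = url.rsplit("/", 1)[1], len(self.creds)
            self.creds = [c for c in self.creds if c["id"] != cred_id]
            return (204, {}) if len(self.creds) < before else (404, {})
        return 404, {"error": f"no route for {method} {url}"}


if __name__ == "__main__":
    sid, base = "b5b7d549-b3d8-40e4-bfaa-58bebab31438", "https://ciphertrust.example.com"
    api = FakeCckm(sid)
    print(rotate_and_retire(api, base, "tok", sid, keep=2))   # grace window: 2 credentials
    print(rotate_and_retire(api, base, "tok", sid, keep=1))   # close it: only the newest remains
```

Against a real CipherTrust Manager, `send` would be a thin wrapper around an HTTPS client that returns the status code and parsed JSON; keep certificate verification on rather than mirroring the `-k` in the curl samples. The secret in `new_credential` is shown exactly once by the rotate call, so store it before retiring anything.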
Enable Auto Rotation of Credential for an External Custom Key Store
Use the POST /v1/cckm/aws/custom-key-stores/{id}/enable-credential-rotation-job
API to enable automatic rotation of the credential for the specified external custom key store, driven by the scheduler job identified by job_config_id. This API is only applicable to a custom key store of type EXTERNAL_KEY_STORE. The key store must also be in a linked state, so that each automatically rotated (new) credential is updated in AWS KMS.
As with manual rotation, all credentials (new and old) associated with the key store continue to work until deleted.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/enable-credential-rotation-job' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "job_config_id": "<scheduler_job_id>"\n}' --compressed
Path Parameter
Parameter | Type | Description |
---|---|---|
key_store_id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
job_config_id | string | ID of the scheduler job that will perform the credentials rotation. |
Example Request
curl -k 'https://aws-xks-test.thalescpl.io/api/v1/cckm/aws/custom-key-stores/b5b7d549-b3d8-40e4-bfaa-58bebab31438/enable-credential-rotation-job' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.xtMLcGf__9cM0d2EAPYaBOcGDIQIvrRuEt-QevwPAbM' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "job_config_id": "ff29eeec-82bf-4e15-81bb-ef7c43099203"\n}' --compressed
Example Response
{
"application/json": {
"id": "b5b7d549-b3d8-40e4-bfaa-58bebab31438",
"uri": "kylo:kylo:cckm:aws_cks:b5b7d549-b3d8-40e4-bfaa-58bebab31438",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-10T18:49:58.08837Z",
"labels": {
"job_config_id": "ff29eeec-82bf-4e15-81bb-ef7c43099203"
},
"updatedAt": "2023-05-10T18:51:14.346451Z",
"name": "test_keystore_2",
"kms": "AWS_KMS",
"region": "eu-west-3",
"type": "LOCAL",
"credential_version": 1,
"kms_id": "118844e7-2e53-43ed-b53e-567118a324e4",
"cloud_name": "aws",
"version_count": 0,
"aws_param": {
"custom_key_store_name": "test_keystore_2",
"xks_proxy_uri_endpoint": "https://aws-xks-test.thalescpl.io",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/b5b7d549-b3d8-40e4-bfaa-58bebab31438/kms/xks/v1",
"custom_key_store_type": "EXTERNAL_KEY_STORE",
"custom_key_store_id": "cks-193035a77a8239d6a",
"xks_proxy_connectivity": "PUBLIC_ENDPOINT",
"connection_state": "DISCONNECTED"
},
"local_hosted_params": {
"blocked": false,
"policy": {
"reserved": true
},
"source_container_type": "local",
"linked_state": true,
"health_check_key_id": "f1da90038f16465aa64345394864776543229c19156b405083724b1945ed3fcb",
"health_check_ciphertext": "fe6ad170985d3486dbb4946e159534433b19327c8f5d1859246ec84dafc366e0c6d6a59b9c4a252ad9c12480532928d259b29897b03ba3bf0331cef6a59e7b634e32bafe0c170e07",
"max_credentials": 20,
"source_key_tier": "local",
"mtls_enabled": false
},
"gone": false,
"enable_success_audit_event": true
}
}
The sample output shows that the custom key store with ID b5b7d549-b3d8-40e4-bfaa-58bebab31438 has been enabled for auto rotation using the scheduler job with ID ff29eeec-82bf-4e15-81bb-ef7c43099203. Note the labels object with its job_config_id entry in the output: its presence indicates that auto rotation of the credential is enabled.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Disable Auto Rotation of Credential for an External Custom Key Store
Use the POST /v1/cckm/aws/custom-key-stores/{id}/disable-credential-rotation-job
API to disable auto rotation of the credential for the specified external custom key store. This API is only applicable to a custom key store of type EXTERNAL_KEY_STORE. The key store must also be in a linked state.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/<key_store_id>/disable-credential-rotation-job' -X POST -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Path Parameter
Parameter | Type | Description |
---|---|---|
key_store_id | string | ID of the key store. This must be the UUID. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://aws-xks-test.thalescpl.io/api/v1/cckm/aws/custom-key-stores/b5b7d549-b3d8-40e4-bfaa-58bebab31438/disable-credential-rotation-job' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.xtMLcGf__9cM0d2EAPYaBOcGDIQIvrRuEt-QevwPAbM' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "b5b7d549-b3d8-40e4-bfaa-58bebab31438",
"uri": "kylo:kylo:cckm:aws_cks:b5b7d549-b3d8-40e4-bfaa-58bebab31438",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-10T18:49:58.08837Z",
"updatedAt": "2023-05-10T18:52:13.207313Z",
"name": "test_keystore_2",
"kms": "AWS_KMS",
"region": "eu-west-3",
"type": "LOCAL",
"credential_version": 1,
"kms_id": "118844e7-2e53-43ed-b53e-567118a324e4",
"cloud_name": "aws",
"version_count": 0,
"aws_param": {
"custom_key_store_name": "test_keystore_2",
"xks_proxy_uri_endpoint": "https://aws-xks-test.thalescpl.io",
"xks_proxy_uri_path": "/api/v1/cckm/aws/xks-proxy-endpoints/b5b7d549-b3d8-40e4-bfaa-58bebab31438/kms/xks/v1",
"custom_key_store_type": "EXTERNAL_KEY_STORE",
"custom_key_store_id": "cks-193035a77a8239d6a",
"xks_proxy_connectivity": "PUBLIC_ENDPOINT",
"connection_state": "DISCONNECTED"
},
"local_hosted_params": {
"blocked": false,
"policy": {
"reserved": true
},
"source_container_type": "local",
"linked_state": true,
"health_check_key_id": "f1da90038f16465aa64345394864776543229c19156b405083724b1945ed3fcb",
"health_check_ciphertext": "fe6ad170985d3486dbb4946e159534433b19327c8f5d1859246ec84dafc366e0c6d6a59b9c4a252ad9c12480532928d259b29897b03ba3bf0331cef6a59e7b634e32bafe0c170e07",
"max_credentials": 20,
"source_key_tier": "local",
"mtls_enabled": false
},
"gone": false,
"enable_success_audit_event": true
}
}
The sample output shows that auto rotation of the credential associated with the custom key store with ID b5b7d549-b3d8-40e4-bfaa-58bebab31438 has been disabled. Note that the labels object and its job_config_id entry, which appear in the output of the enable-credential-rotation-job API, are no longer present; their removal indicates that auto rotation of the credential is disabled.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
List Unused AWS CloudHSM Clusters
Use POST /v1/cckm/aws/custom-key-stores/get-unused-cloudhsm-clusters
to list CloudHSM clusters in the specified region that are not already associated with a CloudHSM key store.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/custom-key-stores/get-unused-cloudhsm-clusters' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "kms": "<kms_id>",\n "region": "<aws_region>"\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
kms | string | Name or ID of KMS resource from which the AWS CloudHSM clusters will be retrieved. |
region | string | AWS region from which the AWS CloudHSM clusters will be retrieved. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/custom-key-stores/get-unused-cloudhsm-clusters' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.tFKzjQYare-cQ0FQ7rTMyolVRsDU1SPuvw7AQfI4WR8' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "kms": "eab80374-04c2-468a-b732-ce90596f6db0",\n "region": "us-west-1"\n}' --compressed
Example Response
{
"application/json": {
"total": 2,
"detailed_status": "Unused CloudHSM cluster(s) found",
"resources": [
{
"BackupPolicy": "DEFAULT",
"BackupRetentionPolicy": {
"Type": "DAYS",
"Value": "45"
},
"Certificates": {
"AwsHardwareCertificate": null,
"ClusterCertificate": "-----BEGIN CERTIFICATE-----\nMIIEczCCAlsCCQCkL360L0D8ODANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJD\nQTELMAkGA1UECAwCUUMxETAPBgNVBAcMCE1vbnRyZWFsMRAwDgYDVQQKDAdHZW1h\nbHRvMQ0wCwYDVQQLDARJRFNTMRwwGgYDVQQDDBNUZXN0Q2xvdWRIU01DbHVzdGVy\nMB4XDTE4MDMwODIyMjMzNloXDTI4MDMwNzIyMjMzNlowgYoxRDAJBgNVBAYTAlVT\nMAkGA1UECAwCQ0EwDQYDVQQKDAZDYXZpdW0wDQYDVQQLDAZOM0ZJUFMwDgYDVQQH\nDAdTYW5Kb3NlMUIwQAYDVQQDDDlIU006ODYxNkE0MkY4Q0M5NEZEQkJGNTY5Q0ZE\nNkM1NUVCOlBBUlROOjgsIGZvciBGSVBTIG1vZGUwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQC6BOMjF7WK0M2hD6WbkW1qPkizTbF1+iAcZAjBTKn6DaFb\nY5fFl3vl52yRno66vWSMxnjcKxyDGBZ5mm+/cmk4sHgpCYnUKQ5hNy/aQP1ZM8IW\n5lYVqBRuqdhTFkEfYctuxjueiyyRU0rpUNWqEbFQO2h9MOtqI2qkogU9yzWASB6l\nekr/zAwl9qx6EEFW/B/VkN/v3a3CHqdYKu0ANDlNSI8481MQF29WtAmyCy6mUdIa\nRO/S/BcBxnIns+nTpvsd7EGtZ+TUPou+qbxgLQW0JOxg6kkUzS0SE370dtiqt0G3\nhjzpMF6fGo5Lz4Xhu4N6EgA/Q6zd0f9ZKjOIdI/xAgMBAAEwDQYJKoZIhvcNAQEL\nBQADggIBALbJkWPp4w+NjAc9b54I76gEE9Lb8y/oO6mk5yQo2nrvCYFqYcCjjD9G\ncQW7KmK300UuUVTTnfjEh4Txjdp4iy46GFBL5+Kn6p6Q6TMWU6CzCtDdWoNcbK+w\nofjotWtCe83NDfCJb0EBSZ8uvq12c7EczoCcyJVvaamRzmVG3f+h2qLgazudkY9s\nwYFNMzhXaw4z8FJpzEtC4QmmRV4zjZJYmA6Wzz9N0Rr8GhaVGAhM6rV8EvFP0Y8N\nz6W7/hQ8gmek8Ts+u7YMY0HWU6jY6jndnIoXGeBbVnYn04P6eJiSORhmz1ZF5YSC\nwMAUW+w6kkdItgSuHgLRzAPeJoxxlIjkQAOeHLF4WQCc2oaahtnbYZUgt5ADQmlS\nywu3qFCsheZiG5nMPQJu6zrVk1mLArGWXfXJZ7myZjZKKoXl3g/mTz1tqLj/CIl8\nZWYHyBrdLKNI9t3hTHAKtCD5S5LoOFkFHvVw6uZ5wwW5WyBvG5NFJr42Y0egK85L\n97q2avnfH4VuqN1MwhohcfC+E8tsbcE1n74rpoTNoDoOG1kLWWBu2QflIHW+zJMI\nC5uOK6QKckNiMdwsn1olbCABDPCuWXYCFF6qh252QDJGiHf94hKoelOjtujyT1cC\nlNJao5IdI6KtCoMcvHBBeioODUHQKi1MwCq3nCq/FyKh67qPobaA\n-----END CERTIFICATE-----\n",
"ClusterCsr": null,
"HsmCertificate": null,
"ManufacturerHardwareCertificate": null
},
"ClusterId": "cluster-7rq2hgwvl5o",
"CreateTimestamp": "2021-08-04T18:46:37.841Z",
"HsmType": "hsm1.medium",
"Hsms": [],
"PreCoPassword": null,
"SecurityGroup": "sg-01cd078a29065ebc0",
"SourceBackupId": "backup-tecrwims3np",
"State": "ACTIVE",
"StateMessage": null,
"SubnetMapping": {
"us-east-1a": "subnet-8e7983f9",
"us-east-1b": "subnet-8842a6d1",
"us-east-1d": "subnet-6d565145"
},
"TagList": [
{
"Key": "customer-issue",
"Value": "first-republic"
}
],
"VpcId": "vpc-4dc16428"
},
{
"BackupPolicy": "DEFAULT",
"BackupRetentionPolicy": {
"Type": "DAYS",
"Value": "1075"
},
"Certificates": {
"AwsHardwareCertificate": null,
"ClusterCertificate": "-----BEGIN CERTIFICATE-----\nMIIEczCCAlsCCQCkL360L0D8ODANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJD\nQTELMAkGA1UECAwCUUMxETAPBgNVBAcMCE1vbnRyZWFsMRAwDgYDVQQKDAdHZW1h\nbHRvMQ0wCwYDVQQLDARJRFNTMRwwGgYDVQQDDBNUZXN0Q2xvdWRIU01DbHVzdGVy\nMB4XDTE4MDMwODIyMjMzNloXDTI4MDMwNzIyMjMzNlowgYoxRDAJBgNVBAYTAlVT\nMAkGA1UECAwCQ0EwDQYDVQQKDAZDYXZpdW0wDQYDVQQLDAZOM0ZJUFMwDgYDVQQH\nDAdTYW5Kb3NlMUIwQAYDVQQDDDlIU006ODYxNkE0MkY4Q0M5NEZEQkJGNTY5Q0ZE\nNkM1NUVCOlBBUlROOjgsIGZvciBGSVBTIG1vZGUwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQC6BOMjF7WK0M2hD6WbkW1qPkizTbF1+iAcZAjBTKn6DaFb\nY5fFl3vl52yRno66vWSMxnjcKxyDGBZ5mm+/cmk4sHgpCYnUKQ5hNy/aQP1ZM8IW\n5lYVqBRuqdhTFkEfYctuxjueiyyRU0rpUNWqEbFQO2h9MOtqI2qkogU9yzWASB6l\nekr/zAwl9qx6EEFW/B/VkN/v3a3CHqdYKu0ANDlNSI8481MQF29WtAmyCy6mUdIa\nRO/S/BcBxnIns+nTpvsd7EGtZ+TUPou+qbxgLQW0JOxg6kkUzS0SE370dtiqt0G3\nhjzpMF6fGo5Lz4Xhu4N6EgA/Q6zd0f9ZKjOIdI/xAgMBAAEwDQYJKoZIhvcNAQEL\nBQADggIBALbJkWPp4w+NjAc9b54I76gEE9Lb8y/oO6mk5yQo2nrvCYFqYcCjjD9G\ncQW7KmK300UuUVTTnfjEh4Txjdp4iy46GFBL5+Kn6p6Q6TMWU6CzCtDdWoNcbK+w\nofjotWtCe83NDfCJb0EBSZ8uvq12c7EczoCcyJVvaamRzmVG3f+h2qLgazudkY9s\nwYFNMzhXaw4z8FJpzEtC4QmmRV4zjZJYmA6Wzz9N0Rr8GhaVGAhM6rV8EvFP0Y8N\nz6W7/hQ8gmek8Ts+u7YMY0HWU6jY6jndnIoXGeBbVnYn04P6eJiSORhmz1ZF5YSC\nwMAUW+w6kkdItgSuHgLRzAPeJoxxlIjkQAOeHLF4WQCc2oaahtnbYZUgt5ADQmlS\nywu3qFCsheZiG5nMPQJu6zrVk1mLArGWXfXJZ7myZjZKKoXl3g/mTz1tqLj/CIl8\nZWYHyBrdLKNI9t3hTHAKtCD5S5LoOFkFHvVw6uZ5wwW5WyBvG5NFJr42Y0egK85L\n97q2avnfH4VuqN1MwhohcfC+E8tsbcE1n74rpoTNoDoOG1kLWWBu2QflIHW+zJMI\nC5uOK6QKckNiMdwsn1olbCABDPCuWXYCFF6qh252QDJGiHf94hKoelOjtujyT1cC\nlNJao5IdI6KtCoMcvHBBeioODUHQKi1MwCq3nCq/FyKh67qPobaA\n-----END CERTIFICATE-----\n",
"ClusterCsr": null,
"HsmCertificate": null,
"ManufacturerHardwareCertificate": null
},
"ClusterId": "cluster-d5v3afg4pk2",
"CreateTimestamp": "2018-03-08T19:39:30.009Z",
"HsmType": "hsm1.medium",
"Hsms": [
{
"AvailabilityZone": "us-east-1b",
"ClusterId": "cluster-d5v3afg4pk2",
"EniId": "eni-9343f242",
"EniIp": "172.30.1.120",
"HsmId": "hsm-fs4hvzzrnjx",
"State": "ACTIVE",
"StateMessage": "HSM created.",
"SubnetId": "subnet-8842a6d1"
}
],
"PreCoPassword": null,
"SecurityGroup": "sg-5a43e82c",
"SourceBackupId": null,
"State": "ACTIVE",
"StateMessage": null,
"SubnetMapping": {
"us-east-1a": "subnet-8e7983f9",
"us-east-1b": "subnet-8842a6d1",
"us-east-1d": "subnet-6d565145"
},
"TagList": [],
"VpcId": "vpc-4dc16428"
}
]
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
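A cluster being unused does not make it usable. As an added example (not CCKM code), the following Python triages a get-unused-cloudhsm-clusters response against the AWS KMS prerequisites for a CloudHSM key store: the cluster must be ACTIVE and initialized (it carries a ClusterCertificate, the trust anchor), AWS KMS needs at least one ACTIVE HSM before it can connect the key store, and at least two ACTIVE HSMs in different Availability Zones before it will create keys in it. The sample input is a trimmed copy of the two clusters in the example response above, which have zero and one HSM respectively and therefore fail those checks, plus a constructed third cluster with made-up IDs that passes.

```python
"""Triage clusters returned by POST .../custom-key-stores/get-unused-cloudhsm-clusters.

Added example, not CCKM code. "Unused" only means no CloudHSM key store references the
cluster yet. AWS KMS additionally requires: cluster State ACTIVE and initialized (a
ClusterCertificate, the trust anchor, is present); at least one ACTIVE HSM to connect a
key store; at least two ACTIVE HSMs in different Availability Zones to create keys.
SAMPLE_RESPONSE trims the two clusters from the page plus one constructed cluster.
"""
from dataclasses import dataclass, field
from typing import Dict, List

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


@dataclass
class ClusterReadiness:
    cluster_id: str
    connectable: bool          # AWS KMS can connect a key store to this cluster
    key_creation_ready: bool   # AWS KMS can create keys in that key store
    active_hsms: int
    availability_zones: List[str]
    problems: List[str] = field(default_factory=list)


def assess_cluster(cluster: dict) -> ClusterReadiness:
    """Check one cluster record (DescribeClusters shape) against the AWS KMS prerequisites."""
    problems: List[str] = []
    if cluster.get("State") != "ACTIVE":
        problems.append(f"cluster state is {cluster.get('State')!r}, must be ACTIVE")
    cert = (cluster.get("Certificates") or {}).get("ClusterCertificate") or ""
    if not cert.startswith(PEM_HEADER):
        problems.append("no ClusterCertificate: cluster is not initialized (no trust anchor)")
    usable = not problems

    active = [h for h in (cluster.get("Hsms") or []) if h.get("State") == "ACTIVE"]
    azs = sorted({h["AvailabilityZone"] for h in active})
    if not active:
        problems.append("no ACTIVE HSM: AWS KMS cannot connect a key store to this cluster")
    connectable = usable and bool(active)
    if len(azs) < 2:
        problems.append(f"{len(active)} ACTIVE HSM(s) across {len(azs)} AZ(s): "
                        "AWS KMS needs two in different AZs before it creates keys")
    return ClusterReadiness(cluster["ClusterId"], connectable, connectable and len(azs) >= 2,
                            len(active), azs, problems)


def triage(response: dict) -> Dict[str, ClusterReadiness]:
    """Assess every cluster in a get-unused-cloudhsm-clusters response, keyed by ClusterId."""
    body = response.get("application/json", response)
    return {r.cluster_id: r for r in map(assess_cluster, body.get("resources", []))}


def _hsm(cluster_id: str, az: str, n: int) -> dict:          # constructed HSM record
    return {"AvailabilityZone": az, "ClusterId": cluster_id, "HsmId": f"hsm-constructed{n}",
            "State": "ACTIVE", "SubnetId": f"subnet-constructed{n}"}


CERT = PEM_HEADER + "\nMIIEczCCAlsCCQCkL360L0D8ODANBgkqhkiG9w0BAQsFADBs (truncated)\n-----END CERTIFICATE-----\n"

SAMPLE_RESPONSE = {"application/json": {"total": 3, "resources": [
    # From the page: restored from a backup, ACTIVE, but holds no HSMs yet.
    {"ClusterId": "cluster-7rq2hgwvl5o", "State": "ACTIVE", "HsmType": "hsm1.medium",
     "Hsms": [], "SourceBackupId": "backup-tecrwims3np",
     "Certificates": {"ClusterCertificate": CERT}},
    # From the page: one ACTIVE HSM in us-east-1b.
    {"ClusterId": "cluster-d5v3afg4pk2", "State": "ACTIVE", "HsmType": "hsm1.medium",
     "Hsms": [{"AvailabilityZone": "us-east-1b", "ClusterId": "cluster-d5v3afg4pk2",
               "EniIp": "172.30.1.120", "HsmId": "hsm-fs4hvzzrnjx", "State": "ACTIVE",
               "SubnetId": "subnet-8842a6d1"}],
     "Certificates": {"ClusterCertificate": CERT}},
    # Constructed: two ACTIVE HSMs in different AZs, so keys can be created.
    {"ClusterId": "cluster-constructed01", "State": "ACTIVE", "HsmType": "hsm1.medium",
     "Hsms": [_hsm("cluster-constructed01", "us-east-1a", 1),
              _hsm("cluster-constructed01", "us-east-1d", 2)],
     "Certificates": {"ClusterCertificate": CERT}},
]}}

if __name__ == "__main__":
    for cid, r in triage(SAMPLE_RESPONSE).items():
        verdict = ("READY" if r.key_creation_ready
                   else "CONNECT ONLY" if r.connectable else "NOT USABLE")
        print(f"{cid}: {verdict}; " + ("; ".join(r.problems) or "no problems"))
```

Run it before creating a CloudHSM key store from one of the listed clusters: a cluster that is merely "unused" may still need HSMs added (and the second HSM placed in another Availability Zone) before AWS KMS will connect to it or create keys in it.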
Create an AWS HYOK Key (External Key)
Use POST /v1/cckm/aws/create-hyok-key
to create an AWS HYOK (Hold Your Own Key) key, which links a virtual key to an external custom key store. The corresponding key in AWS KMS is referred to as an "external key".
Currently, HYOK keys can be created only in a locally hosted key store, and only in the "unlinked" state: the key is not created automatically in AWS KMS and is not kept in sync with AWS KMS. Use the link API to create the corresponding external key in AWS KMS afterwards.
HYOK keys in locally hosted key stores require the following two values:
-
Source Key ID (virtual key ID).
-
Custom key store ID.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/create-hyok-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "local_hosted_params": {\n "source_key_id": "<source_key_id>",\n "custom_key_store_id": "<external_custom_key_store_id>",\n "blocked": <boolean_Value>\n }\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
local_hosted_params | JSON | Local hosted parameters for the AWS HYOK key. |
Local Hosted Parameters
Parameter | Type | Description |
---|---|---|
blocked | boolean | Whether AWS KMS is blocked from performing cryptographic operations with this key. Set to false by default. |
custom_key_store_id | string | External custom key store ID. Required for locally hosted custom key store. |
source_key_id | string | Source Key ID. Required for locally hosted custom key store. |
policy | JSON | This parameter is not currently read. It will be functional in a future release. |
Policy Parameters
Parameter | Type | Description |
---|---|---|
reserved | boolean | This parameter is not currently read. It will be functional in a future release. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/create-hyok-key' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.KuRRb6VErQRxIcvexxSOBLgGllJV3zLgZErwXZKjE2w' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "local_hosted_params": {\n "source_key_id": "8658e434-1be1-4da6-9c6b-d4ec4f0e91f9",\n "custom_key_store_id": "677f9689-b2af-4fdb-ad9a-71cac77f6789",\n "blocked": false\n }\n}' --compressed
Example Response
{
"application/json": {
"id": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"uri": "kylo:kylo:cckm:aws-key:677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-24T04:10:56.180805743Z",
"updatedAt": "2020-07-24T04:10:56.177874659Z",
"kms_id": "ebdd67ec-a87b-4ae6-ae71-fd4dd3e3a5ad",
"kms": "kms-name",
"rotation_status": "",
"synced_at": "2020-07-24T04:10:56.125474304Z",
"local_key_id": "0c20bd6137334d0d832e65cb38aec32165d0ace291ba4a7c939afb987ef2e8e0",
"local_key_name": "aes-local-key",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-southeast-1",
"gone": false,
"key_material_origin": "cckm",
"locally_hosted": true,
"local_hosted_params": {
"blocked": false,
"policy": {
"reserved": false
},
"custom_key_store_id": "677f9689-b2af-4fdb-ad9a-71cac77f6789",
"linked_state": false,
"source_key_id": "8658e434-1be1-4da6-9c6b-d4ec4f0e91f9"
},
"aws_param": {
"XksKeyConfiguration": {
"Id": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0"
}
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
List AWS HYOK Key Versions
Use GET /v1/cckm/aws/keys/{id}/versions
to list the versions of the AWS HYOK key.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/keys/<aws_hyok_key_id>/versions?<query_parameters>' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the AWS HYOK key. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
skip | integer | The index of the first resource to return. Equivalent to 'offset' in SQL. |
limit | integer | The max number of resources to return. Equivalent to 'limit' in SQL. |
sort | string | The fields to sort results by. This should be a comma-delimited list of properties. Multiple properties will result in a multi-column sort. Sort order is ascending by default. To have a descending sort for a field, precede the field name with a minus sign ("-"). For example: name,-createdAt will sort the results first by name , ascending, then by createdAt , descending. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/keys/123456/versions?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.edjyTlN5tAcUPne0b26YJIdg6mZX69bdwFSFplWE8vk' -H 'accept: application/json' --compressed
Example Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "dfd88e59-b621-45d4-8f19-62d8ea6956e8",
"uri": "kylo:kylo:cckm:subscription:dfd88e59-b621-45d4-8f19-62d8ea6956e8",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-15T10:19:09.246956Z",
"updatedAt": "2020-09-15T10:19:09.245242Z",
"source_key_id": "c0d7f123-6058-418c-bcb0-5e68701df111",
"version": 0
},
{
"id": "dfd88e59-b621-45d4-8f19-62d8ea6956e9",
"uri": "kylo:kylo:cckm:subscription:dfd88e59-b621-45d4-8f19-62d8ea6956e9",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-09-15T10:19:09.246956Z",
"updatedAt": "2020-09-15T10:19:09.245242Z",
"source_key_id": "c0d7f123-6058-418c-bcb0-5e68701df222",
"version": 1
}
]
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Block AWS HYOK key
Use POST /v1/cckm/aws/keys/{id}/block
to block AWS KMS from performing cryptographic operations with the AWS HYOK key.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/keys/<aws_hyok_key_id>/block' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the AWS HYOK key. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/keys/123456/block' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.RsGQEMy8hGlgGahHl_rnhwtnLy6i_wQfXb-AAOJa30I' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"uri": "kylo:kylo:cckm:aws-key:677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-24T04:10:56.180805743Z",
"updatedAt": "2020-07-24T04:10:56.177874659Z",
"kms_id": "ebdd67ec-a87b-4ae6-ae71-fd4dd3e3a5ad",
"kms": "kms-name",
"rotation_status": "ACTIVE",
"synced_at": "2020-07-24T04:10:56.125474304Z",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-southeast-1",
"gone": false,
"key_material_origin": "native",
"key_source": "hsm-luna",
"blocked": true,
"linked_state": false,
"custom_key_store_id": "eb4fc6ee-35f7-42c7-9116-37fdecb43941",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-southeast-1:123456789012:key/677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "Description",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-07-24T04:10:55Z",
"Policy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
},
"Alias": [
"alias/Test"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Unblock AWS HYOK key
Use POST /v1/cckm/aws/keys/{id}/unblock
to allow AWS KMS to perform cryptographic operations with the AWS HYOK key.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/keys/<aws_hyok_key_id>/unblock' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Path Parameters
Parameter | Type | Description |
---|---|---|
id | string | ID of the AWS HYOK key. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/keys/123456/unblock' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.RsGQEMy8hGlgGahHl_rnhwtnLy6i_wQfXb-AAOJa30I' -H 'accept: application/json' --compressed
Example Response
{
"application/json": {
"id": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"uri": "kylo:kylo:cckm:aws-key:677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-24T04:10:56.180805743Z",
"updatedAt": "2020-07-24T04:10:56.177874659Z",
"kms_id": "ebdd67ec-a87b-4ae6-ae71-fd4dd3e3a5ad",
"kms": "kms-name",
"rotation_status": "ACTIVE",
"synced_at": "2020-07-24T04:10:56.125474304Z",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-southeast-1",
"gone": false,
"key_material_origin": "native",
"local_hosted_params": {
"blocked": false
},
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-southeast-1:123456789012:key/677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "Description",
"Enabled": false,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"KeyManager": "CUSTOMER",
"KeyState": "Disabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-07-24T04:10:55Z",
"Policy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
},
"Alias": [
"alias/Test"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Link an Unlinked AWS HYOK key
Use POST /v1/cckm/aws/keys/{id}/link
to link an unlinked AWS HYOK key in a local external custom key store.
Syntax
curl -k 'https://<ciphertrust_FQDN>/api/v1/cckm/aws/keys/<aws_hyok_key_id>/link' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "aws_param": {\n "Alias": "alias/<key_alias>",\n "Tags": [\n {\n "TagKey": "<tag_key>",\n "TagValue": "<tag_value>"\n }\n ],\n "Policy": { <key_policy> },\n "BypassPolicyLockoutSafetyCheck": false\n },\n "external_accounts": [\n <external_accounts>\n ],\n "key_admins": [\n <key_admins>\n ],\n "key_admins_roles": [\n <key_admins_roles>\n ],\n "key_users": [\n <key_users>\n ],\n "key_users_roles": [\n <key_users_roles>\n ],\n "policytemplate": "<policytemplate>"\n}' --compressed
Path parameter
Parameter | Type | Description |
---|---|---|
id | string | ID of the AWS HYOK key. |
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization Token |
aws_param | JSON | AWS key parameters. |
external_accounts | array | AWS accounts that can use this key. External accounts are mutually exclusive to policy and policy template. If no policy parameters are specified the default policy is used. |
key_admins | array | IAM users who can administer this key using the KMS API. Key admins are mutually exclusive to policy and policy template. If no policy parameters are specified the default policy is used. |
key_admins_roles | array | IAM roles that can administer this key using the KMS API. Key admins are mutually exclusive to policy and policy template. If no policy parameters are specified the default policy is used. |
key_users | array | IAM users who can use the KMS key in cryptographic operations. Key users are mutually exclusive to policy and policy template. If no policy parameters are specified the default policy is used. |
key_users_roles | array | IAM roles that can use the KMS key in cryptographic operations. Key users are mutually exclusive to policy and policy template. If no policy parameters are specified the default policy is used. |
policytemplate | string | ID of the policy template to apply. Policy template is mutually exclusive to all other policy parameters. If no policy parameters are specified the default policy is used. |
AWS Key Parameters
Parameter | Type | Description |
---|---|---|
Alias | string | Alias for the KMS key. |
BypassPolicyLockoutSafetyCheck | boolean | Whether to bypass the key policy lockout safety check. The check rejects a key policy that would no longer allow the calling principal to change the policy (kms:PutKeyPolicy). Leave false unless you have confirmed that the policy keeps the key manageable; otherwise the key policy can become impossible to change. |
Description | string | Description of the KMS key. |
Policy | JSON | Key policy to attach to the KMS key. Policy is mutually exclusive to all other policy parameters. If no policy parameters are specified the default policy is used. |
Tags | array | Optional tags for the KMS key. |
TagKey | string | Key for the tag. |
TagValue | string | Value corresponding to key of the tag. |
Example Request
curl -k 'https://ciphertrust.mycompany.com/api/v1/cckm/aws/keys/1234567/link' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.0t1RgwRNA8bW6UOEm1SHY0emNjP0chJ6HGj242HUOMY' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "aws_param": {\n "Alias": "alias/projectKey1",\n "Tags": [\n {\n "TagKey": "key",\n "TagValue": "value"\n }\n ],\n "Policy": {\n "Version": "2012-10-17",\n "Id": "key-default-1",\n "Statement": [\n {\n "Sid": "Enable IAM User Permissions",\n "Effect": "Allow",\n "Principal": {\n "AWS": "arn:aws:iam::123456789012:root"\n },\n "Action": "kms:*",\n "Resource": "*"\n }\n ]\n },\n "BypassPolicyLockoutSafetyCheck": false\n }\n}' --compressed
Example Response
{
"application/json": {
"id": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"uri": "kylo:kylo:cckm:aws-key:677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-24T04:10:56.180805743Z",
"updatedAt": "2020-07-24T04:10:56.177874659Z",
"kms_id": "ebdd67ec-a87b-4ae6-ae71-fd4dd3e3a5ad",
"kms": "kms-name",
"rotation_status": "ACTIVE",
"synced_at": "2020-07-24T04:10:56.125474304Z",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-southeast-1",
"gone": false,
"key_material_origin": "native",
"key_source": "hsm-luna",
"blocked": true,
"linked_state": true,
"custom_key_store_id": "eb4fc6ee-35f7-42c7-9116-37fdecb43941",
"aws_param": {
"AWSAccountId": "123456789012",
"Arn": "arn:aws:kms:ap-southeast-1:123456789012:key/677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"Description": "Description",
"Enabled": true,
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
],
"KeyID": "677f9689-b2af-4fdb-ad9a-71cac77f7fa0",
"KeyManager": "CUSTOMER",
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"CreationDate": "2020-07-24T04:10:55Z",
"Policy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
},
"Alias": [
"alias/Test"
],
"Tags": [
{
"TagKey": "key",
"TagValue": "value"
}
],
"KeyRotationEnabled": false
}
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
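The parameter tables above describe several mutually exclusive ways to set the key policy and a safety check that is easy to defeat by accident. As an added example (not CCKM or AWS code), the following Python builds a link request body and rejects the combinations the tables forbid before anything is sent. It also performs a local approximation of the AWS KMS key policy lockout safety check: unless BypassPolicyLockoutSafetyCheck is true, the policy must grant some principal kms:PutKeyPolicy (directly or through a wildcard such as kms:*), because a policy that grants it to nobody leaves the key unmanageable. The alias rules and the policy language version 2012-10-17 are AWS KMS requirements rather than CCKM ones; EXAMPLE_POLICY is the policy from the example request above; tags are passed as a dict for convenience and emitted in the page's TagKey/TagValue form.

```python
"""Build and pre-validate the body of POST /api/v1/cckm/aws/keys/{id}/link.

Added example, not CCKM code. Enforces the rules from the parameter tables: aws_param.Policy,
policytemplate and the IAM principal lists are mutually exclusive, and omitting all of them
means AWS KMS applies its default key policy. Also approximates the AWS KMS key policy
lockout safety check locally: unless the bypass flag is set, some Allow statement with a
principal must match kms:PutKeyPolicy, or nobody could ever change the policy again.
"""
from fnmatch import fnmatchcase
from typing import Any, Dict, Iterable, List, Optional

PRINCIPAL_LISTS = ("external_accounts", "key_admins", "key_admins_roles",
                   "key_users", "key_users_roles")
IAM_POLICY_VERSION = "2012-10-17"   # the only current IAM policy language version


class LinkRequestError(ValueError):
    pass


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def grants_put_key_policy(policy: dict) -> bool:
    """True if some Allow statement with a principal matches kms:PutKeyPolicy (wildcards ok)."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not st.get("Principal"):
            continue
        for action in _as_list(st.get("Action", [])):
            if fnmatchcase("kms:putkeypolicy", str(action).lower()):
                return True
    return False


def build_link_request(alias: Optional[str] = None, description: Optional[str] = None,
                       tags: Optional[Dict[str, str]] = None, policy: Optional[dict] = None,
                       policytemplate: Optional[str] = None,
                       bypass_policy_lockout_safety_check: bool = False,
                       **principals: Iterable[str]) -> dict:
    """Return the JSON body for the link API, or raise LinkRequestError on a bad combination."""
    unknown = set(principals) - set(PRINCIPAL_LISTS)
    if unknown:
        raise LinkRequestError(f"unknown parameters: {sorted(unknown)}")
    principals = {k: list(v) for k, v in principals.items() if v}   # drop empty lists

    mechanisms = [name for name, used in (("aws_param.Policy", policy is not None),
                                          ("policytemplate", policytemplate is not None),
                                          ("IAM principal lists", bool(principals))) if used]
    if len(mechanisms) > 1:
        raise LinkRequestError("mutually exclusive policy inputs: " + ", ".join(mechanisms))

    aws_param: Dict[str, Any] = {
        "BypassPolicyLockoutSafetyCheck": bool(bypass_policy_lockout_safety_check)}
    if alias is not None:
        if not alias.startswith("alias/") or alias.startswith("alias/aws/"):
            raise LinkRequestError("Alias must start with 'alias/'; 'alias/aws/' is reserved by AWS")
        aws_param["Alias"] = alias
    if description:
        aws_param["Description"] = description
    if tags:
        aws_param["Tags"] = [{"TagKey": k, "TagValue": v} for k, v in tags.items()]
    if policy is not None:
        if policy.get("Version") != IAM_POLICY_VERSION:
            raise LinkRequestError(f"Policy.Version must be {IAM_POLICY_VERSION!r}, "
                                   f"got {policy.get('Version')!r}")
        if not bypass_policy_lockout_safety_check and not grants_put_key_policy(policy):
            raise LinkRequestError("policy grants nobody kms:PutKeyPolicy; the key would be "
                                   "unmanageable (lockout safety check)")
        aws_param["Policy"] = policy

    body: Dict[str, Any] = {"aws_param": aws_param}
    if policytemplate is not None:
        body["policytemplate"] = policytemplate
    body.update(principals)
    return body


# Key policy from the page's example request (account ID is the page's placeholder).
EXAMPLE_POLICY = {
    "Version": IAM_POLICY_VERSION,
    "Id": "key-default-1",
    "Statement": [{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "kms:*", "Resource": "*"}],
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_link_request(alias="alias/projectKey1", tags={"key": "value"},
                                        policy=EXAMPLE_POLICY), indent=2))
```

The lockout check here is deliberately narrower than the one AWS KMS performs (AWS evaluates whether the calling principal specifically retains kms:PutKeyPolicy, including through IAM policies); it catches the common mistake of a policy that grants management rights to nobody, which is the case the bypass flag exists to override on purpose.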