
Importing Key Material to AWS KMS

Use the post /v1/cckm/aws/keys/{id}/import-material API to import the key material to the AWS KMS.

Syntax

curl -k '<IP>/api/v1/cckm/aws/keys/{id}/import-material' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "source_key_tier": "<source_key_tier>",\n  "source_key_identifier": "<source_key_identifier>",\n  "key_expiration": <boolean>,\n  "valid_to": "<key validity>"\n}' --compressed

Here, {id} represents the key material ID.

Request Parameters

Parameter | Type | Description
AUTHTOKEN | string | Authorization token.
key_expiration | boolean | Flag to disable encryption on the key being rotated.
source_key_tier | string | Tier of the source. Possible options are:
• local (default)
• dsm
source_key_identifier | string | Name or ID of the key to be imported to the AWS KMS.
• If source_key_tier is local, this is the ID of the CipherTrust Manager key to be uploaded. By default, a new CipherTrust Manager key is generated automatically.
• If source_key_tier is dsm, this is the ID of the DSM key to be uploaded. In this case source_key_identifier is a mandatory parameter.
If the key material is reimported, AWS allows reimporting the same key material only. It is therefore mandatory to provide the source_key_identifier of the same CipherTrust Manager or DSM key that was imported previously.
valid_to | string | Key expiration time of the newly rotated key; it must be formatted as per RFC 3339.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/40387a72-6e24-4cdd-8840-b586757c44bf/import-material' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.j_7biN5YJm188ZzU-IMDsTxJ3X57GbzkOxunP4XE6J0' -H 'Content-Type: application/json' --data-binary $'{\n  "source_key_identifier": "test-key",\n  "key_expiration": true,\n  "valid_to": "2020-12-04T06:51:18.505860192Z"\n}' --compressed

Example Response

{
    "id": "40387a72-6e24-4cdd-8840-b586757c44bf",
    "uri": "kylo:kylo:cckm:aws-key:40387a72-6e24-4cdd-8840-b586757c44bf",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2020-11-05T07:01:48.965088Z",
    "updatedAt": "2020-11-05T07:02:26.388806901Z",
    "kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
    "kms": "kms",
    "synced_at": "2020-11-05T07:01:48.959221Z",
    "rotation_status": "",
    "local_key_id": "361d928ac7e340d093e7d231c80ca934acc62528601647ce86a219c9a82f4f93",
    "local_key_name": "test-key",
    "cloud_name": "aws",
    "key_type": "symmetric",
    "basic_view_enabled": false,
    "region": "ap-south-1",
    "gone": false,
    "key_material_origin": "cckm",
    "aws_param": {
        "AWSAccountId": "123456789012",
        "Arn": "arn:aws:kms:ap-south-1:123456789012:key/031c5703-aaf7-425e-a141-7e0c6f5886ab",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "Enabled": true,
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ],
        "KeyID": "031c5703-aaf7-425e-a141-7e0c6f5886ab",
        "KeyManager": "CUSTOMER",
        "KeyState": "Enabled",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "Origin": "EXTERNAL",
        "CreationDate": "2020-11-05T07:01:36Z",
        "Policy": {
            "Id": "key-default-1",
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "Enable IAM User Permissions",
                    "Action": "kms:*",
                    "Effect": "Allow",
                    "Resource": "*",
                    "Principal": {
                        "AWS": "arn:aws:iam::123456789012:root"
                    }
                }
            ]
        },
        "Alias": [
            "alias/aws-test-key-External"
        ],
        "Tags": [
            {
                "TagKey": "key",
                "TagValue": "value"
            }
        ],
        "ValidTo": "2020-12-04T06:51:18.505860192Z",
        "KeyRotationEnabled": false,
        "ExpirationModel": "KEY_MATERIAL_EXPIRES"
    }
}

The sample output shows that the key material has been imported to the AWS KMS. Because the key was not created in the AWS KMS, its Origin is EXTERNAL. A unique ID (40387a72-6e24-4cdd-8840-b586757c44bf) for the imported key is returned.
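The following Python script is an added example (not code from the Thales documentation or from CipherTrust Manager) that builds the import-material request body while enforcing the rules from the parameter table above, and then inspects the response to confirm that the key reports Origin EXTERNAL, is enabled, and carries the requested ValidTo. It assumes only the endpoint path and field names documented on this page; BASE_URL, the bearer token and the key ID are placeholders, and the embedded sample response is a trimmed copy of the one shown above.

```python
"""Build, validate and check a CCKM import-material request (added example).

Not code from the Thales documentation; assumes only the endpoint path and
field names documented on the page. BASE_URL, token and key ID are placeholders.
"""
import json
import re
import ssl
import urllib.request
from datetime import datetime, timedelta, timezone

BASE_URL = "https://cm.example.internal"  # placeholder host, not a real CipherTrust Manager
IMPORT_PATH = "/api/v1/cckm/aws/keys/{id}/import-material"
_RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?(Z|[+-]\d{2}:\d{2})$"
)


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp (up to nine fractional digits) into an aware datetime."""
    m = _RFC3339.match(value)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    y, mo, d, h, mi, s, frac, tz = m.groups()
    micro = int((frac or "0").ljust(6, "0")[:6])  # datetime resolution stops at microseconds
    if tz == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        tzinfo = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6])))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro, tzinfo=tzinfo)


def build_import_body(source_key_identifier=None, source_key_tier="local",
                      key_expiration=False, valid_to=None, now=None):
    """Return the request body, enforcing the constraints the parameter table states."""
    if source_key_tier not in ("local", "dsm"):
        raise ValueError("source_key_tier must be 'local' or 'dsm'")
    if source_key_tier == "dsm" and not source_key_identifier:
        raise ValueError("source_key_identifier is mandatory when source_key_tier is 'dsm'")
    body = {"source_key_tier": source_key_tier, "key_expiration": bool(key_expiration)}
    if source_key_identifier:
        body["source_key_identifier"] = source_key_identifier
    if key_expiration:
        if valid_to is None:
            raise ValueError("valid_to is required when key_expiration is true")
        if parse_rfc3339(valid_to) <= (now or datetime.now(timezone.utc)):
            raise ValueError("valid_to must lie in the future")
        body["valid_to"] = valid_to
    return body


def check_import_response(resp, requested_valid_to=None):
    """Return a list of findings about the imported key; an empty list means it looks healthy."""
    problems = []
    p = resp.get("aws_param", {})
    if p.get("Origin") != "EXTERNAL":
        problems.append(f"Origin is {p.get('Origin')!r}, expected EXTERNAL for imported material")
    if p.get("KeyState") != "Enabled":
        problems.append(f"KeyState is {p.get('KeyState')!r}")
    if p.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES":
        if "ValidTo" not in p:
            problems.append("ExpirationModel is KEY_MATERIAL_EXPIRES but ValidTo is missing")
        elif requested_valid_to and parse_rfc3339(p["ValidTo"]) != parse_rfc3339(requested_valid_to):
            problems.append(f"ValidTo {p['ValidTo']} differs from requested {requested_valid_to}")
    # Flag key policy statements that grant access to every AWS principal.
    for st in p.get("Policy", {}).get("Statement", []):
        principal = st.get("Principal")
        if st.get("Effect") == "Allow" and (
            principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        ):
            problems.append(f"policy statement {st.get('Sid')!r} allows principal '*'")
    return problems


def send_import(key_id, token, body, base_url=BASE_URL, cafile=None):
    """POST the body to CCKM, verifying the server certificate (the page's curl -k skips that)."""
    req = urllib.request.Request(
        base_url + IMPORT_PATH.format(id=key_id),
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as r:
        return json.load(r)


# Trimmed copy of the page's example response, embedded so the check runs offline.
SAMPLE_RESPONSE = {
    "id": "40387a72-6e24-4cdd-8840-b586757c44bf",
    "aws_param": {
        "KeyID": "031c5703-aaf7-425e-a141-7e0c6f5886ab",
        "KeyState": "Enabled",
        "Origin": "EXTERNAL",
        "Policy": {"Statement": [{"Sid": "Enable IAM User Permissions", "Action": "kms:*",
                                  "Effect": "Allow", "Resource": "*",
                                  "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]},
        "ValidTo": "2020-12-04T06:51:18.505860192Z",
        "ExpirationModel": "KEY_MATERIAL_EXPIRES",
    },
}

if __name__ == "__main__":
    print(json.dumps(build_import_body("test-key", key_expiration=True, valid_to="2099-12-04T06:51:18Z"), indent=2))
    print(check_import_response(SAMPLE_RESPONSE, "2020-12-04T06:51:18.505860192Z") or "import looks healthy")
```

The body builder rejects the combinations the table rules out (a dsm tier without source_key_identifier, key_expiration without a valid_to, a valid_to that is malformed or already in the past), so a bad request fails locally before a token is spent on it. send_import deliberately verifies the server certificate instead of mirroring the -k in the curl syntax; pass cafile when the CipherTrust Manager uses a private CA.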

To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.

Response Codes

Response Code | Description
2xx | Success
4xx | Client errors
5xx | Server errors

Refer to HTTP status codes for details.