Enabling Key for Rotation Job

Use the POST /v1/cckm/aws/keys/{id}/enable-rotation-job API to enable an AWS key for a scheduled rotation job. Before calling this API, create a new rotation job configuration; its job_config_id is required in the request. Refer to Scheduling Key Rotation for details.

Syntax

curl -k '<IP>/api/v1/cckm/aws/keys/{id}/enable-rotation-job' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "job_config_id": "<job config id>",\n  "auto_rotate_disable_encrypt": <boolean>\n}' --compressed

Here, {id} represents the key ID.

Request Parameters

| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| auto_rotate_domain_id | string | ID of the domain in which the DSM key will be created. |
| auto_rotate_key_source | string | Source of the key material. Possible options are dsm and ciphertrust. The default key source is ciphertrust. |
| job_config_id | string | ID of the scheduler configuration job that will schedule the key rotation. |
| auto_rotate_disable_encrypt | boolean | Flag to disable encryption on the old key. |

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/f36e8dbb-0259-4c61-a35f-d74b6d39effc/enable-rotation-job' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "job_config_id": "b080efd5-946f-4d59-b6e4-11ba362d9c98",\n  "auto_rotate_disable_encrypt": true\n}' --compressed

Example Response

{
"id": "f36e8dbb-0259-4c61-a35f-d74b6d39effc",
"uri": "kylo:kylo:cckm:aws-key:f36e8dbb-0259-4c61-a35f-d74b6d39effc",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:57:55.533058Z",
"updatedAt": "2020-11-05T06:58:08.450289264Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"labels": {
    "disable_encrypt_on_auto_rotate": "true",
    "job_config_id": "b080efd5-946f-4d59-b6e4-11ba362d9c98"
},
"synced_at": "2020-11-05T06:57:55.527352Z",
"rotation_status": "",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
    "AWSAccountId": "123456789012",
    "Arn": "arn:aws:kms:ap-south-1:123456789012:key/9905c8da-2a0f-4666-a9c9-555c2567a242",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "Enabled": true,
    "EncryptionAlgorithms": [
        "SYMMETRIC_DEFAULT"
    ],
    "KeyID": "9905c8da-2a0f-4666-a9c9-555c2567a242",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "AWS_KMS",
    "CreationDate": "2020-11-05T06:57:42Z",
    "Policy": {
        "Id": "key-default-1",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Action": "kms:*",
                "Effect": "Allow",
                "Resource": "*",
                "Principal": {
                    "AWS": "arn:aws:iam::123456789012:root"
                }
            }
        ]
    },
    "Alias": [
        "alias/aws-test-key-1"
    ],
    "Tags": [
        {
            "TagKey": "key",
            "TagValue": "value"
        }
    ],
    "KeyRotationEnabled": false
}
}

The sample output shows that the key (with ID a22742b4-2ad9-4f4a-9103-3507bed1420e) is enabled for the scheduled key rotation.

For more information about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
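
An added example, not part of the original documentation: Python code that builds this request with certificate verification left on (the curl commands on this page pass -k, which skips it) and checks that the labels in the response match what was requested. The function names, the UUID check on the IDs and the handling of a false flag are assumptions; the sample is trimmed from the Example Response above.

```python
import json
import ssl
import urllib.request
import uuid

def build_request(base_url, key_id, token, job_config_id, disable_encrypt):
    """Build the enable-rotation-job POST; IDs must parse as UUIDs (assumption)."""
    key_id, job_config_id = str(uuid.UUID(key_id)), str(uuid.UUID(job_config_id))
    body = {"job_config_id": job_config_id,
            "auto_rotate_disable_encrypt": bool(disable_encrypt)}
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/cckm/aws/keys/{key_id}/enable-rotation-job",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST")

def send(request, ca_file=None):
    """Send with TLS verification on (unlike curl -k); ca_file is a private CA bundle."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=ctx, timeout=30) as resp:
        return json.load(resp)

def rotation_job_problems(resp, key_id, job_config_id, disable_encrypt):
    """List mismatches between the request and the labels in the response."""
    labels = resp.get("labels") or {}
    problems = []
    if resp.get("id") != key_id:
        problems.append("response is for a different key")
    if labels.get("job_config_id") != job_config_id:
        problems.append("job_config_id label does not match")
    # The page's response reports the flag as the string "true"; the value for
    # a false flag is not shown, so absent or "false" is accepted (assumption).
    flag = labels.get("disable_encrypt_on_auto_rotate", "false")
    if flag != ("true" if disable_encrypt else "false"):
        problems.append("disable_encrypt_on_auto_rotate label does not match")
    return problems

# Constructed sample: the fields this check reads, copied from the Example Response.
SAMPLE = {"id": "f36e8dbb-0259-4c61-a35f-d74b6d39effc",
          "labels": {"disable_encrypt_on_auto_rotate": "true",
                     "job_config_id": "b080efd5-946f-4d59-b6e4-11ba362d9c98"}}

if __name__ == "__main__":
    print(rotation_job_problems(SAMPLE, SAMPLE["id"],
                                "b080efd5-946f-4d59-b6e4-11ba362d9c98", True))
```

An empty list from rotation_job_problems means the response confirms the job configuration and the encryption flag that were sent.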

Response Codes

| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |

Refer to HTTP status codes for details.