Policy Template Management APIs

A default policy template is attached to AWS keys. With CCKM, you can create and attach custom policy templates to AWS keys. This section describes the CCKM policy template management APIs for AWS.

Creating Policy Templates

Use the post /v1/cckm/aws/templates API to create an AWS key policy template on CCKM. When creating a key policy template, you can specify policy parameters according to your requirements.

When a policy template is created, its status is unverified. A policy template can only be verified when it is applied to a key (during its creation). If the policy template is incorrect, the key creation fails.

To create a policy template, you must have the keycreate, keyupload, hyokkeycreate, or cloudhsmkeycreate permission.

Syntax

curl -k '<IP>/api/v1/cckm/aws/templates' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "kms": "<kms-name>",\n  "key_users": ["<key-user>"]\n}' --compressed

Request Parameters

Parameter Type Description
AUTHTOKEN string Authorization token.
kms string Name or ID of the KMS.
name string Name for the policy template.
policy JSON Key policy attached to the key. Refer to Using key policies in AWS KMS for details.
external_accounts array of strings AWS accounts that can use this key.
key_admins array of strings IAM users who can administer this key using the KMS API.
key_admins_roles array of strings IAM roles that can administer this key using the KMS API.
key_users array of strings IAM users who can use this key in cryptographic operations.
key_users_roles array of strings IAM roles that can use the CMK in cryptographic operations.

Specify either policy or any combination of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts; policy cannot be combined with the other parameters. If no parameters are specified, the default policy is used.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "kms": "kms",\n  "key_users": ["aws-user"]\n}' --compressed

Example Response

{
    "id": "6b9f2043-0a99-4041-a62d-4f6eaa408fb5",
    "name": "demo-policy-template",
    "uri": "kylo:kylo:cckm:aws-template:642aafda",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2021-05-17T11:01:08.226051365Z",
    "updatedAt": "2021-05-17T11:01:08.218122217Z",
    "key_users": [
        "aws-user"
    ],
    "key_users_roles": [
        "iam-role"
    ],
    "key_admins": [
        "aws-user"
    ],
    "key_admins_roles": [
        "iam-role"
    ],
    "external_accounts": null,
    "policy": {
        "Id": "key-consolepolicy-3",
        "Version": "2012-10-17",
        "Statement": 
        [
            {
                "Sid": "Enable IAM UserName Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::123456789012:root"
                    ]
                },
                "Action": [
                    "kms:*"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow access for Key Administrators",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::123456789012:user/aws-user",
                        "arn:aws:iam::123456789012:role/iam-role"
                    ]
                },
                "Action": [
                    "kms:Create*",
                    "kms:Describe*",
                    "kms:Enable*",
                    "kms:List*",
                    "kms:Put*",
                    "kms:Update*",
                    "kms:Revoke*",
                    "kms:Disable*",
                    "kms:Get*",
                    "kms:Delete*",
                    "kms:TagResource",
                    "kms:UntagResource",
                    "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::123456789012:user/aws-user",
                        "arn:aws:iam::123456789012:role/iam-role"
                    ]
                },
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow attachment of persistent resources",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::123456789012:user/aws-user",
                        "arn:aws:iam::123456789012:role/iam-role"
                    ]
                },
                "Action": [
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant"
                ],
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "kms:GrantIsForAWSResource": "true"
                    }
                }
            }
        ]
    },
    "kms_name": "aws-kms",
    "kms": "3ed28894-b9f8-4c5e-bc26-daed0c3bda26",
    "account_id": 123456789012,
    "cloud": "aws",
    "is_verified": false
}

The sample output shows that an AWS key policy template with the unique ID 6b9f2043-0a99-4041-a62d-4f6eaa408fb5 has been created on CCKM.

In the output, "is_verified": false shows that the template is not yet used by a key and its status is unverified.

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.

Viewing the Policy Templates

Use the get /v1/cckm/aws/templates API to get the list of AWS key policy templates. The results can be filtered using the query parameters.

To view policy templates, you must have the view, viewnative, viewbyok, or viewhyokkey permission.

Syntax

curl -k '<IP>/api/v1/cckm/aws/templates?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer AUTHTOKEN' --compressed

Request Parameters

Parameter Type Description
AUTHTOKEN string Authorization token.

Request Query Parameters

Parameter Type Description
id string ID of the policy template.
name string Name of the policy template.
kms_name string Name or ID of the KMS.
account_id string ID of the AWS KMS account.
cloud string Name of the AWS cloud.
is_verified string Whether the template is verified.
skip integer Number of records to skip. For example, if skip=5 is specified, the first five records are not displayed in the output.
limit integer Number of records to display. For example, if limit=10 is specified, the next 10 records (after skipping the number of records specified in the skip parameter) are displayed in the output.
sort string Comma-delimited list of properties to sort the results.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiMzUwZGQzOS1lNmEzLTQzNmItYjcyNi05YjlmNmNkMzVjZjciLCJzdWIiOiJsb2NhbHw4YTQ1MGNjZS02MGY4LTQxZTYtYTZkNS0xMTVkNDYzNDk5ZjUiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDk0NGUzZjctYzcyNi00YTQ1LThjY2YtMDk5ZTg0Zjg1NzU2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjNjMmFlMjA1LTYzZjMtNDgxNS1iYWVjLWU1NDBmOTE2ZTU1YSIsImlhdCI6MTYyMjE4NzgyMywiZXhwIjoxNjIyMTg4MTIzfQ.d2rAAQI-VP_xObiBDLCUh8A7M1LUxZhVfnIk87_3fIU' --compressed

Example Response

{
    "skip": 0,
    "limit": 10,
    "total": 2,
    "resources": [
        {
            "id": "6b9f2043-0a99-4041-a62d-4f6eaa408fb5",
            "name": "demo-policy-template-1",
            "uri": "kylo:kylo:cckm:aws-template:8e104422",
            "account": "kylo:kylo:admin:accounts:kylo",
            "application": "ncryptify:gemalto:admin:apps:kylo",
            "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
            "createdAt": "2021-05-20T03:22:06.715624Z",
            "updatedAt": "2021-05-20T03:22:06.714583Z",
            "key_users": [
                "aws-user"
            ],
            "key_admins": [
                "aws-user"
            ],
            "policy": {
                "Id": "key-consolepolicy-3",
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Sid": "Enable IAM UserName Permissions",
                        "Action": [
                            "kms:*"
                        ],
                        "Effect": "Allow",
                        "Resource": "*",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::123456789012:root"
                            ]
                        }
                    },
                    {
                        "Sid": "Allow access for Key Administrators",
                        "Action": [
                            "kms:Create*",
                            "kms:Describe*",
                            "kms:Enable*",
                            "kms:List*",
                            "kms:Put*",
                            "kms:Update*",
                            "kms:Revoke*",
                            "kms:Disable*",
                            "kms:Get*",
                            "kms:Delete*",
                            "kms:TagResource",
                            "kms:UntagResource",
                            "kms:ScheduleKeyDeletion",
                            "kms:CancelKeyDeletion"
                        ],
                        "Effect": "Allow",
                        "Resource": "*",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::123456789012:user/aws-user"
                            ]
                        }
                    },
                    {
                        "Sid": "Allow use of the key",
                        "Action": [
                            "kms:Encrypt",
                            "kms:Decrypt",
                            "kms:ReEncrypt*",
                            "kms:GenerateDataKey*",
                            "kms:DescribeKey"
                        ],
                        "Effect": "Allow",
                        "Resource": "*",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::123456789012:user/aws-user"
                            ]
                        }
                    },
                    {
                        "Sid": "Allow attachment of persistent resources",
                        "Action": [
                            "kms:CreateGrant",
                            "kms:ListGrants",
                            "kms:RevokeGrant"
                        ],
                        "Effect": "Allow",
                        "Resource": "*",
                        "Condition": {
                            "Bool": {
                                "kms:GrantIsForAWSResource": "true"
                            }
                        },
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::123456789012:user/aws-user"
                            ]
                        }
                    }
                ]
            },
            "kms_name": "aws-kms",
            "kms": "3ed28894-b9f8-4c5e-bc26-daed0c3bda26",
            "account_id": 123456789012,
            "cloud": "aws",
            "is_verified": false
        },
        {
            "id": "6b9f2043-0a99-4041-a62d-4f6eaa408fb6",
            "name": "demo-policy-template-2",
            "uri": "kylo:kylo:cckm:aws-template:e53f41eb",
            "account": "kylo:kylo:admin:accounts:kylo",
            "application": "ncryptify:gemalto:admin:apps:kylo",
            "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
            "createdAt": "2021-05-20T03:19:15.369859Z",
            "updatedAt": "2021-05-20T03:19:15.364818Z",
            "key_admins": [
                "aws-user"
            ],
            "key_admins_roles": [
                "iam-role"
            ],
            "key_users": [
                "aws-user"
            ],
            "key_users_roles": [
                "iam-role"
            ],
            "policy": {
                "Id": "key-consolepolicy-3",
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Sid": "Enable IAM UserName Permissions",
                        "Action": [
                            "kms:*"
                        ],
                        "Effect": "Allow",
                        "Resource": "*",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::123456789012:root"
                            ]
                        }
                    },
                    {
                        "Sid": "Allow access for Key Administrators",
                        "Action": [
                            "kms:Create*",
                            "kms:Describe*",
                            "kms:Enable*",
                            "kms:List*",
                            "kms:Put*",
                            "kms:Update*",
                            "kms:Revoke*",
                            "kms:Disable*",
                            "kms:Get*",
                            "kms:Delete*",
                            "kms:TagResource",
                            "kms:UntagResource",
                            "kms:ScheduleKeyDeletion",
                            "kms:CancelKeyDeletion"
                        ],
                        "Effect": "Allow",
                        "Resource": "*",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::123456789012:user/aws-user",
                                "arn:aws:iam::123456789012:role/iam-role"
                            ]
                        }
                    },
                    {
                        "Sid": "Allow use of the key",
                        "Action": [
                            "kms:Encrypt",
                            "kms:Decrypt",
                            "kms:ReEncrypt*",
                            "kms:GenerateDataKey*",
                            "kms:DescribeKey"
                        ],
                        "Effect": "Allow",
                        "Resource": "*",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::123456789012:user/aws-user",
                                "arn:aws:iam::123456789012:role/iam-role"
                            ]
                        }
                    },
                    {
                        "Sid": "Allow attachment of persistent resources",
                        "Action": [
                            "kms:CreateGrant",
                            "kms:ListGrants",
                            "kms:RevokeGrant"
                        ],
                        "Effect": "Allow",
                        "Resource": "*",
                        "Condition": {
                            "Bool": {
                                "kms:GrantIsForAWSResource": "true"
                            }
                        },
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::123456789012:user/aws-user",
                                "arn:aws:iam::123456789012:role/iam-role"
                            ]
                        }
                    }
                ]
            },
            "kms_name": "aws-kms",
            "kms": "3ed28894-b9f8-4c5e-bc26-daed0c3bda26",
            "account_id": 123456789012,
            "cloud": "aws",
            "is_verified": false
        }
    ]
}

The sample output shows two AWS key policy templates.

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.

Viewing Details of a Policy Template

Use the get /v1/cckm/aws/templates/{id} API to view the details of an AWS key policy template. When a template is created, the API shows "is_verified": false.

When you apply a template while creating an AWS key:

  • If the key is created or uploaded successfully, the template status changes to verified, and the template cannot be modified. It is indicated by "is_verified": true.

  • If the key creation fails, the template status remains "is_verified": false.

To view policy templates, you must have the view, viewnative, viewbyok, or viewhyokkey permission.

Syntax

curl -k '<IP>/api/v1/cckm/aws/templates/{id}' -H 'Authorization: Bearer AUTHTOKEN' --compressed

Here, {id} represents the ID of the policy template.

Request Parameter

Parameter Type Description
AUTHTOKEN string Authorization token.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates/6b9f2043-0a99-4041-a62d-4f6eaa408fb5' -H 'Authorization: Bearer AUTHTOKEN' --compressed

Example Response

{
    "id": "6b9f2043-0a99-4041-a62d-4f6eaa408fb5",
    "name": "demo-policy-template",
    "uri": "kylo:kylo:cckm:aws-template:642aafda",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2021-05-17T11:01:08.226051365Z",
    "updatedAt": "2021-05-17T11:01:08.218122217Z",
    "key_users": [
        "aws-user"
    ],
    "key_admins": [
        "aws-user"
    ],
    "external_accounts": null,
    "policy": {
        "Id": "key-consolepolicy-3",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM UserName Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::123456789012:root"
                    ]
                },
                "Action": [
                    "kms:*"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::123456789012:user/aws-user",
                        "arn:aws:iam::123456789012:role/iam-role"
                    ]
                },
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow attachment of persistent resources",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::123456789012:user/aws-user",
                        "arn:aws:iam::123456789012:role/iam-role"
                    ]
                },
                "Action": [
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant"
                ],
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "kms:GrantIsForAWSResource": "true"
                    }
                }
            }
        ]
    },
    "kms_name": "aws-kms",
    "kms": "3ed28894-b9f8-4c5e-bc26-daed0c3bda26",
    "account_id": 123456789012,
    "cloud": "aws",
    "is_verified": true
}

The sample output shows the details of the policy template with the ID 6b9f2043-0a99-4041-a62d-4f6eaa408fb5. In the output, "is_verified": true shows that the template has been applied to an AWS key and can no longer be modified.

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.

Updating Policy Templates

Use the patch /v1/cckm/aws/templates/{id} API to update an AWS key policy template on CCKM. When updating a key policy template, you can modify policy parameters according to your requirements.

  • An unverified template remains unverified after update.

  • A verified but not in-use template turns unverified after update.

  • When you try to update a verified and in-use template, changes are pushed to all the associated keys and the template remains verified. To ensure the changes are pushed, the auto_push parameter must be set to true.

To update a policy template, you must have the keyupdate permission.

Syntax

curl -k '<IP>/api/v1/cckm/aws/templates/{id}' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "kms": "<kms-name>",\n  "external_accounts": ["<external-account>"],\n  "key_admins": ["<key-admin>"],\n  "key_admins_roles": ["<key-admin-role>"],\n  "key_users": ["<key-user>"],\n  "key_users_roles": ["<key-user-role>"],\n  "policy": {<key-policy>},\n  "auto_push": <false|true>\n}' --compressed

Here, {id} represents the ID of the policy template.

Request Parameters

Parameter Type Description
AUTHTOKEN string Authorization token.
kms string Name or ID of the KMS.
external_accounts array of strings AWS accounts that can use this policy template.
key_admins array of strings IAM users who can administer this policy template using the KMS API.
key_admins_roles array of strings IAM roles that can administer this policy template using the KMS API.
key_users array of strings IAM users who can use this policy template in cryptographic operations.
key_users_roles array of strings IAM roles that can use the CMK in cryptographic operations.
policy JSON Policy to be attached to the template.
auto_push boolean Pushes the verified policy template to all the associated keys. When updating a 'verified' policy template, auto_push must be set to true.

Specify either policy or any combination of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts; policy cannot be combined with the other parameters. If no parameters are specified, the default policy is used.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates/6b9f2043-0a99-4041-a62d-4f6eaa408fb5' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "kms": "kms",\n  "policy": {<key-policy>}\n}' --compressed

Example Response

{
    "id": "6b9f2043-0a99-4041-a62d-4f6eaa408fb5",
    "name": "demo-policy-template",
    "uri": "kylo:kylo:cckm:aws-template:8e104422",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2021-05-20T03:22:06.715624Z",
    "updatedAt": "2021-05-20T03:22:06.714583Z",
    "key_users": [
        "aws-user"
    ],
    "key_admins": [
        "aws-user"
    ],
    "policy": {
        "Id": "key-consolepolicy-3",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM UserName Permissions",
                "Action": [
                    "kms:*"
                ],
                "Effect": "Allow",
                "Resource": "*",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::123456789012:root"
                    ]
                }
            },
            {
                "Sid": "Allow access for Key Administrators",
                "Action": [
                    "kms:Create*",
                    "kms:Describe*",
                    "kms:Enable*",
                    "kms:List*",
                    "kms:Put*",
                    "kms:Update*",
                    "kms:Revoke*",
                    "kms:Disable*",
                    "kms:Get*",
                    "kms:Delete*",
                    "kms:TagResource",
                    "kms:UntagResource",
                    "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"
                ],
                "Effect": "Allow",
                "Resource": "*",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::123456789012:user/aws-user"
                    ]
                }
            },
            {
                "Sid": "Allow use of the key",
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                ],
                "Effect": "Allow",
                "Resource": "*",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::123456789012:user/aws-user"
                    ]
                }
            },
            {
                "Sid": "Allow attachment of persistent resources",
                "Action": [
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant"
                ],
                "Effect": "Allow",
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "kms:GrantIsForAWSResource": "true"
                    }
                },
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::123456789012:user/aws-user"
                    ]
                }
            }
        ]
    },
    "kms_name": "aws-kms",
    "kms": "3ed28894-b9f8-4c5e-bc26-daed0c3bda26",
    "account_id": 123456789012,
    "cloud": "aws",
    "is_verified": true,
    "job_id": "8e2c8400-be19-4da7-80b9-9beb51e03650",
    "job_status": "in_progress"
}

The sample output shows that the AWS key policy template with the ID 6b9f2043-0a99-4041-a62d-4f6eaa408fb5 has been updated.

In the output, "is_verified": true shows that the template is verified. When a verified template is updated, a new scheduler job is created to push the change to the associated keys; its ID is returned in "job_id" and its current state in "job_status". You can track the job using its "job_id".
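The following Python is an added example, not part of CCKM or its documentation. It consumes the template JSON returned by the create and detail APIs above (the sample below is a constructed, trimmed copy of this page's create-template response), checks that every Allow statement in the embedded key policy names only principals the template itself declares (key_users, key_admins, their role variants and external_accounts, plus the account root), and builds the PATCH body for an update, setting auto_push to true whenever the template is already verified, as the update rules above require.

```python
"""Audit a CCKM AWS key policy template before applying it to a key.

Added example; not part of CCKM or its documentation. Works on the JSON
returned by GET /v1/cckm/aws/templates/{id} (shape copied from this page's
sample responses) and flags principals the template does not declare.
"""

# Constructed sample: a trimmed copy of the create-template response above.
SAMPLE_TEMPLATE = {
    "id": "6b9f2043-0a99-4041-a62d-4f6eaa408fb5",
    "name": "demo-policy-template",
    "key_users": ["aws-user"],
    "key_users_roles": ["iam-role"],
    "key_admins": ["aws-user"],
    "key_admins_roles": ["iam-role"],
    "external_accounts": None,
    "account_id": 123456789012,
    "is_verified": False,
    "policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM UserName Permissions", "Effect": "Allow",
             "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]},
             "Action": ["kms:*"], "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": ["arn:aws:iam::123456789012:user/aws-user",
                                   "arn:aws:iam::123456789012:role/iam-role"]},
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*"},
        ],
    },
}


def statement_principals(stmt):
    """Return the AWS principals of one statement as a list of strings.
    Accepts "Principal": "*", {"AWS": "<arn>"} and {"AWS": [<arns>]}."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def expected_principals(tpl):
    """IAM ARNs that the template's own fields declare (account root included)."""
    acct = tpl["account_id"]
    users = (tpl.get("key_users") or []) + (tpl.get("key_admins") or [])
    roles = (tpl.get("key_users_roles") or []) + (tpl.get("key_admins_roles") or [])
    arns = {f"arn:aws:iam::{acct}:root"}
    arns |= {f"arn:aws:iam::{acct}:user/{u}" for u in users}
    arns |= {f"arn:aws:iam::{acct}:role/{r}" for r in roles}
    arns |= {f"arn:aws:iam::{a}:root" for a in tpl.get("external_accounts") or []}
    return arns


def audit_template(tpl):
    """Return findings as strings; an empty list means every Allow statement
    names only principals derived from the template's declared fields."""
    findings = []
    allowed = expected_principals(tpl)
    for stmt in tpl["policy"]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for p in statement_principals(stmt):
            if p == "*":
                findings.append(f"{sid}: wildcard principal grants {stmt.get('Action')} to anyone")
            elif p not in allowed:
                findings.append(f"{sid}: principal {p} is not declared by the template")
    return findings


def update_payload(tpl, **changes):
    """Build the PATCH body for /v1/cckm/aws/templates/{id}.
    A verified template can only be updated with auto_push set to true (the
    change is pushed to every key using it), so derive it from is_verified."""
    body = dict(changes)
    if tpl.get("is_verified"):
        body["auto_push"] = True
    return body
```

Run audit_template on the response of the detail API before a template is applied to a key: once "is_verified" is true the template can no longer be changed, so that is the last point at which an over-broad principal is cheap to correct.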

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.

Deleting a Policy Template

Use the delete /v1/cckm/aws/templates/{id} API to delete an AWS key policy template.

An unverified policy template can be deleted directly. However, if a template is verified and in use by a key (applied to a key), it cannot be deleted.

To delete a policy template, you must have the keydelete, hyokkeydelete, or cloudhsmkeydelete permission.

Syntax

curl -k '<IP>/api/v1/cckm/aws/templates/{id}' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed

Here, {id} represents the ID of the policy template.

Request Parameter

Parameter Type Description
AUTHTOKEN string Authorization token.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/aws/templates/6b9f2043-0a99-4041-a62d-4f6eaa408fb5' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed

Example Response

{
    "status": 204
}

The policy template with the ID 6b9f2043-0a99-4041-a62d-4f6eaa408fb5 is deleted.

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.