Vault Management APIs

This chapter describes how CCKM manages Azure vaults.

Prerequisites

An Azure connection must already exist on the CipherTrust Manager. Refer to the CipherTrust Manager Administrator Guide for details on adding an Azure connection to the CipherTrust Manager.

Use the Azure vault management APIs to perform the following tasks:
• Fetching List of Vaults from Azure
• Fetching List of Managed HSM Vaults from Azure
• Adding Azure Vaults
• Removing Azure Vaults
• Fetching List of Azure Vaults from CCKM
• Viewing Details of Azure Vaults
• Updating Azure Vaults
• Managing User Permissions on Azure Vaults

Fetching List of Vaults from Azure

Use the post /v1/cckm/azure/get-vaults API to fetch the list of vaults from Azure.

Syntax

curl -k '<IP>/api/v1/cckm/azure/get-vaults' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "subscription_id":"<subscription_id>",\n "connection": "<connection identifier>",\n "limit":<limit>\n}' --compressed

Request Parameters

Parameter Type Description
AUTHTOKEN string Authorization token.
connection string Name or ID of the connection. The connection must be the one associated with the key vault.
subscription_id string Subscription ID of the vault.
limit integer Number of vaults to view. The default value is 10 and maximum value is 1000.
nextLink string Link to the remaining vaults in the list. The page size is the limit you set in the first request. For example, if there are 20 vaults and you set the limit to 11, use nextLink to view the remaining 9 vaults.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/azure/get-vaults' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "subscription_id": "f716c603-f206-43ed-bb39-758d9d3aa052",\n  "connection": "azure-connection",\n  "limit": 2\n}' --compressed

Example Response

{
"vaults": [
    {
        "name": "vault-v1",
        "azure_vault_id": "/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052/resourceGroups/key-vault/providers/Microsoft.KeyVault/vaults/vault-v1",
        "type": "Microsoft.KeyVault/vaults",
        "location": "westus",
        "properties": {
            "tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
            "sku": {
                "family": "A",
                "name": "standard"
            },
            "vaultUri": "https://vault-v1.vault.azure.net/",
            "enabledForDeployment": true,
            "enabledForDiskEncryption": true,
            "enabledForTemplateDeployment": true
        }
    },
    {
        "name": "vault-v10-has-long-name",
        "azure_vault_id": "/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052/resourceGroups/key-vault/providers/Microsoft.KeyVault/vaults/vault-v10-has-long-name",
        "type": "Microsoft.KeyVault/vaults",
        "location": "westus",
        "properties": {
            "tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
            "sku": {
                "family": "A",
                "name": "standard"
            },
            "vaultUri": "https://vault-v10-has-long-name.vault.azure.net/",
            "enabledForDeployment": true,
            "enabledForDiskEncryption": true,
            "enabledForTemplateDeployment": true
        }
    }
],
"connection": "azure-connection",
"subscription_id": "f716c603-f206-43ed-bb39-758d9d3aa052",
"nextLink": "https://management.azure.com/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052/resources?%24filter=resourceType+eq+%27Microsoft.KeyVault%2fvaults%27&%24top=2&api-version=2015-11-01&%24skiptoken=eyJuZXh0UGFydGl0aW9uS2V5IjoiMSE4IU5VSTRNelUtIiwibmV4dFJvd0tleSI6IjEhMTMyIU1qWXdSVU5DUlRjM056ZENORVF6UXpnMFJVRTRPRGMyTWpBME9UZzROak5mVkVkT1RDMU5TVU5TVDFOUFJsUTZNa1ZMUlZsV1FWVk1WRG95UmxaQlZVeFVVeTFCUVVSV1FVdzZNa1JTUnkxQlFVUldRVXc2TWtSV01pMVhSVk5VVlZNLSJ9"
}

The sample output displays the list of Azure vaults associated with the Subscription ID (f716c603-f206-43ed-bb39-758d9d3aa052).

To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.

Fetching List of Managed HSM Vaults from Azure

Use the post /v1/cckm/azure/get-managed-hsms API to fetch the list of managed HSM vaults from Azure.

Syntax

curl -k '<IP>/api/v1/cckm/azure/get-managed-hsms' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "subscription_id":"<subscription_id>",\n "connection": "<connection identifier>",\n "limit":<limit>\n}' --compressed

Request Parameters

Parameter Type Description
AUTHTOKEN string Authorization token.
connection string Name or ID of the connection. The connection must be the one associated with the managed HSM vault.
subscription_id string Subscription ID of the managed HSM vault.
limit integer Number of vaults to view. The default value is 10 and maximum value is 1000.
nextLink string Link to the remaining vaults in the list. The page size is the limit you set in the first request. For example, if there are 20 vaults and you set the limit to 11, use nextLink to view the remaining 9 vaults.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/azure/get-managed-hsms' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "subscription_id": "bb03157e-7aff-421b-a01d-267f9613f462",\n  "connection": "azure-connection",\n  "limit": 2\n}' --compressed

Example Response

{
  "vaults": [
    {
      "name": "vault-name",
      "azure_vault_id": "/subscriptions/bb03157e-7aff-421b-a01d-267f9613f462/resourceGroups/CCKM-resource/providers/Microsoft.KeyVault/managedHSMs/vault-name",
      "type": "Microsoft.KeyVault/managedHSMs",
      "location": "eastus2",
      "properties": {
        "tenantId": "2b0913e6-2c7b-45b8-8c56-c5e2e4ed27bf",
        "sku": {
          "family": "B",
          "name": "Standard_B1"
        },
        "vaultUri": "https://vault-name.managedhsm.azure.net/",
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 7
      }
    }
  ],
  "connection": "azure-connection",
  "subscription_id": "bb03157e-7aff-421b-a01d-267f9613f462"
}

Adding Azure Vaults

Use the post /v1/cckm/azure/add-vaults API to add an Azure vault to the CCKM. After the vault is added, the CCKM can access and manage it.

Syntax

curl -k '<IP>/api/v1/cckm/azure/add-vaults' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "subscription_id": "<subscription_id>",\n  "connection": "<connection_identifier>",\n  "vaults": [\n    {\n      "name": "<vault_name>",\n      "azure_vault_id": "<vault_id>",\n      "type": "<vault_type>",\n      "location": "<location>",\n      "properties": {\n        "tenantId": "<tenant_id>",\n        "sku": {\n          "family": "<family>",\n          "name": "<name>"\n        },\n        "vaultUri": "<vault_uri>",\n        "enabledForDeployment": <boolean>,\n        "enabledForDiskEncryption": <boolean>,\n        "enabledForTemplateDeployment": <boolean>\n      }\n    }\n  ]\n}' --compressed

Request Parameters

Parameter Type Description
AUTHTOKEN string Authorization token.
connection string Name or ID of the connection.
subscription_id string Azure subscription ID.
vaults array of JSONs Azure vault parameters. Refer to Azure Vault Parameters for details.

Azure Vault Parameters

Parameter Type Description
azure_vault_id string ID of the Azure vault.
location string Location of the Azure vault.
name string Name for the vault.
properties JSON Properties of the Azure vault. Refer to Vault Properties for details.
type string Type of the Azure vault: non-managed or managed HSM. Managed HSMs only support HSM-protected keys.
tags JSON Tags for the Azure vault.

Vault Properties

Parameter Type Description
createMode string The vault's create mode, indicating whether the vault needs to be recovered. Possible values are:
• CreateModeRecover
• CreateModeDefault
enablePurgeProtection boolean Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion.
The setting is effective only if soft delete is also enabled.
Enabling this functionality is irreversible - that is, the property does not accept false as its value.
enableRbacAuthorization boolean Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions.
enableSoftDelete boolean Property to specify whether the soft delete functionality is enabled for this key vault. It does not accept the value false.
enabledForDeployment boolean Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
enabledForDiskEncryption boolean Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
enabledForTemplateDeployment boolean Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
sku JSON sku details of the Azure vault. Refer to SKU Details for details.
softDeleteRetentionInDays integer Soft delete data retention days. It accepts value >=7 and <=90.
tenantId string The Azure Active Directory tenant ID that is used for authenticating requests to the key vault.
vaultUri string The URI of the Azure vault for performing operations on keys and secrets.

SKU Details

Parameter Type Description
family string SKU family name of the Azure vault.
name string SKU name to specify whether the key vault is a standard vault or a premium vault.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/azure/add-vaults' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "subscription_id": "f716c603-f206-43ed-bb39-758d9d3aa052",\n  "connection": "azure-connection",\n  "vaults": [\n    {\n      "name": "vault-v1",\n      "azure_vault_id": "/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052/resourceGroups/key-vault/providers/Microsoft.KeyVault/vaults/vault-v1",\n      "type": "Microsoft.KeyVault/vaults",\n      "location": "westus",\n      "properties": {\n        "tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",\n        "sku": {\n          "family": "A",\n          "name": "standard"\n        },\n        "vaultUri": "https://vault-v1.vault.azure.net/",\n        "enabledForDeployment": true,\n        "enabledForDiskEncryption": true,\n        "enabledForTemplateDeployment": true\n      }\n    }\n  ]\n}' --compressed

Example Response

{
"id": "75e916da-1f31-4c9d-b3d8-04f52c268a0a",
"uri": "kylo:kylo:cckm:subscription:75e916da-1f31-4c9d-b3d8-04f52c268a0a",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-09T09:00:43.167607Z",
"updatedAt": "2020-11-09T09:13:19.116352114Z",
"subscription_id": "f716c603-f206-43ed-bb39-758d9d3aa052",
"subscription_uri": "/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052",
"displayName": "Pay-As-You-Go",
"state": "Enabled",
"subscriptionPolicies": {
    "quotaId": "PayAsYouGo_2014-09-01",
    "spendingLimit": "Off",
    "locationPlacementId": "Public_2014-09-01"
},
"authorizationSource": "RoleBased",
"connection": "azure-connection",
"vaults": [
    {
        "name": "vault-v1::f716c603-f206-43ed-bb39-758d9d3aa052",
        "azure_vault_id": "/subscriptions/f716c603-f206-43ed-bb39-758d9d3aa052/resourceGroups/key-vault/providers/Microsoft.KeyVault/vaults/vault-v1",
        "type": "Microsoft.KeyVault/vaults",
        "location": "westus",
        "properties": {
            "tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
            "sku": {
                "family": "A",
                "name": "standard"
            },
            "vaultUri": "https://vault-v1.vault.azure.net/",
            "enabledForDeployment": true,
            "enabledForDiskEncryption": true,
            "enabledForTemplateDeployment": true
        }
    }
]
}

The sample output shows that the vault named vault-v1 is added to CCKM.

To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.
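The two calls above form one workflow: page through get-vaults with limit and nextLink until the subscription is exhausted, pick the vaults you want CCKM to manage, and send them to add-vaults. The following is an added example and is not Thales code. It assumes a callable post(path, body) that POSTs JSON to /api/v1/cckm/azure/<path> on the CipherTrust Manager with the Bearer token and returns the decoded response; the in-memory fake server, the sample vault data and the placeholder subscription ID are constructed for this example so it runs offline.

```python
"""Discover Azure vaults through CCKM's get-vaults endpoint and onboard a subset."""

GET_VAULTS = "get-vaults"
ADD_VAULTS = "add-vaults"
# Fields the Azure Vault Parameters table expects in each add-vaults entry.
REQUIRED_VAULT_FIELDS = ("name", "azure_vault_id", "type", "location", "properties")
MANAGED_HSM_TYPE = "Microsoft.KeyVault/managedHSMs"


def fetch_all_vaults(post, connection, subscription_id, limit=10, max_pages=1000):
    """Collect every vault in the subscription by following nextLink.

    The first request sets limit; each later request re-sends the same body plus
    the nextLink from the previous page, until no nextLink comes back. max_pages
    bounds the loop so a server that keeps returning a link cannot spin the client.
    """
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be between 1 and 1000")
    body = {"subscription_id": subscription_id, "connection": connection, "limit": limit}
    vaults, pages = [], 0
    for _ in range(max_pages):
        page = post(GET_VAULTS, body)
        pages += 1
        vaults.extend(page.get("vaults", []))
        next_link = page.get("nextLink")
        if not next_link:
            return vaults, pages
        body = {**body, "nextLink": next_link}
    raise RuntimeError(f"nextLink did not terminate within {max_pages} pages")


def build_add_vaults_request(connection, subscription_id, vaults, select=None):
    """Build the add-vaults body from get-vaults entries, optionally filtered.

    Each chosen entry is checked for the required fields client-side, so a
    malformed vault fails here instead of as a 4xx from the server.
    """
    chosen = [v for v in vaults if select is None or select(v)]
    for v in chosen:
        missing = [f for f in REQUIRED_VAULT_FIELDS if f not in v]
        if missing:
            raise ValueError(f"vault {v.get('name')!r} is missing {missing}")
    return {"subscription_id": subscription_id, "connection": connection, "vaults": chosen}


def sample_vaults(n, subscription_id):
    """Constructed sample data shaped like the page's get-vaults entries."""
    return [
        {
            "name": f"vault-v{i}",
            "azure_vault_id": (f"/subscriptions/{subscription_id}/resourceGroups/key-vault"
                               f"/providers/Microsoft.KeyVault/vaults/vault-v{i}"),
            # every fifth vault is a managed HSM, the rest are standard key vaults
            "type": MANAGED_HSM_TYPE if i % 5 == 0 else "Microsoft.KeyVault/vaults",
            "location": "westus" if i % 2 else "eastus2",
            "properties": {"sku": {"family": "A", "name": "standard"}},
        }
        for i in range(1, n + 1)
    ]


def make_fake_post(all_vaults):
    """In-memory stand-in for the two endpoints (constructed for this example)."""
    added = []

    def post(path, body):
        if path == GET_VAULTS:
            limit = int(body["limit"])
            # nextLink is opaque to a real client; this fake just encodes an offset in it
            start = int(body["nextLink"].rsplit("=", 1)[1]) if body.get("nextLink") else 0
            resp = {"vaults": all_vaults[start:start + limit],
                    "connection": body["connection"],
                    "subscription_id": body["subscription_id"]}
            if start + limit < len(all_vaults):
                resp["nextLink"] = f"https://management.azure.com/fake?offset={start + limit}"
            return resp
        if path == ADD_VAULTS:
            added.extend(body["vaults"])
            return {"connection": body["connection"], "vaults": body["vaults"]}
        raise KeyError(path)

    post.added = added
    return post


def onboard_westus_key_vaults(limit=11):
    """Walk a 20-vault subscription page by page and add only the westus standard vaults."""
    subscription = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real subscription
    post = make_fake_post(sample_vaults(20, subscription))
    vaults, pages = fetch_all_vaults(post, "azure-connection", subscription, limit=limit)
    request = build_add_vaults_request(
        "azure-connection", subscription, vaults,
        select=lambda v: v["location"] == "westus" and v["type"] != MANAGED_HSM_TYPE)
    post(ADD_VAULTS, request)
    return {"discovered": len(vaults), "pages": pages, "onboarded": len(post.added)}


if __name__ == "__main__":
    print(onboard_westus_key_vaults())
```

With limit=11 the 20 sample vaults arrive as a page of 11 followed by a page of 9, matching the nextLink description in the request parameters; the select callback keeps the vault list you onboard explicit rather than adding everything the connection can see.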

Removing Azure Vaults

Use the post /v1/cckm/azure/vaults/{id}/remove-vault API to remove an Azure vault from the CCKM.

Syntax

curl -k '<IP>/api/v1/cckm/azure/vaults/{id}/remove-vault' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed

Here, {id} represents the vault ID.

Request Parameter

Parameter Type Description
AUTHTOKEN string Authorization token.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/azure/vaults/543e3f50-aac1-4e07-8499-e5de03a22528/remove-vault' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImExMTZkZWEwLTk0YWUtNDgyNi05MjI4LWI4ZjgwNWM3YjYxYyIsImlhdCI6MTYwMTQ1OTk0OCwiZXhwIjoxNjAxNDYwMjQ4fQ.s1obwpA_ZgDbd8wCO2CXyvbUlZ8AvZ9cgipyfOmksuI' --compressed

Example Response

{
    "status": 204
}

The sample output shows that the vault (with ID 543e3f50-aac1-4e07-8499-e5de03a22528) is removed from the CCKM and "status": 204 is returned in the response.

To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.

Fetching List of Azure Vaults from CCKM

Use the get /v1/cckm/azure/vaults API to fetch the list of Azure vaults that already exist on the CCKM. The results can be filtered using the query parameters.

Syntax

curl -k '<IP>/api/v1/cckm/azure/vaults?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer AUTHTOKEN' --compressed

Request Parameter

Parameter Type Description
AUTHTOKEN string Authorization token.

Request Query Parameters

Parameter Type Description
name string Name of the Azure vault.
location string Location of the Azure vault.
id string ID of the key vault.
subscription_id string ID of the Azure vault subscription.
cloud_name string Name of the cloud.
subscription_name string Name of the Azure subscription.
type string Type of the Azure vault: non-managed or managed HSM.
skip integer Number of records to skip. For example, if "skip":5 is specified, the first five records are not displayed in the output.
limit integer Number of records to display. For example, if "limit":10 is specified, the next 10 records (after skipping the number of records specified in the skip parameter) are displayed in the output.
sort string Comma-delimited list of properties to sort the results by.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/azure/vaults?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImExMTZkZWEwLTk0YWUtNDgyNi05MjI4LWI4ZjgwNWM3YjYxYyIsImlhdCI6MTYwMTQ1OTk0OCwiZXhwIjoxNjAxNDYwMjQ4fQ.s1obwpA_ZgDbd8wCO2CXyvbUlZ8AvZ9cgipyfOmksuI' --compressed

Example Response

{
    "resources": [
        {
            "id": "543e3f50-aac1-4e07-8499-e5de03a22528",
            "uri": "kylo:kylo:cckm:azure-vault:keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
            "account": "kylo:kylo:admin:accounts:kylo",
            "application": "ncryptify:gemalto:admin:apps:kylo",
            "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
            "createdAt": "2020-09-30T09:59:12.030403Z",
            "name": "keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
            "updatedAt": "2020-09-30T09:59:12.030403Z",
            "azure_vault_id": "/subscriptions/12e533dd-b5c2-4e58-a264-0cd812dc5a34/resourceGroups/CCKM-resource/providers/Microsoft.KeyVault/vaults/keyvault-premium",
            "type": "Microsoft.KeyVault/vaults",
            "location": "northcentralus",
            "connection": "azure-connection",
            "cloud_name": "AzureCloud",
            "subscription_id": "12e533dd-b5c2-4e58-a264-0cd812dc5a34",
            "azure_name": "keyvault-premium",
            "synced_at": "2020-09-30T09:59:11.991824Z",
            "subscription_name": "Pay-As-You-Go",
            "properties": {
                "tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
                "sku": {
                    "family": "A",
                    "name": "premium"
                },
                "vaultUri": "https://keyvault-premium.vault.azure.net/"
            }
        },
        {
            "id": "bedb82b9-582c-402d-9874-f3368722cf46",
            "uri": "kylo:kylo:cckm:azure-vault:keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
            "account": "kylo:kylo:admin:accounts:kylo",
            "application": "ncryptify:gemalto:admin:apps:kylo",
            "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
            "createdAt": "2020-09-30T09:59:12.034062Z",
            "name": "keyvault-softkeys::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
            "updatedAt": "2020-09-30T09:59:12.034062Z",
            "azure_vault_id": "/subscriptions/12e533dd-b5c2-4e58-a264-0cd812dc5a34/resourceGroups/CCKM-resource/providers/Microsoft.KeyVault/vaults/keyvault-softkeys",
            "type": "Microsoft.KeyVault/vaults",
            "location": "northcentralus",
            "connection": "azure-connection",
            "cloud_name": "AzureCloud",
            "subscription_id": "12e533dd-b5c2-4e58-a264-0cd812dc5a34",
            "azure_name": "keyvault-softkeys",
            "synced_at": "2020-09-30T09:59:11.991883Z",
            "subscription_name": "Pay-As-You-Go",
            "properties": {
                "tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
                "sku": {
                    "family": "A",
                    "name": "Standard"
                },
                "vaultUri": "https://keyvault-softkeys.vault.azure.net/",
                "enableSoftDelete": true
            }
        }
    ]
}

The sample output shows the list of vaults.

To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.
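Listing vaults already on the CCKM uses offset paging (skip and limit) plus filter and sort query parameters, which is a different mechanism from the nextLink continuation used when fetching from Azure. The following added example, not Thales code, builds the query string, rejects filter names the endpoint does not document, and walks the list until a short page signals the end. It assumes a callable get(path_and_query) that performs GET /api/v1/cckm/azure/<path_and_query> with the Bearer token and returns the decoded JSON, and it assumes the records are returned under a "resources" key (a CipherTrust Manager list-response convention, treated here as an assumption). The fake endpoint and the sample records are constructed so the example runs offline.

```python
"""Offset paging and filtering for get /v1/cckm/azure/vaults."""
from urllib.parse import parse_qs, urlencode, urlsplit

VAULTS = "vaults"
# Filter parameters the Request Query Parameters table documents.
FILTER_PARAMS = ("name", "location", "id", "subscription_id", "cloud_name",
                 "subscription_name", "type")


def vault_query(skip=0, limit=10, sort="updatedAt", **filters):
    """Build the path and query string, refusing filters the endpoint does not list."""
    unknown = set(filters) - set(FILTER_PARAMS)
    if unknown:
        raise ValueError(f"unsupported query parameters: {sorted(unknown)}")
    params = {"skip": skip, "limit": limit, "sort": sort, **filters}
    return f"{VAULTS}?{urlencode(params)}"


def iter_cckm_vaults(get, limit=10, sort="updatedAt", **filters):
    """Yield every matching vault, advancing skip by limit until a short page arrives."""
    skip = 0
    while True:
        page = get(vault_query(skip=skip, limit=limit, sort=sort, **filters))
        records = page.get("resources", [])  # assumed list key
        yield from records
        if len(records) < limit:  # a short or empty page is the last one
            return
        skip += limit


def make_fake_get(records):
    """Constructed stand-in for the CCKM list endpoint: filter, sort, then slice."""
    def get(path_and_query):
        query = {k: v[0] for k, v in parse_qs(urlsplit(path_and_query).query).items()}
        skip, limit = int(query.pop("skip", 0)), int(query.pop("limit", 10))
        sort_key = query.pop("sort", "updatedAt")
        hits = [r for r in records if all(r.get(k) == v for k, v in query.items())]
        hits.sort(key=lambda r: r.get(sort_key, ""))
        return {"resources": hits[skip:skip + limit]}
    return get


def sample_records():
    """Constructed records shaped like the page's example response (values are made up)."""
    locations = ["northcentralus", "westus", "northcentralus", "eastus2", "westus"]
    return [
        {"id": f"id-{i}", "name": f"keyvault-{i}::sub", "location": loc,
         "type": "Microsoft.KeyVault/vaults", "cloud_name": "AzureCloud",
         "updatedAt": f"2020-09-30T09:59:1{i}Z"}
        for i, loc in enumerate(locations)
    ]


def northcentral_vault_names(limit=1):
    """Walk the sample list, filtered to northcentralus, one page of `limit` records at a time."""
    get = make_fake_get(sample_records())
    return [v["name"] for v in iter_cckm_vaults(get, limit=limit, location="northcentralus")]


if __name__ == "__main__":
    print(vault_query(skip=0, limit=10, sort="updatedAt", location="northcentralus"))
    print(northcentral_vault_names())
```

Stopping on a short page rather than on an empty one saves one round trip per listing, and validating filter names up front catches a misspelled parameter that the server would otherwise silently ignore, returning every vault instead of the subset you asked for.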

Viewing Details of Azure Vaults

Use the get /v1/cckm/azure/vaults/{id} API to view details of an Azure vault.

Syntax

curl -k '<IP>/api/v1/cckm/azure/vaults/{id}' -H 'Authorization: Bearer AUTHTOKEN' --compressed

Here, {id} is the vault ID.

Request Parameter

Parameter Type Description
AUTHTOKEN string Authorization token.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/azure/vaults/543e3f50-aac1-4e07-8499-e5de03a22528' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1MDIzNTY1Yy0xOWI3LTQyY2UtODZmMi1jNWI3MTA1MTJhZjMiLCJzdWIiOiJsb2NhbHwwMWI4M2EwZS1mY2U1LTQ5MjgtODhiNi0zNTNkMmQ3ZTBiNDMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZGJlNzU2MWYtZDVhOS00ZGEzLWJiZTEtNjlhMTg0Y2U3YzEzIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjlmYzczODkyLWEyNDItNGVjMS1hZTQ4LWJkMTY4MzY0MTExZCIsImlhdCI6MTYwMTQ2MDI0MywiZXhwIjoxNjAxNDYwNTQzfQ.OkGRkc0O1U6-geWnhgKISWn0cZeY2gFvnWnzWms5JmQ' --compressed

Example Response

{
    "id": "543e3f50-aac1-4e07-8499-e5de03a22528",
    "uri": "kylo:kylo:cckm:azure-vault:keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2020-09-30T09:59:12.030403Z",
    "name": "keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
    "updatedAt": "2020-09-30T09:59:12.030403Z",
    "azure_vault_id": "/subscriptions/12e533dd-b5c2-4e58-a264-0cd812dc5a34/resourceGroups/CCKM-resource/providers/Microsoft.KeyVault/vaults/keyvault-premium",
    "type": "Microsoft.KeyVault/vaults",
    "location": "northcentralus",
    "connection": "azure-connection",
    "cloud_name": "AzureCloud",
    "subscription_id": "12e533dd-b5c2-4e58-a264-0cd812dc5a34",
    "azure_name": "keyvault-premium",
    "synced_at": "2020-09-30T09:59:11.991824Z",
    "subscription_name": "Pay-As-You-Go",
    "properties": {
        "tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
        "sku": {
        "family": "A",
        "name": "premium"
        },
        "vaultUri": "https://keyvault-premium.vault.azure.net/"
    }
}

The sample output shows the details corresponding to the vault (with ID 543e3f50-aac1-4e07-8499-e5de03a22528).

To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.

Updating Azure Vaults

Use the patch /v1/cckm/azure/vaults/{id} API to update details of an Azure vault.

You can only update the connection parameter for an Azure vault.

Syntax

curl -k '<IP>/api/v1/cckm/azure/vaults/{id}' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "connection": "<connection_name>"\n}' --compressed

Here, {id} is the vault ID.

Request Parameters

Parameter Type Description
AUTHTOKEN string Authorization token.
connection string Name or ID of the connection.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/azure/vaults/543e3f50-aac1-4e07-8499-e5de03a22528' -X PATCH -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI0NjE0MWIyYi04MGVkLTQyMmEtYTY4Yy1jZmMwMWIzNTQ5NzciLCJzdWIiOiJsb2NhbHxhNjg4YjAwNC0zNTc1LTQzM2EtODYzOC0wMTNiYTJhYzFmNjQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiY2I2NjkwM2EtOTgyMy00NTExLTgyYmYtYzJmMzAzZmU5OTJlIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjM0NjBhNTYzLTlmMTAtNDkyYS05NjEwLWRhNmI3YWRlMWU2NCIsImlhdCI6MTYwMTg4NjYxOSwiZXhwIjoxNjAxODg2OTE5fQ.I4n_NBNmd-61o59ULm8g9Hyh1dSMQow_UaQQgqtqgiA' -H 'Content-Type: application/json' --data-binary $'{\n "connection": "azure-connection2"\n}' --compressed

Example Response

{
    "id": "543e3f50-aac1-4e07-8499-e5de03a22528",
    "uri": "kylo:kylo:cckm:azure-vault:keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2020-09-30T09:59:12.030403Z",
    "name": "keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
    "updatedAt": "2020-09-30T09:59:12.030403Z",
    "azure_vault_id": "/subscriptions/12e533dd-b5c2-4e58-a264-0cd812dc5a34/resourceGroups/CCKM-resource/providers/Microsoft.KeyVault/vaults/keyvault-premium",
    "type": "Microsoft.KeyVault/vaults",
    "location": "northcentralus",
    "connection": "azure-connection2",
    "cloud_name": "AzureCloud",
    "subscription_id": "12e533dd-b5c2-4e58-a264-0cd812dc5a34",
    "azure_name": "keyvault-premium",
    "synced_at": "2020-09-30T09:59:11.991824Z",
    "subscription_name": "Pay-As-You-Go",
    "properties": {
        "tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
        "sku": {
        "family": "A",
        "name": "premium"
        },
        "vaultUri": "https://keyvault-premium.vault.azure.net/"
    }
}

The sample output shows that the connection parameter for the vault (with ID 543e3f50-aac1-4e07-8499-e5de03a22528) is updated to azure-connection2.

To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.

Managing User Permissions on Azure Vaults

Use the post /v1/cckm/azure/vaults/{id}/update-acls API to grant permissions to users to perform specific actions on the Azure vaults.

For first-time users, actions are permitted as configured by the CCKM administrator. If a user's permissions need to be modified later, for example to permit a new action or revoke an existing one, the CCKM administrator sets that particular action to true or false.

For example, a user or group is permitted the actions keycreate, keyupdate, and keypurge. To permit one more action, keydelete, for the user or group, set "permit": true and "actions": ["keydelete"] and run the API. Similarly, to deny the action keycreate, set "permit": false and "actions": ["keycreate"] and run the API.

Syntax

curl -k '<IP>/api/v1/cckm/azure/vaults/{id}/update-acls' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n\n "group": "<group>",\n "permit": <boolean>,\n "actions": [actions]\n}' --compressed

Here, {id} represents the vault ID.

Request Parameters

Parameter Type Description
AUTHTOKEN string Authorization token.
actions array of strings Permitted actions on the Azure vault. Refer to APIs and Action Mapping for details.

Supported actions are:
• keycreate
• keyupdate
• keydelete
• keypurge
• keyupload
• keyrecover
• keyrestore
• keysynchronize
• view
• deletebackup
group string Name of the group to be granted permissions.
permit boolean Flag to permit users to perform specific actions on the Azure vault. Set to true to permit, false to deny.
user_id string ID of the user to be granted permissions.

User ID and group are mutually exclusive – specify either of the two.

APIs and Action Mapping

The following table lists the APIs and the actions required to call them.

APIs Actions Required Description
Create keycreate Permission to create an Azure key.
Recover keyrecover Permission to recover a soft-deleted Azure key.
Purge keypurge Permission to permanently delete the Azure key.
Soft Delete keydelete Permission to soft delete an Azure key from the vault.
Upload keyupload Permission to upload the CipherTrust Manager key to Azure.
Synchronize keysynchronize Permission to synchronize Azure keys.
Cancel keysynchronize Permission to cancel the synchronization job.
Restore keyrestore Permission to restore a backed up key to a vault.
Update keyupdate Permission to update the key attributes, tags, and key operations.
List view Permission to view vaults and their keys.
Get (Azure Keys) view Permission to get the details of an Azure key with the given ID.
List Vaults view Permission to view vaults and their keys.
Get (Azure Vaults) view Permission to get the details of the Azure vault with the given ID.
Delete Backup deletebackup Permission to delete an Azure key and its versions from the CCKM.
Create Secret secretcreate Permission to create an Azure secret.
Recover Secret secretrecover Permission to recover a soft-deleted Azure secret.
Purge Secret secretpurge Permission to permanently delete the Azure secret.
Soft Delete Secret secretdelete Permission to soft delete an Azure secret from the vault.
Synchronize Secret secretsynchronize Permission to synchronize Azure secrets.
Cancel Synchronize Secret secretsynchronize Permission to cancel the synchronization job.
Restore Secret secretrestore Permission to restore a backed up secret to a vault.
Update Secret secretupdate Permission to update the secret attributes and tags.
Delete Backup secretdeletebackup Permission to delete an Azure secret and its versions from the CCKM.
Get (Azure Secrets) secretview Permission to get the details of an Azure secret with the given ID.
List secretview Permission to view secrets of a vault.
Create Certificate certificatecreate Permission to create an Azure certificate.
Recover Certificate certificaterecover Permission to recover a soft-deleted Azure certificate.
Purge Certificate certificatepurge Permission to permanently delete the Azure certificate.
Soft Delete Certificate certificatedelete Permission to soft delete an Azure certificate from the vault.
Synchronize Certificate certificatesynchronize Permission to synchronize Azure certificates.
Cancel Synchronize Certificate certificatesynchronize Permission to cancel the certificate synchronization job.
Restore Certificate certificaterestore Permission to restore a backed up certificate to a vault.
Update Certificate certificateupdate Permission to update the certificate attributes and tags.
Delete Backup certificatedeletebackup Permission to delete an Azure certificate and its versions from the CCKM.
Get (Azure Certificates) certificateview Permission to get the details of an Azure certificate with the given ID.
List certificateview Permission to view certificates of a vault.
Upload (Azure Certificates) certificateupload Permission to upload the CipherTrust Manager certificate to Azure.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/azure/vaults/543e3f50-aac1-4e07-8499-e5de03a22528/update-acls' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI0NjE0MWIyYi04MGVkLTQyMmEtYTY4Yy1jZmMwMWIzNTQ5NzciLCJzdWIiOiJsb2NhbHxhNjg4YjAwNC0zNTc1LTQzM2EtODYzOC0wMTNiYTJhYzFmNjQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiY2I2NjkwM2EtOTgyMy00NTExLTgyYmYtYzJmMzAzZmU5OTJlIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjFlYTQxOTMxLWVjNDUtNGIyZS1hNTM1LTcyMWIyZWM0NjcwYyIsImlhdCI6MTYwMTg5MDI0MywiZXhwIjoxNjAxODkwNTQzfQ._r1U5EsgJu1kSs_JFbjjZp-Tb7eEMqHkWP6bf98DQto' -H 'Content-Type: application/json' --data-binary $'{\n\n "group": "CCKM Users",\n "permit": true,\n "actions": ["view","keycreate"]\n}' --compressed

Example Response

{
    "id": "543e3f50-aac1-4e07-8499-e5de03a22528",
    "uri": "kylo:kylo:cckm:azure-vault:keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2020-09-30T09:59:12.030403Z",
    "name": "keyvault-premium::12e533dd-b5c2-4e58-a264-0cd812dc5a34",
    "updatedAt": "2020-09-30T10:09:08.492827686Z",
    "azure_vault_id": "/subscriptions/12e533dd-b5c2-4e58-a264-0cd812dc5a34/resourceGroups/CCKM-resource/providers/Microsoft.KeyVault/vaults/keyvault-premium",
    "type": "Microsoft.KeyVault/vaults",
    "location": "northcentralus",
    "connection": "azure-connection",
    "acls": [
        {
            "group": "CCKM Users",
            "actions": [
                "view",
                "keycreate"
            ]
        }
    ],
    "cloud_name": "AzureCloud",
    "subscription_id": "12e533dd-b5c2-4e58-a264-0cd812dc5a34",
    "azure_name": "keyvault-premium",
    "synced_at": "2020-09-30T09:59:11.991824Z",
    "subscription_name": "Pay-As-You-Go",
    "properties": {
        "tenantId": "d27d849e-e487-4b0e-a54c-a71e67687d10",
        "sku": {
            "family": "A",
            "name": "premium"
        },
        "vaultUri": "https://keyvault-premium.vault.azure.net/"
    }
}

The sample output shows that the group (CCKM Users) is granted permission to perform the view and keycreate operations on the Azure vault.

To know more about response parameters, refer to Response Parameters of Azure Vault Management APIs.

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.

After the permissions are configured on the Azure vault, use the get /v1/cckm/azure/vaults/{id} API to view the details of the Azure vault, including the list of actions a user or group can perform on it.
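Because update-acls is applied one principal and one permit flag at a time, it helps to model the resulting ACL locally before sending the request, and to check it against the APIs and Action Mapping table. The following added example is not Thales code. The request fields (group or user_id, permit, actions), the supported action names and the key-related rows of the mapping table come from this page, and the acls list shape follows the example response above. How CCKM merges a request into an existing entry is inferred from the prose (permit adds the listed actions, deny removes them), so apply_update is an assumption, as is dropping an entry whose action list becomes empty; the starting ACL is the one from the example response.

```python
"""Local model of update-acls requests and the resulting vault ACL."""

# Supported actions for update-acls, as listed in the request parameters.
SUPPORTED_ACTIONS = frozenset({
    "keycreate", "keyupdate", "keydelete", "keypurge", "keyupload",
    "keyrecover", "keyrestore", "keysynchronize", "view", "deletebackup",
})

# Key-related rows of the APIs and Action Mapping table.
API_ACTIONS = {
    "Create": "keycreate", "Recover": "keyrecover", "Purge": "keypurge",
    "Soft Delete": "keydelete", "Upload": "keyupload", "Synchronize": "keysynchronize",
    "Cancel": "keysynchronize", "Restore": "keyrestore", "Update": "keyupdate",
    "List": "view", "Get": "view", "Delete Backup": "deletebackup",
}


def build_update_acls_request(actions, permit, group=None, user_id=None):
    """Validate and build the request body: exactly one principal, known actions only."""
    if (group is None) == (user_id is None):
        raise ValueError("specify exactly one of group or user_id")
    unknown = set(actions) - SUPPORTED_ACTIONS
    if unknown:
        raise ValueError(f"unsupported actions: {sorted(unknown)}")
    body = {"permit": bool(permit), "actions": list(actions)}
    if group is not None:
        body["group"] = group
    else:
        body["user_id"] = user_id
    return body


def _principal(entry):
    """Identify an ACL entry by its principal, whichever field it carries."""
    return ("group", entry["group"]) if "group" in entry else ("user_id", entry["user_id"])


def apply_update(acls, request):
    """Return the ACL list after the request (assumed merge: permit adds, deny removes)."""
    kind = "group" if "group" in request else "user_id"
    target = (kind, request[kind])
    result, found = [], False
    for entry in acls:
        key, name = _principal(entry)
        actions = list(entry["actions"])
        if (key, name) == target:
            found = True
            if request["permit"]:
                actions += [a for a in request["actions"] if a not in actions]
            else:
                actions = [a for a in actions if a not in request["actions"]]
        if actions:  # assumption: an entry with no actions left is dropped
            result.append({key: name, "actions": actions})
    if not found and request["permit"]:
        result.append({kind: request[kind], "actions": list(request["actions"])})
    return result


def can_call(acls, api, group=None, user_id=None):
    """True if the principal holds the action the mapping table requires for `api`."""
    needed = API_ACTIONS[api]
    target = ("group", group) if group is not None else ("user_id", user_id)
    return any(_principal(e) == target and needed in e["actions"] for e in acls)


def walk_through():
    """Replay the page's scenario: grant keydelete, then revoke keycreate, for one group."""
    acls = [{"group": "CCKM Users", "actions": ["view", "keycreate"]}]  # from the example response
    acls = apply_update(acls, build_update_acls_request(["keydelete"], True, group="CCKM Users"))
    acls = apply_update(acls, build_update_acls_request(["keycreate"], False, group="CCKM Users"))
    return acls


if __name__ == "__main__":
    final = walk_through()
    print(final)
    print("Soft Delete allowed:", can_call(final, "Soft Delete", group="CCKM Users"))
    print("Create allowed:", can_call(final, "Create", group="CCKM Users"))
```

Since user_id and group are mutually exclusive, the request builder refuses a body that names both or neither, and rejecting unlisted action names locally means a typo such as "keydelte" surfaces before the call instead of as a 4xx; the can_call check is the same question you would answer by reading the acls array returned by get /v1/cckm/azure/vaults/{id}.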