Creating AWS Keys on CCKM

Use the post /v1/cckm/aws/keys API to create an AWS key on the CCKM. When creating an AWS key, you can specify whether the key can be replicated in multiple AWS regions. By default, the base key will be referred to as the multi-region primary key. Later, you can set any replica of the multi-region key as the primary key.

Note

HMAC keys are not available in the cn-north-1 and cn-northwest-1 regions.

Syntax

curl -k '<IP>/api/v1/cckm/aws/keys' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "kms": "<kms id>",\n  "region": "<region>",\n  "aws_param": {<aws parameters>}\n}' --compressed

Request Parameters

Parameter Type Description
AUTHTOKEN string Authorization token.
kms string Name or ID of the KMS.
region string Name of the region.
aws_param JSON Key parameters such as alias, description, and usage. Refer to AWS Key Parameters for details.
external_accounts array of strings AWS accounts that can use this key.
key_admins array of strings IAM users who can administer this key using the KMS API.
key_admins_roles array of strings IAM roles that can administer this key using the KMS API.
key_users array of strings IAM users who can use this key in cryptographic operations.
key_users_roles array of strings IAM roles that can use the CMK in cryptographic operations.
policytemplate string ID of the policy template to apply.
Note: When a policy template is applied to an AWS key, CCKM adds the template tag (cckm_policy_template_id) to the key. Do not modify or delete this tag on the AWS cloud.

Specify Policy, policytemplate, or one of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.

AWS Key Parameters

Parameter Type Description
Alias string Alias of the key.
BypassPolicyLockoutSafetyCheck boolean Flag to bypass the key policy lockout safety check.
CustomerMasterKeySpec string Type of the key. Supported types are:
• SYMMETRIC_DEFAULT (Default)
• RSA_2048 (Asymmetric)
• RSA_3072 (Asymmetric)
• RSA_4096 (Asymmetric)
• ECC_NIST_P256 (secp256r1) (Asymmetric)
• ECC_NIST_P384 (secp384r1) (Asymmetric)
• ECC_NIST_P521 (secp521r1) (Asymmetric)
• ECC_SECG_P256K1 (secp256k1) (Asymmetric)
• HMAC_224
• HMAC_256
• HMAC_384
• HMAC_512
Description string Description of the key.
KeyUsage string Cryptographic operations performed by the key. Supported operations are:
• ENCRYPT_DECRYPT
• SIGN_VERIFY
• GENERATE_VERIFY_MAC
MultiRegion boolean Whether the key can be replicated in multiple AWS regions. The base key will be referred to as the multi-region primary key. Set to true to allow key replication in multiple regions.
Origin string Source of the AWS customer master key (CMK) key material. The key origin cannot be changed. The origin of the key can be:
• AWS_KMS
• EXTERNAL
Policy JSON Key policy to attach to the CMK.
Tags array of JSONs An optional parameter to add additional information to the key. The value must be specified as the key-value pair. CCKM allows the following characters in tag values:
• Alphanumeric characters
• Special characters _ . / = + - @

Specify Policy, policytemplate, or one of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.
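The parameter tables above describe several rules a client has to honour before the request leaves the machine: the key spec and usage must match, HMAC specs are unavailable in the two Chinese regions, and Policy, policytemplate and the principal lists are mutually exclusive. The following Python client is an added example, not code from this page or from Thales: it validates a would-be request against those rules, builds the JSON body, and posts it with the same endpoint path and headers as the curl syntax. The spec-to-usage pairing table is an AWS KMS constraint the page does not spell out, and the base URL, token and the `opener` hook are this example's own assumptions. Note that, unlike the `curl -k` examples, `urlopen` verifies the server certificate by default.

```python
import json
import urllib.request

# Endpoint path from this page; base URL and token are supplied by the caller.
ENDPOINT_PATH = "/api/v1/cckm/aws/keys"

# Constraints stated on this page.
HMAC_SPECS = {"HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"}
HMAC_UNAVAILABLE_REGIONS = {"cn-north-1", "cn-northwest-1"}
PRINCIPAL_LISTS = ("key_admins", "key_admins_roles", "key_users",
                   "key_users_roles", "external_accounts")

# Which KeyUsage values each CustomerMasterKeySpec accepts. The spec and usage
# names are the ones listed on this page; the pairing itself is an AWS KMS
# constraint the page does not spell out, so it is this example's assumption.
USAGE_FOR_SPEC = {
    "SYMMETRIC_DEFAULT": {"ENCRYPT_DECRYPT"},
    "RSA_2048": {"ENCRYPT_DECRYPT", "SIGN_VERIFY"},
    "RSA_3072": {"ENCRYPT_DECRYPT", "SIGN_VERIFY"},
    "RSA_4096": {"ENCRYPT_DECRYPT", "SIGN_VERIFY"},
    "ECC_NIST_P256": {"SIGN_VERIFY"},
    "ECC_NIST_P384": {"SIGN_VERIFY"},
    "ECC_NIST_P521": {"SIGN_VERIFY"},
    "ECC_SECG_P256K1": {"SIGN_VERIFY"},
    "HMAC_224": {"GENERATE_VERIFY_MAC"},
    "HMAC_256": {"GENERATE_VERIFY_MAC"},
    "HMAC_384": {"GENERATE_VERIFY_MAC"},
    "HMAC_512": {"GENERATE_VERIFY_MAC"},
}


def check_create_key_request(region, aws_param, **policy_opts):
    """Return a list of problems with a would-be request (empty list = OK)."""
    problems = []
    spec = aws_param.get("CustomerMasterKeySpec", "SYMMETRIC_DEFAULT")
    usage = aws_param.get("KeyUsage")
    if spec not in USAGE_FOR_SPEC:
        problems.append(f"unsupported CustomerMasterKeySpec {spec}")
    elif usage is not None and usage not in USAGE_FOR_SPEC[spec]:
        problems.append(f"{spec} does not support KeyUsage {usage}")
    if spec in HMAC_SPECS and region in HMAC_UNAVAILABLE_REGIONS:
        problems.append(f"HMAC keys are not available in {region}")

    unknown = set(policy_opts) - set(PRINCIPAL_LISTS) - {"policytemplate"}
    if unknown:
        problems.append("unknown parameters: " + ", ".join(sorted(unknown)))

    # Policy sources are mutually exclusive: an inline Policy, a policytemplate,
    # or the principal lists (which may be combined among themselves).
    sources = []
    if "Policy" in aws_param:
        sources.append("Policy")
    if policy_opts.get("policytemplate"):
        sources.append("policytemplate")
    if any(policy_opts.get(k) for k in PRINCIPAL_LISTS):
        sources.append("key_admins/key_users/external_accounts lists")
    if len(sources) > 1:
        problems.append("mutually exclusive policy sources: " + ", ".join(sources))
    return problems


def build_create_key_body(kms, region, aws_param, **policy_opts):
    """Build the JSON body for POST /v1/cckm/aws/keys; raise ValueError if invalid."""
    problems = check_create_key_request(region, aws_param, **policy_opts)
    if problems:
        raise ValueError("; ".join(problems))
    body = {"kms": kms, "region": region, "aws_param": aws_param}
    body.update({k: v for k, v in policy_opts.items() if v})
    return body


def create_aws_key(base_url, token, body, opener=urllib.request.urlopen):
    """POST the body to CCKM and return the parsed JSON response.

    `opener` is injectable (hypothetical hook) so the call can be exercised
    offline; the default urlopen verifies the server certificate.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT_PATH,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with opener(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Same request as the page's example: a multi-region symmetric key.
    body = build_create_key_body(
        "kms", "ap-south-1",
        {"Alias": "aws-test-key", "MultiRegion": True,
         "Tags": [{"TagKey": "key", "TagValue": "value"}]},
    )
    print(json.dumps(body, indent=2))
```

Keeping the validation in `check_create_key_request` separate from the HTTP call means a policy-source conflict is caught locally instead of surfacing as a 4xx from CCKM, and the same function can be reused to lint request bodies stored in automation.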

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload redacted>.MIMArFeC4cpPNTYOd39mu6_-yihdN0CDl_917eH8-kY' -H 'Content-Type: application/json' --data-binary $'{\n  "kms": "kms",\n  "region": "ap-south-1",\n  "aws_param": {\n    "Alias": "aws-test-key",\n    "MultiRegion": true,\n    "Tags": [\n      {\n        "TagKey": "key",\n        "TagValue": "value"\n      }\n    ]\n  }\n}' --compressed

Example Response

{
    "id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
    "uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2020-11-05T06:35:42.443457335Z",
    "updatedAt": "2020-11-05T06:35:42.441821548Z",
    "kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
    "kms": "kms",
    "synced_at": "2020-11-05T06:35:42.438073546Z",
    "rotation_status": "",
    "cloud_name": "aws",
    "key_type": "symmetric",
    "basic_view_enabled": false,
    "region": "ap-south-1",
    "gone": false,
    "key_material_origin": "native",
    "aws_param": {
        "AWSAccountId": "123456789012",
        "Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "Enabled": true,
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ],
        "KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
        "KeyManager": "CUSTOMER",
        "KeyState": "Enabled",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "Origin": "AWS_KMS",
        "CreationDate": "2020-11-05T06:35:29Z",
        "Policy": {
            "Version": "2012-10-17",
            "Id": "key-default-1",
            "Statement": [
                {
                    "Sid": "Enable IAM User Permissions",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::123456789012:root"
                    },
                    "Action": "kms:*",
                    "Resource": "*"
                }
            ]
        },
        "Alias": [
            "alias/aws-test-key"
        ],
        "Tags": [
            {
                "TagKey": "key",
                "TagValue": "value"
            }
        ],
        "KeyRotationEnabled": false,
        "MultiRegion": true
    }
}

The sample output shows that an AWS key (with alias aws-test-key) is created in the AWS region "ap-south-1" on the AWS KMS. A unique ID (baf58871-2503-4d13-a84a-339aeb8fdfaf) for the key is returned.

In the output, "MultiRegion": true shows that the key is a multi-region primary key. This key can be replicated in multiple AWS regions. Refer to Replicating Multi-Region AWS Keys for replication details.

To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.
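The response above is worth checking rather than just reading: the created key should carry the alias, region and MultiRegion flag that were requested, and the response also reveals that rotation is off and that, because no policy parameters were supplied, the key got the default policy in which the account root holds kms:*. The following audit function is an added example, not code from this page or from Thales. It runs over the page's example response (embedded here, trimmed to the fields it uses) and returns a list of findings; the finding texts and the "default policy" shape test are this example's own choices.

```python
import json

# Constructed sample: the example response from this page, trimmed to the
# fields the audit reads.
SAMPLE_RESPONSE = json.loads("""
{
  "id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
  "region": "ap-south-1",
  "key_material_origin": "native",
  "aws_param": {
    "AWSAccountId": "123456789012",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "AWS_KMS",
    "Policy": {
      "Version": "2012-10-17",
      "Id": "key-default-1",
      "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"}
      ]
    },
    "Alias": ["alias/aws-test-key"],
    "KeyRotationEnabled": false,
    "MultiRegion": true
  }
}
""")


def is_account_default_policy(policy, account_id):
    """True if the policy is only the default statement: account root gets kms:*."""
    stmts = policy.get("Statement", [])
    if len(stmts) != 1:
        return False
    s = stmts[0]
    principal = s.get("Principal", {}).get("AWS")
    return (s.get("Effect") == "Allow"
            and principal == f"arn:aws:iam::{account_id}:root"
            and s.get("Action") == "kms:*"
            and s.get("Resource") == "*")


def audit_created_key(resp, expected_alias, expected_region, expected_multi_region):
    """Compare the created key with what was requested and flag review items.

    Returns a list of findings; an empty list means the key matches the
    request and nothing needs a second look.
    """
    findings = []
    p = resp["aws_param"]
    if resp.get("region") != expected_region:
        findings.append(f"region is {resp.get('region')}, expected {expected_region}")
    if f"alias/{expected_alias}" not in p.get("Alias", []):
        findings.append(f"alias/{expected_alias} is not attached to the key")
    if bool(p.get("MultiRegion")) != expected_multi_region:
        findings.append(f"MultiRegion is {p.get('MultiRegion')}, expected {expected_multi_region}")
    if p.get("KeyState") != "Enabled":
        findings.append(f"KeyState is {p.get('KeyState')}")
    if not p.get("KeyRotationEnabled"):
        findings.append("automatic key rotation is disabled")
    if is_account_default_policy(p.get("Policy", {}), p.get("AWSAccountId", "")):
        findings.append("key policy is the account default (root principal has kms:*)")
    return findings


if __name__ == "__main__":
    for finding in audit_created_key(SAMPLE_RESPONSE, "aws-test-key", "ap-south-1", True):
        print("-", finding)
```

Run against the page's example, the audit reports only the two review items (rotation disabled, default policy); a mismatch in region, alias or MultiRegion would be listed first, which makes the function usable as a post-creation gate in provisioning automation.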

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.