Key Life Cycle Management APIs

Replicating Multi-Region AWS Keys


Use the post /v1/cckm/aws/keys/{id}/replicate-key API to replicate a multi-region AWS key into another AWS region. The key being replicated must already be a multi-region primary key (MultiRegion is true and its AWS key ID starts with mrk-); a single-region key cannot be converted into a multi-region key by replication. When replicating, specify the target AWS region in replica_region. The replica shares the primary's key ID and key material, but it has its own key policy, aliases, tags and enabled state in the target region, which is why this call accepts its own policy and tag parameters.

When you replicate a multi-region primary key whose key material was imported (that is, uploaded from CCKM), the replicate process does not return a replica with the same key material as the primary. Instead it returns a replica with no key material and a key state of PendingImport. To make the replica usable, you must import into it the same key material that you imported into its primary key; until then, cryptographic operations against the replica fail.

Syntax

curl -k '<IP>/api/v1/cckm/aws/keys/{id}/replicate-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "replica_region": "<replication-region>",\n  "aws_param": {<aws parameters>}}' --compressed

Here, {id} represents the CCKM resource ID of the primary multi-region AWS key (not the AWS key ID). The -k flag in these examples disables server-certificate verification; use it only against a lab instance, and drop it (or supply --cacert with the CA that issued the CipherTrust Manager interface certificate) elsewhere, since an unverified TLS connection lets an interposed host capture the bearer token.

Request Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| AUTHTOKEN | string | Authorization token. |
| replica_region | string | Name of the AWS region in which the replica is to be created. |
| aws_param | JSON | Key parameters such as alias, description, and usage. Refer to AWS Key Parameters for details. |
| external_accounts | array of strings | AWS accounts that can use this key. |
| key_admins | array of strings | IAM users who can administer this key using the KMS API. |
| key_admins_roles | array of strings | IAM roles that can administer this key using the KMS API. |
| key_users | array of strings | IAM users who can use this key in cryptographic operations. |
| key_users_roles | array of strings | IAM roles that can use this key in cryptographic operations. |
| policytemplate | string | ID of the policy template to apply. |

Note: When a policy template is applied to an AWS key, CCKM adds the template tag (cckm_policy_template_id) to the key. Do not modify or delete this tag on the AWS cloud; CCKM uses it to track which template governs the key's policy.

Specify either Policy (inside aws_param), policytemplate, or the principal lists (key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts, which may be combined with each other). These three ways of defining the key policy are mutually exclusive. If none of them is specified, the default key policy is used, which grants the AWS account root principal kms:* on the key.

AWS Key Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| Alias | string | Alias of the key. |
| BypassPolicyLockoutSafetyCheck | boolean | Flag to bypass the key policy lockout safety check. Leave this false unless you are certain the supplied Policy still lets the calling principal manage the key; bypassing the check can produce a replica that nobody can administer. |
| Description | string | Description of the key. |
| Origin | string | Source of the AWS customer master key (CMK) key material. The key origin cannot be changed. The origin of the key can be AWS_KMS or EXTERNAL. |
| Policy | JSON | Key policy to attach to the CMK. |
| Tags | array of JSONs | An optional parameter to add additional information to the key. Each entry must be specified as a key-value pair (TagKey and TagValue). CCKM allows alphanumeric characters and the special characters _ . / = + - @ in tag values. |

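The constraints above (the policy options are mutually exclusive, tag values have a restricted character set, and a replica of an imported-material key comes back as PendingImport) are easy to get wrong when scripting replication across many regions. The following is an added example, not code from the original page or from Thales: a small Python client that builds the request body for this API, rejects bodies that break the documented rules before they reach AWS, submits them over a certificate-verified TLS connection (instead of curl's -k), and reports whether the resulting replica still needs key material. The region regex, the error class and the helper names are this example's own assumptions; the field names come from the tables above.

```python
"""Client helpers for POST /v1/cckm/aws/keys/{id}/replicate-key (added example)."""
import json
import re
import ssl
import urllib.request
from typing import Any, Dict, List, Optional

# Characters CCKM permits in tag values, per the AWS Key Parameters table:
# alphanumerics plus _ . / = + - @
TAG_VALUE_RE = re.compile(r"^[A-Za-z0-9_./=+@-]+$")
# Shape check for region names such as ap-southeast-1 or us-gov-west-1.
# Assumption: a local syntactic check only; AWS and CCKM decide what is valid.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d+$")

# The principal lists that may be combined with each other but not with
# aws_param.Policy or policytemplate.
PRINCIPAL_FIELDS = (
    "external_accounts", "key_admins", "key_admins_roles",
    "key_users", "key_users_roles",
)


class ReplicateRequestError(ValueError):
    """Raised when a request body would violate the documented constraints."""


def build_replicate_body(replica_region: str,
                         aws_param: Optional[Dict[str, Any]] = None,
                         policytemplate: Optional[str] = None,
                         **principals: List[str]) -> Dict[str, Any]:
    """Assemble and validate the JSON body for the replicate-key call."""
    if not REGION_RE.match(replica_region or ""):
        raise ReplicateRequestError(
            f"replica_region {replica_region!r} does not look like an AWS region")
    unknown = set(principals) - set(PRINCIPAL_FIELDS)
    if unknown:
        raise ReplicateRequestError(f"unsupported parameters: {sorted(unknown)}")
    aws_param = dict(aws_param or {})

    # Only one way of expressing the key policy may be present; none means the
    # default policy (account root gets kms:*) is applied.
    chosen = []
    if "Policy" in aws_param:
        chosen.append("aws_param.Policy")
    if policytemplate is not None:
        chosen.append("policytemplate")
    if any(values for values in principals.values()):
        chosen.append("key_admins/key_users/external_accounts lists")
    if len(chosen) > 1:
        raise ReplicateRequestError(
            "mutually exclusive policy options given: " + ", ".join(chosen))

    for tag in aws_param.get("Tags", []):
        value = tag.get("TagValue", "")
        if not TAG_VALUE_RE.match(value):
            raise ReplicateRequestError(
                f"tag value {value!r} contains characters CCKM does not allow")

    body: Dict[str, Any] = {"replica_region": replica_region, "aws_param": aws_param}
    if policytemplate is not None:
        body["policytemplate"] = policytemplate
    for name, values in principals.items():
        if values:
            body[name] = list(values)
    return body


def replicate_key(base_url: str, token: str, key_id: str, body: Dict[str, Any],
                  ca_bundle: Optional[str] = None, timeout: float = 30.0) -> Dict[str, Any]:
    """POST the body to CCKM and return the parsed JSON response.

    The server certificate is verified (pass the CA that issued the
    CipherTrust Manager interface certificate via ca_bundle); never disable
    verification for a call that carries a bearer token.
    """
    url = f"{base_url.rstrip('/')}/api/v1/cckm/aws/keys/{key_id}/replicate-key"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.load(resp)


def replica_status(response: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise a replicate-key response for the operator.

    Flags the imported-material edge case: such replicas come back as
    PendingImport and are unusable until the primary's key material is
    imported into them as well.
    """
    aws = response.get("aws_param", {})
    state = aws.get("KeyState")
    return {
        "id": response.get("id"),
        "region": response.get("region"),
        "key_id": aws.get("KeyID"),
        "key_state": state,
        "needs_import": state == "PendingImport",
        "usable": bool(aws.get("Enabled")) and state == "Enabled",
    }
```

In use, call build_replicate_body once per target region, pass the result to replicate_key, and loop on replica_status until usable is true (re-reading the key from CCKM between polls), importing key material first wherever needs_import is reported.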

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/replicate-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "replica_region": "ap-southeast-1",\n  "aws_param": {\n    "Description": "Replicated key",\n    "Tags": [\n      {\n        "TagKey": "key",\n        "TagValue": "value"\n      }\n    ]\n  }\n}' --compressed

Example Response

{
    "id": "a152ad26-df3f-4116-abae-b93a914e76ac",
    "uri": "kylo:kylo:cckm:aws-replica-key:a152ad26-df3f-4116-abae-b93a914e76ac",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2021-08-10T05:55:49.010163222Z",
    "updatedAt": "2021-08-10T05:55:49.008870847Z",
    "kms_id": "10fa8bf3-3070-4bdc-8f19-f7cbed593f40",
    "kms": "kms",
    "synced_at": "2021-08-10T05:55:48.907773918Z",
    "rotation_status": "",
    "cloud_name": "aws",
    "key_type": "symmetric",
    "basic_view_enabled": false,
    "region": "ap-southeast-1",
    "gone": false,
    "key_material_origin": "native",
    "aws_param": {
        "AWSAccountId": "556782317223",
        "Arn": "arn:aws:kms:ap-southeast-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "Description": "Replicated key",
        "Enabled": false,
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ],
        "KeyID": "mrk-6ad3ab90026044a2a24fef020c5d02dc",
        "KeyManager": "CUSTOMER",
        "KeyState": "Creating",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "Origin": "AWS_KMS",
        "CreationDate": "2021-08-10T05:55:48.542Z",
        "Alias": [
            "alias/ab-mr-key"
        ],
        "KeyRotationEnabled": false,
        "MultiRegion": true,
        "MultiRegionConfiguration": {
            "MultiRegionKeyType": "REPLICA",
            "PrimaryKey": {
                "Arn": "arn:aws:kms:ap-south-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
                "Region": "ap-south-1"
            },
            "ReplicaKeys": [
                {
                    "Arn": "arn:aws:kms:ap-southeast-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
                    "Region": "ap-southeast-1"
                }
            ]
        },
        "ReplicaPolicy": {
            "Version": "2012-10-17",
            "Id": "key-default-1",
            "Statement": [
                {
                    "Sid": "Enable IAM User Permissions",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::556782317223:root"
                    },
                    "Action": "kms:*",
                    "Resource": "*"
                }
            ]
        },
        "ReplicaTags": [
            {
                "TagKey": "key",
                "TagValue": "value"
            }
        ]
    }
}

The sample output shows that the multi-region primary key with the CCKM resource ID baf58871-2503-4d13-a84a-339aeb8fdfaf, which lives in the AWS region ap-south-1, has been replicated to the AWS region ap-southeast-1. The CCKM resource ID of the replica key is a152ad26-df3f-4116-abae-b93a914e76ac. The replica keeps the primary's AWS key ID (mrk-6ad3ab90026044a2a24fef020c5d02dc), as all AWS multi-region replicas do, and MultiRegionConfiguration lists the primary and every replica. Note that KeyState is still Creating and Enabled is false: the replica cannot be used for cryptographic operations until AWS finishes creating it and CCKM syncs it, and a replica of an imported-material key additionally stays unusable (PendingImport) until its key material is imported. ReplicaPolicy shows the default key policy that applies because no Policy, policytemplate or principal lists were supplied in the request.

Response Codes

| Response Code | Description |
| --- | --- |
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |

Refer to HTTP status codes for details.