Updating AWS Key Templates
Use the PATCH /v1/cckm/aws/key-templates/{id} API to update the parameters of a key template. You can modify key attributes such as the key description, key policy, and tags.
Syntax
curl -k '<IP>/api/v1/cckm/aws/key-templates/{id}' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' -H 'accept: application/json' --compressed
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| description | string | An optional parameter to specify the description of the key template. |
| key_attributes | string | An optional parameter to define the key attribute parameters. |
| aws_param | JSON | An optional parameter to define the AWS key template parameters. Refer to AWS Parameters for more information. |
| name | string | Name of the key template used for AWS Key. Key template names can only contain alphanumeric characters and dashes. |
| external_accounts | string | An optional parameter to specify the AWS accounts that can use this key. External accounts are mutually exclusive to policy and policy template. If policy parameters are not specified, the default policy is used. |
| external_cm_domain_id | string | An optional parameter to specify the external-cm domain ID in which the external-cm key is located. |
| key_admins | string | An optional parameter to specify the IAM users to administer this key using the KMS API. Key admins are mutually exclusive to policy and policy template. If policy parameters are not specified, the default policy is used. |
| key_admins_roles | string | An optional parameter to specify the roles of the IAM users to administer this key. |
| key_users | string | An optional parameter to specify the IAM users who can use the KMS key in cryptographic operations. Key users are mutually exclusive to policy and policy template. If policy parameters are not specified, the default policy is used. |
| key_users_roles | string | An optional parameter to specify the roles of the IAM users to use the KMS key in cryptographic operations. |
| kms | string | An optional parameter to specify the name or ID of the KMS where the key template will be created. |
| local_hosted_params | JSON | An optional parameter to specify the local hosted parameters. Applicable to AWS HYOK. • blocked: Indicates whether the endpoint is blocked or not. The value is specified as boolean. The default value is false, which means the endpoint is not blocked. • custom_key_store_id: Specifies the custom key store ID. Required for a custom key store that is locally hosted. The value is specified as string. • linked_state: Indicates whether xks key should be linked with AWS. The default value is false, which means xks key should not be linked with AWS. • source_key_tier: Specifies the source key tier. Options are local and hsm-luna. Default is hsm-luna. The only value supported by the service is local. |
| partition_id | string | An optional parameter to specify the partition ID in which HSM key is located. |
| policytemplate | string | An optional parameter to specify the policy template ID. Policy template is mutually exclusive to all other policy parameters. If policy parameters are not specified, the default policy is used. |
| region | string | An optional parameter to specify the name of the available regions. |
| rotation_setting | JSON | An optional parameter to specify the AWS key rotation setting parameters. • auto_rotate_disable_encrypt: Inactivates encryption on the old key. The value is specified as boolean. The auto_rotate_disable_encrypt and auto_rotate_disable_encrypt_on_all_accounts are mutually exclusive. Specify either auto_rotate_disable_encrypt or auto_rotate_disable_encrypt_on_all_accounts. • auto_rotate_disable_encrypt_on_all_accounts: Inactivates encryption permissions on the old key for all the accounts. The auto_rotate_disable_encrypt and auto_rotate_disable_encrypt_on_all_accounts are mutually exclusive. Specify either auto_rotate_disable_encrypt or auto_rotate_disable_encrypt_on_all_accounts. • auto_rotate_external_cm_domain_id: A string value. Specifies the ID of the external-cm domain to create the external-cm key. • auto_rotate_key_source: A string value. Specifies the source of the key material. Options are hsm-luna, external-cm, and local. • auto_rotate_partition_id: A string value. Specifies the ID of the partition to create the HSM key. • job_config_id: Specifies the ID of the scheduler job to perform the key rotation. |
| source_key_tier | string | An optional parameter to specify the source key tier. Possible options are local, hsm-luna, and external-cm. The default value and the only value supported by the service is local. |
| override_attributes | boolean | An optional parameter to determine whether key attributes from the template should be overridden by the values provided in the create or upload key parameters. The default value is true. |
| template_type | string | An optional parameter to specify the template type. If type is not specified, the template can be used for all key types. Possible options are: • native: Template to create native keys. • byok: Template to create byok keys. • hyok: Template to create hyok keys. |
AWS Parameters
| Parameter | Type | Description |
|---|---|---|
| BypassPolicyLockoutSafetyCheck | boolean | An optional parameter to determine whether to bypass the key policy lockout safety check. |
| CustomerMasterKeySpec | string | An optional parameter to determine whether the KMS key contains a symmetric key or an asymmetric key pair. Possible options are: • SYMMETRIC_DEFAULT (Default) • RSA_2048 (Asymmetric) • RSA_3072 (Asymmetric) • RSA_4096 (Asymmetric) • ECC_NIST_P256 (secp256r1, prime256v1) (Asymmetric) • ECC_NIST_P384 (secp384r1) (Asymmetric) • ECC_NIST_P521 (secp521r1) (Asymmetric) • ECC_SECG_P256K1 (secp256k1) (Asymmetric) • HMAC_224 • HMAC_256 • HMAC_384 • HMAC_512 |
| Description | string | An optional parameter to specify the description of the key. |
| KeyUsage | string | An optional parameter to specify the use of the KMS key. Possible options are: • ENCRYPT_DECRYPT • SIGN_VERIFY • GENERATE_VERIFY_MAC • ENCRYPT_SIGN • DECRYPT_VERIFY |
| MultiRegion | boolean | An optional parameter to specify whether to create a multi-region primary key. |
| Origin | string | An optional parameter to specify the source of the key material of the KMS key. The origin cannot be changed after the KMS key is created. Possible options are: • AWS_KMS • EXTERNAL |
| Policy | JSON | An optional parameter to specify the key policy to attach to the KMS key. Policy is mutually exclusive to all other policy parameters. If policy parameters are not specified, the default policy is used. |
| Tags | JSON | An optional parameter to specify the tag information. • TagKey: A string value to specify the tag key. • TagValue: A string value to specify a corresponding value to tag key. |
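The mutual-exclusion rules stated in the two parameter tables can be checked on the client before the PATCH is sent. The following is an added example, not the product's own code: `check_template_patch` and its constants are hypothetical names, it assumes the policy fields sit under `key_attributes` as the layout of the example response suggests, and it treats the `*_roles` fields as policy parameters.

```python
import re

# Treating the *_roles fields as "other policy parameters" is an assumption here.
PRINCIPALS = ("external_accounts", "key_admins", "key_admins_roles",
              "key_users", "key_users_roles")
KEY_SOURCES = {"hsm-luna", "external-cm", "local"}
EITHER = ("auto_rotate_disable_encrypt", "auto_rotate_disable_encrypt_on_all_accounts")


def check_template_patch(body):
    """Return findings for a key-template PATCH body; an empty list means clean."""
    findings = []
    # Assumed layout: policy fields sit under key_attributes, as in the example response.
    attrs = body.get("key_attributes") or {}
    aws = attrs.get("aws_param") or {}
    rot = attrs.get("rotation_setting") or {}
    name = body.get("name")
    if name is not None and not re.fullmatch(r"[A-Za-z0-9-]+", name):
        findings.append("error: name may contain only alphanumerics and dashes")
    # Policy and policytemplate exclude each other and every principal field.
    used = [k for k, v in (("aws_param.Policy", aws.get("Policy")),
                           ("policytemplate", attrs.get("policytemplate"))) if v]
    principals = [f for f in PRINCIPALS if attrs.get(f)]
    if len(used) == 2 or (used and principals):
        findings.append("error: mutually exclusive policy parameters: "
                        + ", ".join(used + principals))
    if all(rot.get(k) is not None for k in EITHER):
        findings.append("error: specify only one of " + " or ".join(EITHER))
    src = rot.get("auto_rotate_key_source")
    if src is not None and src not in KEY_SOURCES:
        findings.append("error: unknown auto_rotate_key_source %r" % (src,))
    # Not invalid, but every key built from the template would skip the lockout check.
    if aws.get("BypassPolicyLockoutSafetyCheck") is True:
        findings.append("review: BypassPolicyLockoutSafetyCheck is enabled")
    return findings


# The page's example request body, then a constructed body that breaks several rules.
PAGE_EXAMPLE = {"key_attributes": {"rotation_setting": {"auto_rotate_key_source": "hsm-luna"}}}
CONSTRUCTED_BAD = {"name": "temp_6", "key_attributes": {
    "policytemplate": "POLICY-TEMPLATE-ID-PLACEHOLDER", "key_admins": "example-admin",
    "aws_param": {"Policy": {"Version": "2012-10-17", "Statement": []},
                  "BypassPolicyLockoutSafetyCheck": True},
    "rotation_setting": dict.fromkeys(EITHER, True)}}

if __name__ == "__main__":
    for body in (PAGE_EXAMPLE, CONSTRUCTED_BAD):
        print(check_template_patch(body) or "clean")
```

Findings prefixed `error:` contradict a rule in the tables; `review:` marks a setting that is accepted but worth a second look before it is baked into a template.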
Example Request
curl -k 'https://127.0.1.1/api/v1/cckm/aws/key-templates/68c4bab9-21f1-4a61-86ae-7325142beb46' -X PATCH -H 'Authorization: Bearer {Place jwt token here. Bearer token / JWT can be created via the /v1/auth/tokens API.}' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary '{"key_attributes": {"rotation_setting": {"auto_rotate_key_source": "hsm-luna"}}}' --compressed
Example Response
{
  "id": "68c4bab9-21f1-4a61-86ae-7325142beb46",
  "uri": "kylo:kylo-bafd7fa9-4fcb-4bec-8391-d099340db929:cckm:aws-key-template:temp6-68c4bab9-21f1-4a61-86ae-7325142beb46",
  "account": "kylo:kylo-bafd7fa9-4fcb-4bec-8391-d099340db929:admin:accounts:kylo-bafd7fa9-4fcb-4bec-8391-d099340db929",
  "createdAt": "2025-10-10T05:23:45.830971Z",
  "updatedAt": "2025-10-10T06:25:46.831067Z",
  "name": "Temp6",
  "description": "Testing Temp",
  "override_attributes": false,
  "template_type": "byok",
  "key_attributes": {
    "aws_param": {
      "CustomerMasterKeySpec": "HMAC_512",
      "KeyUsage": "SIGN_VERIFY",
      "MultiRegion": true,
      "Origin": "AWS_KMS",
      "Tags": [
        {
          "TagKey": "Check",
          "TagValue": "1"
        }
      ]
    },
    "region": "us-east-3",
    "external_cm_domain_id": "1425",
    "rotation_setting": {
      "job_config_id": "f404f720-9671-4eae-9449-dd5044bb8e50",
      "auto_rotate_disable_encrypt": null,
      "auto_rotate_disable_encrypt_on_all_accounts": null,
      "auto_rotate_external_cm_domain_id": null,
      "auto_rotate_key_source": "local",
      "auto_rotate_partition_id": "5854"
    },
    "local_hosted_params": {}
  }
}
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.