Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo
back

Key Life Cycle Management APIs

Updating Key Policy

search

Please Note:

Updating Key Policy

Use the post /v1/cckm/aws/keys/{id}/policy API to update the policy of an AWS key.

Syntax

curl -k '<IP>/api/v1/cckm/aws/keys/{id}/policy' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "key_users": ["key_user"],\n "key_admins": ["key_admin"],\n  "external_accounts": ["external_account"]\n\n}'--compressed

Here, {id} represents the key ID.

Request Parameters

ParameterTypeDescription
AUTHTOKENstringAuthorization token.
external_accountsarray of stringsAWS accounts that can use this key.
key_adminsarray of stringsIAM users who can administer this key using the KMS API.
key_admins_rolesarray of stringsIAM roles that can administer this key using the KMS API.
key_usersarray of stringsIAM users who can use this key in cryptographic operations.
key_users_rolesarray of stringsIAM roles that can use the CMK in cryptographic operations.
policyJSONKey policy mapped to the key.
policytemplatestringID of the policy template to apply.

Specify Policy, policytemplate, or one of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/policy' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNWMwZGJlNC1lMmJmLTQ3M2MtODY4MC01NWVkMWIzMDEzMmEiLCJzdWIiOiJsb2NhbHxhNjdjMzc0OC05YTRiLTRhZGQtYjNkOS0wNTRiYTIwYmUzYWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDhkNDI5ZjktNDgzYi00ODdlLWJjOTQtNGE1Mjc2ZDI2ZjZjIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImIyZjQxZTFiLTc0MmQtNDA1Mi04NTA5LWRlZDE1NjNjNjRmNCIsImlhdCI6MTYwNDU1OTAyMywiZXhwIjoxNjA0NTU5MzIzfQ.R9TjeIn5d9N7-V_8FGcl-90aRarpQayXfBL2OJ50AKk' -H 'Content-Type: application/json' --data-binary $'{\n  "key_users": ["user2"]\n}' --compressed

Example Response

{
"id": "baf58871-2503-4d13-a84a-339aeb8fdfaf",
"uri": "kylo:kylo:cckm:aws-key:baf58871-2503-4d13-a84a-339aeb8fdfaf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T06:35:42.443457Z",
"updatedAt": "2020-11-05T06:54:46.590542851Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T06:38:27.581643Z",
"rotation_status": "",
"cloud_name": "aws",
"key_users": [
    "arn:aws:iam::123456789012:user/user2"
],
"key_type": "symmetric",
"basic_view_enabled": true,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "native",
"aws_param": {
    "AWSAccountId": "123456789012",
    "Arn": "arn:aws:kms:ap-south-1:123456789012:key/623321f4-a7d4-4d52-89bf-a9f26a29360e",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "Description": "key-description",
    "Enabled": true,
    "EncryptionAlgorithms": [
        "SYMMETRIC_DEFAULT"
    ],
    "KeyID": "623321f4-a7d4-4d52-89bf-a9f26a29360e",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "AWS_KMS",
    "CreationDate": "2020-11-05T06:35:29Z",
    "Policy": {
        "Id": "key-consolepolicy-3",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM UserName Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::123456789012:root"
                    ]
                },
                "Action": [
                    "kms:*"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::123456789012:user/user2"
                    ]
                },
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow attachment of persistent resources",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::123456789012:user/user2"
                    ]
                },
                "Action": [
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant"
                ],
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "kms:GrantIsForAWSResource": "true"
                    }
                }
            }
        ]
    },
    "Alias": [
        "alias/aws-test-key"
    ],
    "Tags": [
        {
            "TagKey": "key",
            "TagValue": "value"
        }
    ],
    "KeyRotationEnabled": true
}
}

The sample output shows that Key User (user2) is added and based on the assigned permissions, the Key User(user2) can perform cryptographic operations on the AWS KMS.

To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.

Response Codes

Response CodeDescription
2xxSuccess
4xxClient errors
5xxServer errors

Refer to HTTP status codes for details.