Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Key Life Cycle Management APIs

Importing Key Material to AWS KMS

search

Please Note:

Importing Key Material to AWS KMS

Use the post /v1/cckm/aws/keys/{id}/import-material API to import the key material to the AWS KMS.

Syntax

curl -k '<IP>/api/v1/cckm/aws/keys/{id}/import-material' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "source_key_tier": "<source_key_tier>",\n  "source_key_identifier": "<source_key_identifier>",\n  "key_expiration": <boolean>,\n  "valid_to": "<key validity>"\n}' --compressed

Here, {id} represents the key material ID.

Request Parameters

ParameterTypeDescription
AUTHTOKENstringAuthorization token.
key_expirationbooleanFlag to disable encryption on the key which is getting rotated.
source_key_tierstringTier of the source. Possible options are:
local for CipherTrust Manager (default)
dsm for Data Security Manager
external-cm for external CipherTrust Manager
hsm-luna for Luna HSM (FM-enabled Luna HSM is not supported as a key source)
source_key_identifier (Optional)stringThis is a mandatory field. It is optional only when the source_key_tier is local and the key is 256 bits AES key. If key material is re-imported, AWS allows only the re-import of the same key material. Therefore, it is mandatory to provide the source key identifier of the same key that was imported previously.
valid_tostringKey expiration time of the newly rotated key, must be formatted as per RFC3339.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/40387a72-6e24-4cdd-8840-b586757c44bf/import-material' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNWMwZGJlNC1lMmJmLTQ3M2MtODY4MC01NWVkMWIzMDEzMmEiLCJzdWIiOiJsb2NhbHxhNjdjMzc0OC05YTRiLTRhZGQtYjNkOS0wNTRiYTIwYmUzYWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDhkNDI5ZjktNDgzYi00ODdlLWJjOTQtNGE1Mjc2ZDI2ZjZjIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjkxZGNhYjVkLWJmNDktNDk1Yi1iM2YyLWQ5ZjlkOGU5MDQ5MyIsImlhdCI6MTYwNDU1OTY0OCwiZXhwIjoxNjA0NTU5OTQ4fQ.j_7biN5YJm188ZzU-IMDsTxJ3X57GbzkOxunP4XE6J0' -H 'Content-Type: application/json' --data-binary $'{\n  "source_key_identifier": "test-key",\n  "key_expiration": true,\n  "valid_to": "2020-12-04T06:51:18.505860192Z"\n}' --compressed

Example Response

{
"id": "40387a72-6e24-4cdd-8840-b586757c44bf",
"uri": "kylo:kylo:cckm:aws-key:40387a72-6e24-4cdd-8840-b586757c44bf",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-05T07:01:48.965088Z",
"updatedAt": "2020-11-05T07:02:26.388806901Z",
"kms_id": "0b90f8de-8617-498d-ad63-ca18eb717ae7",
"kms": "kms",
"synced_at": "2020-11-05T07:01:48.959221Z",
"rotation_status": "",
"local_key_id": "361d928ac7e340d093e7d231c80ca934acc62528601647ce86a219c9a82f4f93",
"local_key_name": "test-key",
"cloud_name": "aws",
"key_type": "symmetric",
"basic_view_enabled": false,
"region": "ap-south-1",
"gone": false,
"key_material_origin": "cckm",
"aws_param": {
    "AWSAccountId": "123456789012",
    "Arn": "arn:aws:kms:ap-south-1:123456789012:key/031c5703-aaf7-425e-a141-7e0c6f5886ab",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "Enabled": true,
    "EncryptionAlgorithms": [
        "SYMMETRIC_DEFAULT"
    ],
    "KeyID": "031c5703-aaf7-425e-a141-7e0c6f5886ab",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "EXTERNAL",
    "CreationDate": "2020-11-05T07:01:36Z",
    "Policy": {
        "Id": "key-default-1",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Action": "kms:*",
                "Effect": "Allow",
                "Resource": "*",
                "Principal": {
                    "AWS": "arn:aws:iam::123456789012:root"
                }
            }
        ]
    },
    "Alias": [
        "alias/aws-test-key-External"
    ],
    "Tags": [
        {
            "TagKey": "key",
            "TagValue": "value"
        }
    ],
    "ValidTo": "2020-12-04T06:51:18.505860192Z",
    "KeyRotationEnabled": false,
    "ExpirationModel": "KEY_MATERIAL_EXPIRES"
}
}

The sample output shows that the key material is imported to the AWS KMS. As the key is not created on the AWS KMS, its origin is EXTERNAL. A unique ID (40387a72-6e24-4cdd-8840-b586757c44bf) for the imported key is returned.

To know more about response parameters, refer to Response Parameters of Key Life Cycle Management APIs.

Response Codes

Response CodeDescription
2xxSuccess
4xxClient errors
5xxServer errors

Refer to HTTP status codes for details.

On this page