Enabling Auto Rotation of Google Cloud Keys
Use the POST /v1/cckm/google/keys/{id}/enable-auto-rotation API to enable auto rotation of the Google Cloud key with the given ID.
Syntax
curl -k 'https://<IP>/api/v1/cckm/google/keys/{id}/enable-auto-rotation' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the resource ID of the Google Cloud key for which automatic key rotation is to be enabled.
Request Parameters
| Parameter | Type | Description | 
|---|---|---|
| AUTHTOKEN | string | Authorization token. | 
| auto_rotate_algorithm | string | Algorithm for automatic key rotation. The algorithm can be: • RSA_SIGN_PSS_2048_SHA256 • RSA_SIGN_PSS_3072_SHA256 • RSA_SIGN_PSS_4096_SHA256 • RSA_SIGN_PSS_4096_SHA512 • RSA_SIGN_PKCS1_2048_SHA256 • RSA_SIGN_PKCS1_3072_SHA256 • RSA_SIGN_PKCS1_4096_SHA256 • RSA_SIGN_PKCS1_4096_SHA512 • RSA_DECRYPT_OAEP_2048_SHA256 • RSA_DECRYPT_OAEP_3072_SHA256 • RSA_DECRYPT_OAEP_4096_SHA256 • RSA_DECRYPT_OAEP_4096_SHA512 • EC_SIGN_P256_SHA256 • EC_SIGN_P384_SHA384 • EC_SIGN_SECP256K1_SHA256 (Only for protection level, HSM) • GOOGLE_SYMMETRIC_ENCRYPTION • HMAC_SHA256 | 
| auto_rotate_key_source | string | Source of key material for the new Google Cloud key. The options are: • native • hsm-luna (FM-enabled Luna HSM is not supported as a key source) • dsm • external-cm • ciphertrust | 
| job_config_id | string | ID of the key rotation scheduler job. | 
| auto_rotate_domain_id | string | (DSM keys only) ID of the domain in which the DSM key will be created. Specify this when auto_rotate_key_source is dsm. | 
| auto_rotate_external_cm_domain_id | string | (External CipherTrust Manager keys only) ID of the external CipherTrust Manager domain in which the external CipherTrust Manager key will be created. Specify this when auto_rotate_key_source is external-cm. | 
| auto_rotate_partition_id | string | (Luna HSM keys only) ID of the partition in which the HSM key will be created. Specify this when auto_rotate_key_source is hsm-luna. | 
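The constraints in the table above can be checked before a request is sent. The following Python helper is an added example, not part of the original page or the product's own code. It assumes the parameters travel as a JSON request body (the page does not show the body) and that the caller supplies the key's protection level; `build_auto_rotation_body` and its argument names are hypothetical.

```python
import json

# Allowed values, copied from the Request Parameters table on this page.
_RSA_USES = ("SIGN_PSS", "SIGN_PKCS1", "DECRYPT_OAEP")
ALGORITHMS = (
    {f"RSA_{u}_{bits}_SHA256" for u in _RSA_USES for bits in (2048, 3072, 4096)}
    | {f"RSA_{u}_4096_SHA512" for u in _RSA_USES}
    | {"EC_SIGN_P256_SHA256", "EC_SIGN_P384_SHA384", "EC_SIGN_SECP256K1_SHA256",
       "GOOGLE_SYMMETRIC_ENCRYPTION", "HMAC_SHA256"}
)
# Key source -> the extra ID parameter the table ties to it (None = no extra ID).
SOURCE_ID_PARAM = {
    "native": None,
    "ciphertrust": None,
    "hsm-luna": "auto_rotate_partition_id",
    "dsm": "auto_rotate_domain_id",
    "external-cm": "auto_rotate_external_cm_domain_id",
}


def build_auto_rotation_body(key_source, job_config_id, algorithm=None,
                             protection_level=None, **source_ids):
    """Return the JSON body (assumed format) or raise ValueError on a rule violation."""
    if key_source not in SOURCE_ID_PARAM:
        raise ValueError(f"unknown auto_rotate_key_source: {key_source!r}")
    body = {"auto_rotate_key_source": key_source, "job_config_id": job_config_id}

    if algorithm is not None:
        if algorithm not in ALGORITHMS:
            raise ValueError(f"unknown auto_rotate_algorithm: {algorithm!r}")
        # The table restricts this curve to keys with protection level HSM.
        if algorithm == "EC_SIGN_SECP256K1_SHA256" and protection_level != "HSM":
            raise ValueError("EC_SIGN_SECP256K1_SHA256 requires protection level HSM")
        body["auto_rotate_algorithm"] = algorithm

    required = SOURCE_ID_PARAM[key_source]
    for name in source_ids:
        # Reject IDs that belong to a different key source (or are misspelled).
        if name != required:
            raise ValueError(f"{name} does not apply to key source {key_source!r}")
    if required is not None:
        if not source_ids.get(required):
            raise ValueError(f"{required} is required when key source is {key_source!r}")
        body[required] = source_ids[required]
    return json.dumps(body, sort_keys=True)
```

The protection level to pass in is the value reported as `gcp_params.protectionLevel` for the key, as in the example response on this page.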
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/google/keys/ecc73bfb-7605-4263-abb8-84fe431d35fb/enable-auto-rotation' -X POST -H 'Authorization: Bearer AUTHTOKEN' --compressed
Example Response
{
    "id": "ecc73bfb-7605-4263-abb8-84fe431d35fb",
    "uri": "kylo:kylo:cckm:gcp-key-versions:35feef15-83c5-44a8-8b84-946575ced214",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2021-07-09T07:43:34.555549Z",
    "labels": {
        "auto_rotate_algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
        "auto_rotate_key_source": "ciphertrust",
        "job_config_id": "1491da7c-ca51-4925-ab1b-779f83d0fd73"
    },
    "updatedAt": "2021-07-09T09:15:34.571392Z",
    "cloud_name": "gcp",
    "key_id": "TestKey",
    "project_id": "cckm",
    "location_id": "global",
    "key_ring_id": "Cckm-test",
    "key_ring_name": "projects/cckm/locations/global/keyRings/demo-key-ring",
    "gone": false,
    "auto_rotate": true,
    "status": "AVAILABLE",
    "create_status": "AVAILABLE",
    "gcp_cloud_resource_name": "projects/cckm/locations/global/keyRings/demo-key-ring/cryptoKeys/TestKey",
    "gcp_params": {
        "name": "projects/cckm/locations/global/keyRings/demo-key-ring/cryptoKeys/TestKey",
        "primary": "projects/cckm/locations/global/keyRings/demo-key-ring/cryptoKeys/TestKey/cryptoKeyVersions/2",
        "createTime": "2021-07-09T07:45:16.366376Z",
        "labels": {
            "isakey": "yes"
        },
        "purpose": "ENCRYPT_DECRYPT",
        "next_rotation_time": null,
        "protectionLevel": "SOFTWARE",
        "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"
    },
    "organization_name": "organizations/123456789012",
    "organization_display_name": "123456789012"
}
The sample output shows details such as the key material origin and algorithm for automatic rotation of the specified Google Cloud key.
Response Codes
| Response Code | Description | 
|---|---|
| 2xx | Success | 
| 4xx | Client errors | 
| 5xx | Server errors | 
Refer to HTTP status codes for details.