Your suggested change has been received. Thank you.

Suggest A Change

Please Note:

Reference
PFMigrate Utility
CCKM API
- Overview
- RESTful APIs
- AWS APIs
  - AWS Custom Key Store APIs
  - AWS KMS Management APIs
  - Key Life Cycle Management APIs
    - Creating AWS Keys on CCKM
    - Fetching List of AWS Keys
    - Viewing Details of AWS Keys
    - Deleting AWS Keys from CCKM
    - Downloading Keys Created on AWS to CCKM
    - Viewing Synchronization Status
    - Aborting Synchronization Jobs
    - Viewing Details of Synchronization Jobs
    - Uploading Keys to AWS KMS
    - Importing Key Material to AWS KMS
    - Deleting Imported Key Material
    - Scheduling Key Deletion
    - Canceling Deletion of Keys
    - Updating Key Policy
    - Updating Key Description
    - Enabling AWS Keys
    - Disabling AWS Keys
    - Adding Tags to AWS Keys
    - Removing Tags from AWS Keys
    - Adding Alias to AWS Keys
    - Deleting Alias from AWS Keys
    - Verifying Alias on AWS KMS
    - Enabling Key for Rotation Job
    - Disabling Key for Rotation Job
    - Enabling Automatic Key Rotation
    - Disabling Automatic Key Rotation
    - Rotating Keys on AWS KMS
    - Replicating Multi-Region AWS Keys
    - Changing the Primary Key of a Multi-Region AWS Key
    - Creating a Bulk Job
    - Viewing the List of Bulk Jobs
    - Viewing Details of a Bulk Job
    - Canceling a Bulk Job
  - Policy Template Management APIs
  - AWS Reports APIs
  - Response Parameters of AWS KMS Management APIs
  - Response Parameters of Key Life Cycle Management APIs
- Azure APIs
  - Subscription APIs
  - Vault Management APIs
  - Key Life Cycle Management APIs
    - Creating Azure Keys
    - Fetching List of Azure Keys
    - Viewing Details of Azure Keys
    - Updating Key Parameters
    - Deleting Keys from CCKM
    - Soft-Deleting Azure Keys
    - Purging Azure Keys
    - Uploading Keys to Azure Key Vault
    - Downloading Keys Created on Azure Vault to CCKM
    - Viewing Synchronization Status
    - Viewing Details of Synchronization Jobs
    - Aborting Synchronization Jobs
    - Enabling Key for Rotation Job
    - Disabling Key for Rotation Job
  - Azure Secrets Management APIs
    - Creating Azure Secrets
    - Fetching List of Azure Secrets
    - Viewing Details of Azure Secrets
    - Updating Attributes of Azure Secrets
    - Deleting Azure Secrets with Backup from CCKM
    - Soft-Deleting Azure Secrets
    - Recovering Soft-Deleted Azure Secrets
    - Purging Azure Secrets
    - Restoring Deleted Azure Secrets
    - Synchronizing Azure Secrets
    - Viewing Synchronization Status
    - Viewing Details of Synchronization Jobs
    - Canceling Synchronization Jobs
  - Azure Certificates Management APIs
    - Creating Azure Certificates
    - Fetching List of Azure Certificates
    - Viewing Details of Azure Certificates
    - Updating Attributes of Azure Certificates
    - Deleting Azure Certificates with Backup from CCKM
    - Soft-Deleting Azure Certificates
    - Recovering Soft-Deleted Azure Certificates
    - Purging Azure Certificates
    - Restoring Deleted Azure Certificates
    - Synchronizing Azure Certificates
    - Viewing Synchronization Status
    - Viewing Details of Synchronization Jobs
    - Canceling Synchronization Jobs
    - Importing Azure Certificates
  - Disaster Management APIs
  - Azure Reports APIs
  - Response Parameters of Azure Vault Management APIs
  - Response Parameters of Key Life Cycle Management APIs
- Luna HSM APIs
  - Luna HSM Partition APIs
  - Luna HSM Key APIs
- DSM APIs
  - DSM Domain APIs
    - Getting DSM Domains
    - Adding DSM Domains
    - Viewing DSM Domains
    - Viewing Details of a DSM Domain
    - Changing Connection of a DSM Domain
    - Deleting a DSM Domain
    - Granting Permissions to Users or Groups
  - DSM Key APIs
    - Creating a DSM Key
    - Viewing DSM Keys
    - Getting Details of a DSM Key
    - Deleting a DSM Key from CCKM
    - Deleting a Key from DSM
    - Refreshing DSM Domains
    - Getting Refresh Status of DSM Domains
    - Getting Details of a Domain Refresh
    - Canceling a Domain Refresh
- Google Cloud APIs
  - Google Cloud Project APIs
    - Fetching a Project from Google Cloud
    - Viewing Google Cloud Projects
    - Adding Google Cloud Projects
    - Viewing Details of a Google Cloud Project
    - Granting Permissions to Users or Groups in a Google Cloud Project
    - Deleting a Google Cloud Project
    - Updating a Google Cloud Project
  - Google Cloud Key Ring APIs
    - Getting Google Cloud Key Rings
    - Adding Google Cloud Key Rings
    - Listing Google Cloud Key Rings
    - Viewing Details of a Google Cloud Key Ring
    - Updating a Google Cloud Key Ring
    - Granting Permissions to Users or Groups
    - Deleting Google Cloud Key Rings
  - Google Cloud Key APIs
    - Creating a Google Cloud Key
    - Viewing Google Cloud Keys
    - Getting Details of a Google Cloud Key
    - Updating a Google Cloud Key
    - Viewing Versions of a Google Cloud Key
    - Adding a Version to a Google Cloud Key
    - Viewing Details of a Google Cloud Key Version
    - Refreshing Details of a Google Cloud Key Version
    - Refreshing Details of Google Cloud Key and All Its Versions
    - Updating All Versions of a Google Cloud Key
    - Viewing Details of an Update All Versions Operation
    - Enabling a Version of a Google Cloud Key
    - Disabling a Version of a Google Cloud Key
    - Scheduling Destruction of a Google Cloud Key Version
    - Canceling Scheduled Destruction of a Google Cloud Key Version
    - Downloading Public Key for an Asymmetric Version
    - Uploading a New Key to Google Cloud
    - Synchronizing Google Cloud Keys
    - Viewing Synchronization Status
    - Viewing Details of a Synchronization Job
    - Canceling a Synchronization Job
    - Enabling Auto Rotation of Google Cloud Keys
    - Disabling Auto Rotation of Google Cloud Keys
    - Viewing the IAM Policy Attached to a Key
    - Attaching an IAM Policy to a Key
    - Viewing the IAM Roles
  - Google Cloud Location API
  - Google Cloud Report APIs
- Google Cloud EKM APIs
- SAP APIs
  - SAP Applications API
  - SAP Groups APIs
    - Fetching List of Groups from SAP
    - Managing Permissions on SAP Users or Groups
    - Adding SAP Groups
    - Viewing SAP Groups Added to CipherTrust Manager
    - Viewing Details of SAP Groups
    - Updating Connection of SAP Groups
    - Deleting a SAP Group
  - SAP Keys APIs
    - Creating SAP Key
    - Fetching SAP Keys
    - Getting Details of a SAP Key
    - Updating SAP Key Attributes
    - Deleting a SAP Key Backup from CCKM
    - Deleting a Key from SAP
    - Deleting a SAP Key
    - Adding SAP Key Version
    - Viewing SAP Key Versions
    - Getting Details of a SAP Key Version
    - Synchronizing SAP Keys
    - Updating a SAP Key Version
    - Viewing Synchronization Status
    - Viewing the Job Status
    - Creating New Jobs
    - Uploading Keys to SAP
    - Viewing Synchronization Process Details
    - Canceling Synchronization
    - Enabling Auto Rotation of SAP Keys
    - Disabling Auto Rotation of SAP Keys
    - Creating a Dynamic Key Reference (DKR)
    - Viewing the List of DKRs
    - Getting Details of a DKR
    - Updating Details of a DKR
    - Deleting a DKR from CCKM
    - Deleting a DKR from SAP
  - SAP Reports APIs
- Salesforce APIs
  - Salesforce Organization APIs
    - Getting Salesforce Organizations
    - Adding Salesforce Organizations
    - Listing Salesforce Organizations
    - Viewing Details of a Salesforce Organization
    - Updating a Salesforce Organization
    - Granting Permissions to Users or Groups
    - Deleting Salesforce Organizations
  - Salesforce Tenant Secret APIs
    - Creating a Salesforce Tenant Secret
    - Viewing Salesforce Tenant Secrets
    - Getting Details of a Salesforce Tenant Secret
    - Destroying a Salesforce Tenant Secret
    - Synchronizing Tenant Secrets
    - Importing a Tenant Secret
    - Viewing Synchronizing Status
    - Viewing Details of a Synchronization Job
    - Canceling a Synchronization Job
    - Uploading Salesforce Tenant Secrets
    - Deleting Backup of a Salesforce Tenant Secret
    - Activate a Cache-Only Key
    - Fetching a Salesforce Cache-Only Key for a Given Identifier
    - Updating a Salesforce Cache-Only Key
    - Uploading a Salesforce Cache-Only Key
  - Salesforce Reports APIs
  - Salesforce Cache Only Key Endpoints APIs
  - Salesforce Cloud Certificates APIs
  - Salesforce Named Credentials APIs
- Oracle Cloud APIs
  - OCI Vaults APIs
    - Fetching List of OCI Vaults from Oracle
    - Adding OCI Vaults
    - Viewing OCI Vaults Added to CipherTrust Manager
    - Viewing Details of OCI Vaults
    - Managing Permissions on OCI Users or Groups
    - Deleting OCI Vaults
    - Updating Connection of OCI Vaults
  - OCI Keys APIs
    - Creating OCI Keys
    - Fetching OCI Keys
    - Getting Details of an OCI Key
    - Updating OCI Key Attributes
    - Deleting an OCI Key
    - Canceling Deletion of an OCI Key
    - Deleting an OCI Key Backup from CCKM
    - Restoring a Deleted OCI Key
    - Scheduling Deletion of an OCI Key
    - Adding OCI Key Version
    - Viewing OCI Key Versions
    - Getting Details of an OCI Key Version
    - Scheduling Deletion of an OCI Key Version
    - Canceling Scheduled Deletion of an OCI Key Version
    - Uploading Keys to OCI
    - Synchronizing OCI Keys
    - Viewing Synchronization Status
    - Viewing Synchronization Process Details
    - Canceling Synchronization
    - Changing the Compartment of an OCI Key
    - Disabling an OCI Key
    - Enabling an OCI Key
    - Refreshing an OCI Key
    - Enabling Auto Rotation of OCI Keys
    - Disabling Auto Rotation of OCI Keys
  - OCI Subscribed Regions API
  - OCI Compartments API
  - OCI Reports APIs
- OCI External APIs
  - Issuers APIs
    - Creating an Issuer
    - Returning a List of Issuers
    - Viewing Details of an Issuer
    - Updating Issuers
    - Deleting Issuers
  - External Vaults APIs
    - Creating an External vault
    - Blocking Access to External Vaults
    - Unblocking Access to External vaults
  - External Keys APIs
    - Creating an External Key
    - Blocking Access to External keys
    - Unblocking Access to External keys
  - OCI Invoked APIs
    - Fetching the Metadata of External Vaults
    - Fetching the Metadata of External Keys
    - Fetching the Metadata of a Version of External Keys
    - Encrypting Data Using External Keys
    - Decrypting Data Using External Keys
    - Generating Random Bytes
- CipherTrust Manager as External Keystore APIs
  - External CipherTrust Manager Domain APIs
    - Getting external CipherTrust Manager Domains
    - Adding External CipherTrust Manager Domains
    - Viewing External CipherTrust Manager Domains
    - Viewing Details of an External CipherTrust Manager Domain
    - Changing Connection of an External CipherTrust Manager Domain
    - Deleting an External CipherTrust Manager Domain
    - Granting Permissions to Users or Groups
  - External CipherTrust Manager Key APIs
    - Creating an External CipherTrust Manager Key
    - Viewing External CipherTrust Manager Keys
    - Getting Details of an External CipherTrust Manager Key
    - Deleting an External CipherTrust Manager Key from CCKM
    - Deleting a Key from External CipherTrust Manager
    - Creating a New Version of External CipherTrust Manager Key
    - Viewing External CipherTrust Manager Key Versions
    - Refreshing External CipherTrust Manager Domains
    - Getting Refresh Status of External CipherTrust Manager Domains
    - Getting Details of a Domain Refresh
    - Canceling a Domain Refresh
- Key Material Export and Upload
- Scheduler APIs
  - Scheduling Synchronization
  - Scheduling Key Rotation
  - Scheduling Rotation
  - Response Parameters
- Google Workspace CSE APIs
  - Creating an Issuer
  - Viewing Issuers
  - Viewing Details of an Issuer
  - Deleting an Issuer
  - Creating KACLS Endpoints
  - Viewing KACLS Endpoints
  - Viewing Details of a KACLS Endpoint
  - Updating a KACLS Endpoint
  - Disabling a KACLS Endpoint
  - Enabling a KACLS Endpoint
  - Archiving a KACLS Endpoint
  - Recovering a KACLS Endpoint
  - Deleting a KACLS Endpoint
  - Rotating Endpoint Keys (rotate-key)
  - Viewing KACLS Endpoint Perimeters
  - Updating a KACLS Endpoint Perimeter
  - Encrypting Private Keys (wrapprivatekey)
  - Google Invoked APIs
    - Encrypting Data Encryption Keys (wrap)
    - Decrypting Data Encryption Keys (unwrap)
    - Decrypting and Downloading Document (privilegedunwrap)
    - Viewing the KACLS Endpoint Status
    - Signing Private Keys (privatekeysign)
    - Decrypting Content Encryption Keys (privatekeydecrypt)
    - Decrypting and Downloading Gmail Message (privilegedprivatekeydecrypt)
DDC Architecture Guidelines
DDC GLASS Reference
DDC ELK Reference
KMIP Reference
Server Audit Record Reference
- KMIP Errors
- Key Errors
- Certificate Errors
- SNMP Errors
- SMTP Errors
- LDAP Errors
- Authentication Errors
- NAE Errors
- Clustering Errors
- HSM Errors
- Backup and Restore Errors
- General Errors
NAE-XML Interface Development
- Starting an XML Session
- NAE Client Registration
- User Requests
- User Group Requests
- Key Management Operations
- Importing, Exporting, and Replicating Keys
- Secret Management Operations
- Certificate and CA Requests
- Cryptographic Operations
- Logging
- Error Messages
- Supported Key Algorithms
- Differences Between Key Managers

Viewing the IAM Roles

Use the post /v1/cckm/google/get-iam-roles API to get the list of IAM roles that can be granted to a Google Cloud key.

Syntax

curl -k '<IP>/api/v1/cckm/google/get-iam-roles' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "key_id": "<key-id>"\n}' --compressed

Request Parameters

Parameter	Type	Description
AUTHTOKEN	string	Authorization token.
key_id	string	Resource ID of the Google Cloud key on the CipherTrust Manager.

Example Request

curl -k 'https://127.0.0.1/api/v1/cckm/google/get-iam-roles' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIyYTNhODM5Ny1hNzg3LTQ0NzctOGE0MS1jODA0MjAyYTdiMzIiLCJzdWIiOiJsb2NhbHw1NWU1NzQ1OC1kNWU0LTQ2OTUtOWEwOC1mYTNjZGUzNzAyNWEiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJjbGllbnRfaWQiOiI4MzdjODQwZC03NWRkLTRiNGYtYTMxOC03OWNiMTZjYTI0OGQiLCJjbGllbnRfbmFtZSI6ImFwaS1wbGF5Z3JvdW5kIiwiY2xpZW50X3R5cGUiOiJwdWJsaWMiLCJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMjZiODdkZTAtZTYxZS00MTFmLTg0NDMtZTNkNzA0YTI2ZmJhIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjgwOTcyNWZiLTMwM2MtNGFkMC05M2EyLTI0YzZkMDUwNWVlZiIsImlhdCI6MTY4NTQ0MjQzMiwiZXhwIjoxNjg1NDQyNzMyfQ.q23aSRM3Qf1Kzu0Bi5tYFTU44FOcVKWUVQOqfwzVe6Q' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "key_id": "2f18eade-2fd9-4c48-85f7-550107729299"\n}' --compressed

Example Response

{
    "roles": [
        {
            "description": "Enables management of crypto resources.",
            "name": "roles/cloudkms.admin",
            "title": "Cloud KMS Admin"
        },
        {
            "description": "Enables Decrypt operations",
            "name": "roles/cloudkms.cryptoKeyDecrypter",
            "title": "Cloud KMS CryptoKey Decrypter"
        },
        {
            "description": "Enables Decrypt operations via other GCP services",
            "name": "roles/cloudkms.cryptoKeyDecrypterViaDelegation",
            "title": "Cloud KMS CryptoKey Decrypter Via Delegation"
        },
        {
            "description": "Enables Encrypt operations",
            "name": "roles/cloudkms.cryptoKeyEncrypter",
            "title": "Cloud KMS CryptoKey Encrypter"
        },
        {
            "description": "Created on: 2020-12-10",
            "etag": "BwXO2Ui2+EY=",
            "name": "projects/gemalto-kyloeng/roles/KMSAPIAdmin",
            "title": "KMS_API Admin"
        }
    ]
}

The output shows the IAM roles that can be granted to a Google Cloud key.

Response Codes

Response Code	Description
2xx	Success
4xx	Client errors
5xx	Server errors

Refer to HTTP status codes for details.