Introduction
IBM® Key Protect for IBM Cloud® helps you provision encrypted keys for apps across IBM Cloud. As you manage the lifecycle of your keys, you can benefit from knowing that your keys are secured by cloud-based FIPS 140-2 Level 3 hardware security modules (HSMs) that protect against the theft of information.
Key Protect provides a REST API that you can use with any programming language to store, retrieve, and generate encryption keys. For details about using Key Protect, see the IBM Cloud docs.
API endpoint
https://<region>.kms.cloud.ibm.com
Replace <region> with the prefix that represents the geographic area where
your Key Protect service instance resides.
For more information, see
Regions and locations.
The code examples on this tab use the client library that is provided for Go.
go get -u github.com/IBM/keyprotect-go-client
GitHub:
The code examples on this tab use the client library that is provided for NodeJS.
npm install @ibm-cloud/ibm-key-protect
GitHub:
The code examples on this tab use the client library that is provided for Python.
pip install -U keyprotect
GitHub:
The code examples on this tab use the client library that is provided for Java.
git clone https://github.com/IBM/keyprotect-java-client
cd keyprotect-java-client
mvn install
GitHub:
Authentication
To call each method, you'll need to be assigned a role that includes the required IAM actions. Each method lists the associated action. For more information about IAM actions and how they map to roles, see Managing access for Key Protect.
To work with the API, authenticate your app or service by including your IBM Cloud IAM access token and instance ID in API requests.
You can build your API request by pairing a
service endpoint
with your authentication credentials. For example, if you created a
Key Protect service instance for the
us-south region, use the following endpoint and API headers to browse keys in
your service:
curl -X GET \
https://us-south.kms.cloud.ibm.com/api/v2/keys \
-H "accept: application/vnd.ibm.collection+json" \
-H "authorization: Bearer <access_token>" \
-H "bluemix-instance: <instance_ID>"
Replace <access_token> with your Cloud IAM token, and <instance_ID> with the
IBM Cloud instance ID that identifies your
Key Protect service instance.
You can retrieve an access token by first creating an API key, and then exchanging your API key for a Cloud IAM token. For more information, see Retrieving an access token programmatically.
To find out more about setting up the Key Protect API, see Accessing the API.
IBM Cloud Identity and Access Management (IAM) is the primary method to
authenticate to the Key Protect API. The SDK
provides client config initialization method in which you will need to replace
<key_protect_url> with the appropriate service endpoint,
the <api_key> with the API key
associated with your application, and <instance_ID> with the IBM Cloud
instance ID that identifies your Key Protect
service instance.
The value kp.DefaultTokenURL for TokenURL defaults to the IAM production URL,
but you may need to alter the value to be associated with virtual private networks.
Use the client config options in the method to create a new
Key Protect client. The method handles the
authentication procedure with the provided API_KEY.
IBM Cloud Identity and Access Management (IAM) is the primary method to authenticate to the Key Protect API. The SDK provides a client config setup in which you will need to export environment variables to match the IBMCLOUD_API_KEY term with the API key associated with your service credentials, another term, IAM_AUTH_URL with the appropriate URL like 'https://iam.cloud.ibm.com/identity/token', another term, KP_SERVICE_URL with the endpoint, including the region, such as https://us-south.kms.cloud.ibm.com, and KP_INSTANCE_ID with the IBM Cloud instance ID that identifies your Key Protect service instance.
To retrieve your instance ID:
ibmcloud resource service-instance <instance_name> --output JSON
IBM Cloud Identity and Access Management (IAM) is the primary method to
authenticate to the Key Protect API. The SDK
provides a client config setup in which you will need to replace the
IBMCLOUD_API_KEY with the API key associated with your application, and
KP_INSTANCE_ID with the IBM Cloud instance ID that identifies your
Key Protect service instance.
IBM Cloud Identity and Access Management (IAM) is the primary method to
authenticate to the Key Protect API. The SDK
provides a client config setup in which you will need to replace the
IBMCLOUD_API_KEY with the API key associated with your application, and
KP_INSTANCE_ID with the IBM Cloud instance ID that identifies your
Key Protect service instance.
IBM Cloud Identity and Access Management (IAM) is the primary method to
authenticate to the Key Protect API.
The SDK provides a client config setup in which you will need to replace the
IAM_API_KEY with the API key associated with your application, IAM_AUTH_URL
with your Cloud IAM token,KEY_PROTECT_URL with a service endpoint, and
INSTANCE_ID with the IBM Cloud instance ID that identifies your
Key Protect service instance.
To retrieve your access token:
curl -X POST https://iam.cloud.ibm.com/identity/token -H "accept: application/json" -H "content-type: application/x-www-form-urlencoded" -d "grant_type=urn%3Aibm%3Aparams%3Aoauth%3Agrant-type%3Aapikey&apikey=<API_KEY>" > token.json
Replace <API_KEY> with your
service credentials.
Then use the full access_token value, prefixed by the _Bearer_token type, to
authenticate your API requests.
To retrieve your instance ID:
ibmcloud resource service-instance <instance_name> --output JSON
Replace <instance_name> with the unique alias that you assigned to your
Key Protect service instance. The GUID
value in the JSON output represents the instance ID for the service.
To authenticate to Key Protect API:
import (
"context"
"encoding/json"
"fmt"
kp "github.com/IBM/keyprotect-go-client"
)
func getConfigAPIKey() kp.ClientConfig {
return kp.ClientConfig{
BaseURL: <key_protect_url>,
APIKey: <api_key>,
TokenURL: kp.DefaultTokenURL,
InstanceID: <instance_ID>,
Verbose: kp.VerboseFailOnly,
}
}
func main() {
options := getConfigAPIKey()
api, err := kp.New(options, kp.DefaultTransport())
if err != nil {
fmt.Println("Error creating kp client")
return
}
}
To access the API through your service endpoint, you will need to use the following format.
API endpoint format:
https://<region>.kms.cloud.ibm.com
Replace <region> with the prefix that represents the geographic area where
your Key Protect service instance resides.
For more informaton, see
Regions and locations.
To retrieve your instance ID, run the following command using the CLI:
ibmcloud resource service-instance <instance_name> --output JSON
Replace <instance_name> with the unique alias that you assigned to your
Key Protect service instance. The GUID
value in the JSON output represents the <instance_ID> for the service.
To authenticate to Key Protect API:
const KeyProtectV2 = require('@ibm-cloud/ibm-key-protect/ibm-key-protect-api/v2');
const { IamAuthenticator } = require('@ibm-cloud/ibm-key-protect/auth');
// using external configuration of environment variables
const envConfigs = {
apiKey: process.env.IBMCLOUD_API_KEY,
iamAuthUrl: process.env.IAM_AUTH_URL,
serviceUrl: process.env.KP_SERVICE_URL,
bluemixInstance: process.env.KP_INSTANCE_ID,
};
// Create an IAM authenticator.
const authenticator = new IamAuthenticator({
apikey: envConfigs.apiKey,
url: envConfigs.iamAuthUrl,
});
// Construct the service client.
const keyProtectClient = new KeyProtectV2({
authenticator,
serviceUrl: envConfigs.serviceUrl,
});
For more information on the regional endpoint where your data can be accessed, see Regions and locations.
To authenticate to Key Protect API:
import os
import keyprotect
from keyprotect import bxauth
tm = bxauth.TokenManager(api_key=os.getenv("<IBMCLOUD_API_KEY>"))
kp = keyprotect.Client(
credentials=tm,
region="<region>",
service_instance_id=os.getenv("<KP_INSTANCE_ID>")
)
Replace <IBMCLOUD_API_KEY> with your
service credentials.
Replace <KP_INSTANCE_ID> with the UUID that identifies your
Key Protect instance.
To retrieve your instance ID:
ibmcloud resource service-instance <instance_name> --output JSON
Replace <region> with the prefix that represents the geographic area where
your Key Protect service instance resides.
For more information, see
Regions and locations.
To authenticate to Key Protect API:
import com.ibm.cloud.ibm_key_protect_api.v2.IbmKeyProtectApi;
import com.ibm.cloud.ibm_key_protect_api.v2.model.*;
import com.ibm.cloud.sdk.core.http.Response;
import com.ibm.cloud.sdk.core.security.*;
public class KPClient {
private static IbmKeyProtectApi testClient;
public static void main(String[] args) {
IamAuthenticator authenticator = new IamAuthenticator("<IAM_API_KEY>");
authenticator.setURL("<IAM_AUTH_URL>");
authenticator.validate();
testClient = new IbmKeyProtectApi("<INSTANCE_ID>", authenticator);
testClient.setServiceUrl("<KEY_PROTECT_URL>");
}
}
Replace <INSTANCE_ID> with the UUID that identifies your Key Protect instance.
Replace <IAM_API_KEY> with your service credentials.
Replace <IAM_AUTH_URL> with https://iam.cloud.ibm.com/identity/token.
Replace <KEY_PROTECT_URL> with the service endpoint for your instance that handles your requests.
To retrieve your instance ID, replace <instance_name> in the command as shown:
ibmcloud resource service-instance <instance_name> --output JSON
Your endpoint is specific to the geographic area where your Key Protect service instance resides. For more information, see Regions and locations.
Auditing
You can monitor API activity within your account. Whenever an API method is called, an event is generated that you can then track and audit. The specific event type is listed for each method that generates auditing events. For methods that don't list any events, no events are generated.
For more information about how to track Key Protect activity, see Auditing the events for Key Protect.
Error handling
The Key Protect service uses standard HTTP
response codes to indicate whether a method completed successfully. A 200
response always indicates success. A 400 type response is some sort of
failure, and a 500 type response usually indicates an internal system error.
| Status code | Description |
|---|---|
200 OK |
Everything worked as expected. |
201 OK |
Everything worked as expected; no content. |
400 Bad Request |
The request was unsuccessful; ensure no required parameters are missing. |
401 Unauthorized |
The parameters were valid but the request failed due insufficient permissions. |
404 Not Found |
The requested resource doesn't exist. |
410 Gone |
The requested resource was deleted and no longer exists. |
429 Too Many Requests |
Too many requests hit the API too quickly. |
500 Server Error |
Something went wrong on Key Protect's end. |
Metadata
When you create or store keys in Key Protect, you can attach key-value data to your resources for easy identification of your keys.
The name, description, and tag parameters are useful for storing
information on your resources. For example, you can store corresponding unique
identifiers from your app or system on a
Key Protect key.
To protect your privacy, do not store any personally identifiable information, such as your name or location, as metadata for your keys.
Pagination
Some API requests might return a large number of results. By specifying the
limit and offset parameters at query time, you can retrieve a subset of your
keys, starting with the offset value that you specify. For more information, see
Retrieving a subset of keys.
There are optional operations that can effect pagination and the resulting list of keys returned by the service. Some operations may still be in development, and will be listed as "Beta" while that is the case.
Search
When used, this operation performs a search, possibly limiting the number of keys returned. If you want to narrow the number of results returned by a search, try using one or a combination of the following values as a prefix for the term you wish to have searched:
not:when specified, inverts the logic the search uses (for example,not:foowill search for keys that have aliases or names that do not containfoo).escape:everything after this option is take as plaintext (example:escape:not:will search for keys that have an alias or name containing the substringnot:).exact:only looks for exact matches.alias:only looks for key aliases.name:only looks for key names.
The list of keys returned is sorted on id by default, if this parameter is not provided.
Sort
When used, this operation sorts the list of keys returned based on one or more key properties. The key properties that can be sorted at this time are:
idstateextractableimportedcreationDatelastUpdateDatelastRotateDatedeletionDateexpirationDate
The list of keys returned is sorted on id by default, if this parameter is not provided.
Rate Limiting
Rate limits for API requests are enforced on a per-service-instance basis. If the number of requests for a particular method and endpoint reaches the request limit within the specified time window, no further requests are accepted until the timer expires. After the timer expires, a new time window begins with the next accepted request.
An HTTP status code of 429 indicates that the rate limit has been exceeded.
Change log
Important changes, such as additions, updates, and breaking changes, are marked with a change notice in this reference.
New features will be initially released as "beta" implementations.
"Beta" means that the specification is subject to change, with limited support in different environments (from partial support to none at all, depending on the specifics), in order to test new features that are not yet stable for use in production environments.
As part of continued migration and improvement, the algorithmBitSize, algorithmMode,
algorithmType and algorithmMetadata fields are deprecated within the Key Protect API.
Key Protect announces several changes to both the structure and to particular names of certain events to better conform with IBM naming conventions.
The alias parameter in the event generated with a key alias added to a key at creation time is being moved from the response data section to the request data section.
Also, to better conform with IBM standards, the names of certain events are changing.
| Old event name | New event name |
|---|---|
| kms.secrets.eventack | kms.secrets-event.ack |
| kms.secrets.readmetadata | kms.secrets-metadata.read |
| kms.secrets.listkeyversions | kms.secrets-key-versions.list |
| kms.secrets.defaultalias | kms.secrets-alias.default |
| kms.secrets.createalias | kms.secrets-alias.create |
| kms.secrets.deletealias | kms.secrets-alias.delete |
| kms.importtoken.create | kms.import-token.create |
| kms.importtoken.default | kms.import-token.default |
| kms.importtoken.read | kms.import-token.read |
| kms.instancepolicies.write | kms.instance-policies.write |
| kms.instancepolicies.default | kms.instance-policies.default |
| kms.instancepolicies.read | kms.instance-policies.read |
| kms.instance.readallowedipport | kms.instance-allowed-ip-port.read |
| kms.instance.readipwhitelistport | kms.instance-ip-whitelist-port.read |
| kms.keyrings.create | kms.key-rings.create |
| kms.keyrings.delete | kms.key-rings.delete |
| kms.keyrings.list | kms.key-rings.list |
| kms.keyrings.default | kms.key-rings.default |
| kms.governance.configread | kms.governance-config.read |
Methods
Create a key
Creates a new key with specified key material.
Key Protect designates the resource as either a root key or a standard
key based on the extractable value that you specify. A successful
POST /keys operation adds the key to the service and returns the
details of the request in the response entity-body, if the Prefer header
is set to return=representation.
POST /api/v2/keys
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$Alters server behavior for POST or DELETE operations. A header with
return=minimalcauses the service to return only the key identifier as metadata. A header containingreturn=representationreturns both the key material and metadata in the response entity-body. If the key has been designated as a root key, the system cannot return the key material. Note: During POST operations, Key Protect may not immediately return the key material due to key generation time. To retrieve the key material, you can perform a subsequentGET /keys/{id}request.Allowable values: [
return=representation,return=minimal]Possible values: 14 ≤ length ≤ 21
The ID of the key ring that the specified key belongs to. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$Default:
default
The base request for creating a new key.
{
"metadata": {
"collectionType": "application/vnd.ibm.kms.key+json",
"collectionTotal": 1
},
"resources": [
{
"type": "application/vnd.ibm.kms.key+json",
"name": "Root-key",
"description": "A Key Protect key",
"extractable": false
}
]
}A collection of resources.
Possible values: number of items = 1
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.key+json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.key+json", "name": "Root-key", "description": "A Key Protect key", "extractable": false } ] }'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication // Method CreateKeyWithAliases supports creating key with aliases. To provide alias names pass array of strings to the method // otherwise pass nil. rootkey, err := api.CreateKeyWithAliases(context.Background(), <key_name>, <expiration_date>, <extractable>, <aliases>) if err != nil { fmt.Println("Error while creating key: ", err) return } b, _ := json.MarshalIndent(rootkey, "", " ") fmt.Println(string(b)) }
// Initialize the Key Protect client as specified in Authentication // Define the key parameters const body = { metadata: { collectionType: 'application/vnd.ibm.kms.key+json', collectionTotal: 1, }, resources: [ { type: 'application/vnd.ibm.kms.key+json', name: 'nodejsKey', extractable: false, }, ], }; const createParams = Object.assign({}, envConfigs); createParams.body = body; const response = keyProtectClient.createKey(createParams); const keyId = response.result.resources[0].id; console.log('Key created, id is: ' + keyId);
import os import keyprotect from keyprotect import bxauth # Initialize the Key Protect client as specified in Authentication key = kp.create(name="<key_name>") print("Created key '%s'" % key["id"])
// payload is null if not an imported key // payload should be base64 encoded string // notRootKey is false if this is a root key public static String createKey(String keyName, String keyDescription, String payload, boolean notRootKey) { InputStream inputstream = null; CreateKeyOptions createKeyOptionsModel = null; try { // build json format input stream JsonObjectBuilder resourceObjectBuilder = Json.createObjectBuilder() .add("name", keyName) .add("extractable", notRootKey) .add("description", keyDescription); // imported key if (payload != null) { resourceObjectBuilder.add("payload", payload); } JsonObjectBuilder jsonObjectBuilder = Json.createObjectBuilder() .add("metadata", Json.createObjectBuilder() .add("collectionType", "application/vnd.ibm.kms.key+json") .add("collectionTotal", 1)) .add("resources", Json.createArrayBuilder() .add(resourceObjectBuilder)); JsonObject jsonObject = jsonObjectBuilder.build(); inputstream = new ByteArrayInputStream(jsonObject.toString().getBytes()); createKeyOptionsModel = new CreateKeyOptions.Builder() .bluemixInstance("<instance_id>") .createKeyOneOf(inputstream) .prefer("return=representation") .build(); } catch(ClassCastException e) { System.out.println("Error: " + e.toString()); return "failed to create key"; } Response<Key> response = testClient.createKey(createKeyOptionsModel).execute(); List<KeyWithPayload> key = response.getResult().getResources(); return key.toString(); }
Response
Properties associated with a key response.
A collection of resources.
Possible values: number of items = 1
Status Code
The key was successfully created.
The key is missing a required field.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. Learn more.
There are three possible causes for HTTP 404 while trying to create a key, specifying a reason code (resouces[0].reasons[0].code) as follows:
KEY_RING_NOT_FOUND_ERR: The key cannot be created because the key ring does not exist. Note the default key ring name is "default."
INSTANCE_NOT_FOUND_ERR: The key cannot be created because the instance does not exist.
IMPORT_TOKEN_NOT_FOUND_ERR: The key cannot be created because the import token does not exist.
The import token that was used to encrypt this key has reached its
maxAllowedRetrievalsorexpirationDate, and it is no longer available for operations. To create a new import token, usePOST /import_token.In very rare cases, the import token may expire before its expiration time. Ensure that your client application is configured with a retry mechanism for catching and responding to
409conflict exceptions.KEY_ALIAS_QUOTA_ERR: The alias quota for this key has been reached.
KEY_ALIAS_NOT_UNIQUE_ERR: One or more aliases are already associated with a key in the instance.
KEY_CREATE_IMPORT_ACCESS_ERR: KeyCreateImportAccess instance policy is enabled. Key Protect only permits the creation or import of keys in your Key Protect instance that follow the key creation and import settings listed on the keyCreateImportAccess policy.
IMPORT_TOKEN_EXPIRED_ERR: The key cannot be created because the import token has expired.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.key+json", "id": "fadedbee-0000-0000-0000-1234567890ab", "name": "Root-key", "aliases": [ "alias-for-this-key" ], "description": "A Key Protect key", "state": 1, "extractable": false, "keyRingID": "default", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:key:fadedbee-0000-0000-0000-1234567890ab", "imported": false, "creationDate": "2000-03-21T00:00:00Z", "createdBy": "IBMid-0000000000", "algorithmType": "Deprecated", "algorithmMetadata": { "bitLength": "256", "mode": "Deprecated" }, "algorithmBitSize": 256, "algorithmMode": "Deprecated", "lastUpdateDate": "2000-03-21T00:00:00Z", "keyVersion": { "id": "fadedbee-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" }, "dualAuthDelete": { "enabled": true, "keySetForDeletion": true, "authExpiration": "2000-03-21T00:00:00Z" }, "deleted": false } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: The key is missing a required field." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. [Learn more](/docs/key-protect?topic=key-protect-integrate-services#grant-access)" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: The import token that was used to encrypt this key has reached its 'maxAllowedRetrievals' or 'expirationDate', and it is no longer available for key operations. To create a new import token, use 'POST /import_token'." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
List keys
Retrieves a list of keys that are stored in your Key Protect service instance.
Important: When a user of Key Protect on Satellite views lists of keys through the IBM Console, or programmatically via this API, keys with "fine grain" permissions won't appear due to the manner in which the service aggregates the collection. While the user can still use the key resource, only by using the CLI or API and passing the specific key ID can a user access the metadata and other details of the key.
Note: GET /keys will not return the key material in the response
body. You can retrieve the key material for a standard key with a
subsequent GET /keys/{id} request.
GET /api/v2/keys
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the target key ring. If unspecified, all resources in the instance that the caller has access to will be returned. When the header is specified, only resources within the specified key ring, that the caller has access to, will be returned. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Query Parameters
The number of keys to retrieve. By default,
GET /keysreturns the first 200 keys. To retrieve a different set of keys, uselimitwithoffsetto page through your available resources. The maximum value forlimitis 5,000. Usage: If you have 20 keys in your instance, and you want to retrieve only the first 5 keys, use../keys?limit=5.Possible values: 1 ≤ value ≤ 5000
Default:
200The number of keys to skip. By specifying
offset, you retrieve a subset of keys that starts with theoffsetvalue. Useoffsetwithlimitto page through your available resources. Usage: If you have 100 keys in your instance, and you want to retrieve keys 26 through 50, use../keys?offset=25&limit=25.Possible values: value ≥ 0
Default:
0The state of the keys to be retrieved. States must be a list of integers from 0 to 5 delimited by commas with no whitespace or trailing commas. Valid states are based on NIST SP 800-57. States are integers and correspond to the Pre-activation = 0, Active = 1, Suspended = 2, Deactivated = 3, and Destroyed = 5 values. Usage: If you want to retrieve active and deleted keys, use
../keys?state=1,5.Allowable values: [
0,1,2,3,5]Possible values: 0 ≤ number of items ≤ 5, 0 ≤ value ≤ 5
Default:
[0,1,2,3]The type of keys to be retrieved. Filters keys based on the
extractableproperty. You can use this query parameter to search for keys whose material can leave the service. If set totrue, standard keys will be retrieved. If set tofalse, root keys will be retrieved. If omitted, both root and standard keys will be retrieved. Usage: If you want to retrieve standard keys, use../keys?extractable=true.When provided, performs a search, possibly limiting the number of keys returned. Examples:
foobar- find keys where the name or any of its aliases containfoobar, case insentive (i.e. matchesxfoobar,Foobar).fadedbee-0000-0000-0000-1234567890ab(a valid key id) - find keys where the id the key isfadedbee-0000-0000-0000-1234567890ab, or the name or any of its aliases containfadedbee-0000-0000-0000-1234567890ab, case insentive.
May prepend with options:
not:= when specified, inverts matching logic (example:not:foowill search for keys that have aliases or names that do not containfoo)escape:= everything after this option is take as plaintext (example:escape:not:will search for keys that have an alias or name containing the substringnot:)exact:= only looks for exact matches
May prepend with search scopes:
alias:= search in key aliases for search queryname:= search in key names for search query
Examples:
not:exact:foobar/exact:not:foobar- find keys where the name nor any of its aliases are not exactlyfoobar(i.e. matchesxfoobar,bar,foo)exact:escape:not:foobar- find keys where the name or any of its aliases are exactlynot:foobarnot:alias:foobar/alias:not:foobar- find keys where any of its aliases do not containfoobarname:exact:foobar/exact:name:foobar- find keys where the name is exactlyfoobar
Note:
By default, if no scopes are provided, search will be performed in both
nameandaliasscopes.Search is only possible on a intial searchable space of at most 5000 keys. If the initial seachable space is greater than 5000 keys, the API returns HTTP 400 with the property resouces[0].reasons[0].code equals to 'KEY_SEARCH_TOO_BROAD'. Use the following filters to reduce the initial searchable space:
state(query parameter)extractable(query parameter)X-Kms-Key-Ring(HTTP header)
If the total intial searchable space exceeds the 5000 keys limit and when providing a fully specified key id or when searching within the
aliasscope, a lookup will be performed and if a key is found, the key will be returned as the only resource and in the response metadata the propertyincompleteSearchwill betrue.When providing a fully specified key id or when searching within the
aliasscope, a key lookup is performed in addition to the search. This means search will try to lookup a single key that is uniquely identified by the key id or provided alias, this key will be included in the response as the first resource, before other matches.Search scopes are disjunctive, behaving in an OR manner. When using more than one search scope, a match in at least one of the scopes will result in the key being returned.
Possible values: 0 ≤ length ≤ 256, Value must match regular expression
^.{0,256}$When provided, sorts the list of keys returned based on one or more key properties. To sort on a property in descending order, prefix the term with "-". To sort on multiple key properties, use a comma to separate each properties. The first property in the comma-separated list will be evaluated before the next. The key properties that can be sorted at this time are:
idstateextractableimportedcreationDatelastUpdateDatelastRotateDatedeletionDateexpirationDate
The list of keys returned is sorted on id by default, if this parameter is not provided.
Allowable values: [
id,state,extractable,imported,creationDate,lastUpdateDate,lastRotateDate,deletionDate,expirationDate]Possible values: 2 ≤ length ≤ 14
Default:
idWhen provided, returns the list of keys that match the queried properties. Each key property to be filtered on is specified as the property name itself, followed by an “=“ symbol, and then the value to filter on, followed by a space if there are more properties to filter only. Note: Anything between
<and>in the examples or descriptions represent placeholder to specify the value Basic format:= = - The value to filter on may contain a value related to the property itself, or an operator followed by a value accepted by the operator - Only one operator and value, or one value is accepted per property at a time Format with operator/value pair: = : Up to three of the same property may be specified at a time. The key properties that can be filtered at this time are: creationDate- Date in RFC 3339 format in double-quotes: “2000-03-21T00:00:00Z”
deletionDate- Date in RFC 3339 format in double-quotes: “2000-03-21T00:00:00Z”
expirationDate- Date in RFC 3339 format in double-quotes: “2000-03-21T00:00:00Z”
extractable- Boolean true or false without quotes, case-insensitive
lastRotateDate- Date in RFC 3339 format in double-quotes: “2000-03-21T00:00:00Z”
lastUpdateDate- Date in RFC 3339 format in double-quotes: “2000-03-21T00:00:00Z”
state- A list of comma-separated integers with no space in between: 0,1,2,3,5 Comparison operations (operators) that can be performed on date values are:
lte:<value>Less than or equal to -lt:<value>Less than -gte:<value>Greater than or equal to -gt:<value>Greater than A special keyword for date,none(case-insensitive), may be used to retreive keys that do not have that property. This is useful forlastRotateDate, where only keys that have never been rotated can be retreived. Examples:lastRotateDate="2022-02-15T00:00:00Z"Filter keys that were last rotated on February 15, 2022 -lastRotateDate=gte:"2022-02-15T00:00:00Z"Filter keys that were last rotated after or on February 15, 2022 -lastRotateDate=gte:"2022-02-15T00:00:00Z" lastRotateDate=lt:"2022-03-15T00:00:00Z"Filter keys that were last rotated after or on February 15, 2022 but before (not including) March 15, 2022 -lastRotateDate="2022-02-15T00:00:00Z" state=0,1,2,3,5 extractable=falseFilter root keys that were last rotated on February 15, 2022, with any state Note: When you filter bystateorextractablein this query parameter, you will not be able to use the deprecatedstateorextractableindependent query parameter. You will get a 400 response code if you specify a value for one of the two properties in both this filter query parameter and the deprecated independent query of the same name (the same applies vice versa).
Possible values: 0 ≤ length ≤ 512, Value must match regular expression
^.{0,512}$
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/keys -H 'accept: application/vnd.ibm.kms.key+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication keys, err := api.GetKeys(context.Background(), <limit>, <offset>) if err != nil { fmt.Println("Error while retrieving keys: ", err) return } b, _ := json.MarshalIndent(keys, "", " ") fmt.Println(string(b)) }package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication limit := uint32(5) offset := uint32(0) extractable := false keyStates := []kp.KeyState{kp.KeyState(kp.Active), kp.KeyState(kp.Suspended)} listKeysOptions := &kp.ListKeysOptions{ Limit : &limit, Offset : &offset, Extractable : &extractable, State : keyStates, } keys, err := client.ListKeys(ctx, listKeysOptions) if err != nil { fmt.Println(err) } fmt.Println(keys) }package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication srtStr, _ := kp.GetKeySortStr(kp.WithCreationDate(), WithImportedDesc()) listKeysOptions := &kp.ListKeysOptions{ Sort:srtStr, } keys, err := client.ListKeys(ctx, listKeysOptions) if err != nil { fmt.Println(err) } fmt.Println(keys) }
import os import keyprotect from keyprotect import bxauth # Initialize the Key Protect client as specified in Authentication keys = kp.keys() for key in kp.keys(): print("%s\t%s" % (key["id"], key["name"]))
// Initialize the Key Protect client as specified in Authentication const response = keyProtectClient.getKeys(envConfigs); console.log('Get keys result:'); for (let resource of response.result.resources){ console.log(resource); }
public static List<KeyRepresentation> getKeys() { GetKeysOptions getKeysOptionsModel = new GetKeysOptions.Builder() .bluemixInstance("<instance_id>") .build(); Response<ListKeys> response = testClient.getKeys(getKeysOptionsModel).execute(); List<KeyRepresentation> keys = response.getResult().getResources(); return keys; }
Response
The base schema for listing keys.
The metadata that describes the list keys response
A collection of resources.
Possible values: 0 ≤ number of items ≤ 5000
Status Code
The list of keys was successfully retrieved.
If reason code (resouces[0].reasons[0].code) is present and is equal to 'KEY_SEARCH_TOO_BROAD', the total searchable space is more than 5000 keys. Try using a filter to reduce the seachable space.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 2 }, "resources": [ { "type": "application/vnd.ibm.kms.key+json", "id": "fadedbee-0000-0000-0000-1234567890ab", "name": "Root-key", "aliases": [ "alias-for-this-key" ], "description": "A Key Protect key", "state": 1, "extractable": true, "keyRingID": "default", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:key:fadedbee-0000-0000-0000-1234567890ab", "imported": false, "creationDate": "2000-03-21T00:00:00Z", "createdBy": "IBMid-0000000000", "algorithmType": "Deprecated", "algorithmMetadata": { "bitLength": "256", "mode": "Deprecated" }, "algorithmBitSize": 256, "algorithmMode": "Deprecated", "lastUpdateDate": "2000-03-21T00:00:00Z", "lastRotateDate": "2000-03-21T00:00:00Z", "keyVersion": { "id": "fadedbee-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" }, "dualAuthDelete": { "enabled": true, "keySetForDeletion": true, "authExpiration": "2000-03-21T00:00:00Z" }, "deleted": false }, { "type": "application/vnd.ibm.kms.key+json", "id": "addedace-0000-0000-0000-1234567890ab", "name": "Standard-key", "aliases": [ "alias-for-this-key" ], "description": "A Key Protect key", "state": 1, "extractable": true, "keyRingID": "default", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:key:addedace-0000-0000-0000-1234567890ab", "imported": false, "creationDate": "2000-03-21T00:00:00Z", "createdBy": "IBMid-0000000000", "algorithmType": "Deprecated", "algorithmMetadata": { "bitLength": "256", "mode": "Deprecated" }, "algorithmBitSize": 256, "algorithmMode": "Deprecated", "lastUpdateDate": "2000-03-21T00:00:00Z", "dualAuthDelete": { "enabled": true, "keySetForDeletion": true, "authExpiration": "2000-03-21T00:00:00Z" }, "deleted": false }, { "type": "application/vnd.ibm.kms.key+json", "id": "beadcafe-0000-0000-0000-1234567890ab", "name": "Deleted-Standard-key", "aliases": [ "alias-for-this-key" ], "description": "A Key Protect key", "state": 5, "extractable": true, "keyRingID": "default", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:key:beadcafe-0000-0000-0000-1234567890ab", "imported": false, "creationDate": "2000-03-21T00:00:00Z", "createdBy": "IBMid-0000000000", "algorithmType": "Deprecated", "algorithmMetadata": { "bitLength": "256", "mode": "Deprecated" }, "algorithmBitSize": 256, "algorithmMode": "Deprecated", "lastUpdateDate": "2000-03-21T00:00:00Z", "dualAuthDelete": { "enabled": true, "keySetForDeletion": true, "authExpiration": "2000-03-21T00:00:00Z" }, "deleted": true, "deletionDate": "2000-03-21T00:00:00Z", "restoreAllowed": true, "restoreExpirationDate": "2000-03-21T00:00:00Z", "purgeAllowed": false, "purgeAllowedFrom": "2000-03-21T00:00:00Z", "purgeScheduledOn": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Retrieve key total
Returns the same HTTP headers as a GET request without returning the entity-body. This operation returns the number of keys in your instance in a header called Key-Total.
HEAD /api/v2/keys
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the target key ring. If unspecified, all resources in the instance that the caller has access to will be returned. When the header is specified, only resources within the specified key ring, that the caller has access to, will be returned. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Query Parameters
The state of the keys to be retrieved. States must be a list of integers from 0 to 5 delimited by commas with no whitespace or trailing commas. Valid states are based on NIST SP 800-57. States are integers and correspond to the Pre-activation = 0, Active = 1, Suspended = 2, Deactivated = 3, and Destroyed = 5 values. Usage: If you want to retrieve active and deleted keys, use
../keys?state=1,5.Allowable values: [
0,1,2,3,5]Possible values: 0 ≤ number of items ≤ 5, 0 ≤ value ≤ 5
Default:
[0,1,2,3]The type of keys to be retrieved. Filters keys based on the
extractableproperty. You can use this query parameter to search for keys whose material can leave the service. If set totrue, standard keys will be retrieved. If set tofalse, root keys will be retrieved. If omitted, both root and standard keys will be retrieved. Usage: If you want to retrieve standard keys, use../keys?extractable=true.When provided, returns the list of keys that match the queried properties. Each key property to be filtered on is specified as the property name itself, followed by an “=“ symbol, and then the value to filter on, followed by a space if there are more properties to filter only. Note: Anything between
<and>in the examples or descriptions represent placeholder to specify the value Basic format:= = - The value to filter on may contain a value related to the property itself, or an operator followed by a value accepted by the operator - Only one operator and value, or one value is accepted per property at a time Format with operator/value pair: = : Up to three of the same property may be specified at a time. The key properties that can be filtered at this time are: creationDate- Date in RFC 3339 format in double-quotes: “2000-03-21T00:00:00Z”
deletionDate- Date in RFC 3339 format in double-quotes: “2000-03-21T00:00:00Z”
expirationDate- Date in RFC 3339 format in double-quotes: “2000-03-21T00:00:00Z”
extractable- Boolean true or false without quotes, case-insensitive
lastRotateDate- Date in RFC 3339 format in double-quotes: “2000-03-21T00:00:00Z”
lastUpdateDate- Date in RFC 3339 format in double-quotes: “2000-03-21T00:00:00Z”
state- A list of comma-separated integers with no space in between: 0,1,2,3,5 Comparison operations (operators) that can be performed on date values are:
lte:<value>Less than or equal to -lt:<value>Less than -gte:<value>Greater than or equal to -gt:<value>Greater than A special keyword for date,none(case-insensitive), may be used to retreive keys that do not have that property. This is useful forlastRotateDate, where only keys that have never been rotated can be retreived. Examples:lastRotateDate="2022-02-15T00:00:00Z"Filter keys that were last rotated on February 15, 2022 -lastRotateDate=gte:"2022-02-15T00:00:00Z"Filter keys that were last rotated after or on February 15, 2022 -lastRotateDate=gte:"2022-02-15T00:00:00Z" lastRotateDate=lt:"2022-03-15T00:00:00Z"Filter keys that were last rotated after or on February 15, 2022 but before (not including) March 15, 2022 -lastRotateDate="2022-02-15T00:00:00Z" state=0,1,2,3,5 extractable=falseFilter root keys that were last rotated on February 15, 2022, with any state Note: When you filter bystateorextractablein this query parameter, you will not be able to use the deprecatedstateorextractableindependent query parameter. You will get a 400 response code if you specify a value for one of the two properties in both this filter query parameter and the deprecated independent query of the same name (the same applies vice versa).
Possible values: 0 ≤ length ≤ 512, Value must match regular expression
^.{0,512}$
curl -I HEAD https://<region>.kms.cloud.ibm.com/api/v2/keys -H 'accept: application/vnd.ibm.kms.key+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
Response
Response Headers
The number of keys in your service instance.
Possible values: value ≥ 0
Status Code
The metadata was successfully retrieved.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. Learn more.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
Create a key with policy overrides
Creates a new key with specified key material and key policies. This API overrides the policy configurations set at instance level with policies provided in the payload.
Key Protect designates the resource as a root key or a standard key based on the extractable value that you specify.
A successful POST /keys_with_policy_overrides operation adds the key and key policies to the service and returns the
details of the request in the response entity-body, if the Prefer header
is set to return=representation.
POST /api/v2/keys_with_policy_overrides
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$Alters server behavior for POST or DELETE operations. A header with
return=minimalcauses the service to return only the key identifier as metadata. A header containingreturn=representationreturns both the key material and metadata in the response entity-body. If the key has been designated as a root key, the system cannot return the key material. Note: During POST operations, Key Protect may not immediately return the key material due to key generation time. To retrieve the key material, you can perform a subsequentGET /keys/{id}request.Allowable values: [
return=representation,return=minimal]Possible values: 14 ≤ length ≤ 21
The ID of the key ring that the specified key belongs to. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$Default:
default
The base request for creating a new key with policies.
{
"metadata": {
"collectionType": "application/vnd.ibm.kms.key+json",
"collectionTotal": 1
},
"resources": [
{
"type": "application/vnd.ibm.kms.key+json",
"name": "Root-key",
"description": "A Key Protect key"
}
]
}A collection of resources.
Possible values: number of items = 1
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys_with_policy_overrides -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.key+json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.key+json", "name": "Root-key", "description": "A Key Protect key", "extractable": false, "dualAuthDelete": { "enabled": true }, "rotation":{ "enabled": true, "interval_month": 6 } } ] }'
Response
Properties associated with a key response.
A collection of resources.
Possible values: number of items = 1
Status Code
The key was successfully created.
The key is either missing a required field or it may contain an invalid or malformed input.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. Learn more.
There are three possible causes for HTTP 404 while trying to create a key, specifying a reason code (resouces[0].reasons[0].code) as follows:
KEY_RING_NOT_FOUND_ERR: The key cannot be created because the key ring does not exist. Note the default key ring name is "default." INSTANCE_NOT_FOUND_ERR: The key cannot be created because the instance does not exist. IMPORT_TOKEN_NOT_FOUND_ERR: The key cannot be created because the import token does not exist.
The import token that was used to encrypt this key has reached its
maxAllowedRetrievalsorexpirationDate, and it is no longer available for operations. To create a new import token, usePOST /import_token. In very rare cases, the import token may expire before its expiration time. Ensure that your client application is configured with a retry mechanism for catching and responding to409conflict exceptions. KEY_ALIAS_QUOTA_ERR: The alias quota for this key has been reached. KEY_ALIAS_NOT_UNIQUE_ERR: One or more aliases are already associated with a key in the instance. KEY_CREATE_IMPORT_ACCESS_ERR: KeyCreateImportAccess instance policy is enabled. Key Protect only permits the creation or import of keys in your Key Protect instance that follow the key creation and import settings listed on the keyCreateImportAccess policy. IMPORT_TOKEN_EXPIRED_ERR: The key cannot be created because the import token has expired.Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.key+json", "id": "fadedbee-0000-0000-0000-1234567890ab", "name": "Root-key", "aliases": [ "alias-for-this-key" ], "description": "A Key Protect key", "state": 1, "keyRingID": "default", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:key:fadedbee-0000-0000-0000-1234567890ab", "imported": false, "creationDate": "2000-03-21T00:00:00Z", "createdBy": "IBMid-0000000000", "algorithmType": "Deprecated", "algorithmMetadata": { "bitLength": "256", "mode": "Deprecated" }, "algorithmBitSize": 256, "algorithmMode": "Deprecated", "lastUpdateDate": "2000-03-21T00:00:00Z", "keyVersion": { "id": "fadedbee-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" }, "rotation": { "interval_month": 3 }, "dualAuthDelete": { "enabled": true, "keySetForDeletion": true, "authExpiration": "2000-03-21T00:00:00Z" }, "deleted": false } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: The key is missing a required field." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. [Learn more](/docs/key-protect?topic=key-protect-integrate-services#grant-access)" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: The import token that was used to encrypt this key has reached its 'maxAllowedRetrievals' or 'expirationDate', and it is no longer available for key operations. To create a new import token, use 'POST /import_token'." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Retrieve a key
Retrieves a key and its details by specifying the ID or alias of the key.
GET /api/v2/keys/{id}Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias> -H 'accept: application/vnd.ibm.kms.key+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication key, err := api.GetKey(context.Background(), <key_ID_or_alias>) if err != nil { fmt.Println("Error while retrieving the key: ", err) return } b, _ := json.MarshalIndent(key, "", " ") fmt.Println(string(b)) }
// Initialize the Key Protect client as specified in Authentication const getKeyParams = Object.assign({}, envConfigs); getKeyParams.id = "<key_id>"; const response = keyProtectClient.getKey(getKeyParams); console.log('Get key result: '); console.log(response.result.resources[0]);
import os import keyprotect from keyprotect import bxauth # Initialize the Key Protect client as specified in Authentication key = kp.get("<key_id>") print("%s\t%s" % (key["id"], key["name"]))
public static List<KeyWithPayload> getKey(String keyId) { GetKeyOptions getKeyOptionsModel = new GetKeyOptions.Builder() .bluemixInstance("<instance_id>") .id(keyId) .build(); Response<GetKey> response = testClient.getKey(getKeyOptionsModel).execute(); List<KeyWithPayload> key = response.getResult().getResources(); return key; }
Response
The base schema for retrieving keys.
The metadata that describes the resource array.
A collection of resources.
Possible values: number of items = 1
Status Code
The key was successfully retrieved. If the key was previously deleted,
keyVersion.creationDateis omitted from the request response.The key could not be retrieved due to a malformed, invalid, or missing ID.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. Learn more.
The key could not be found. Verify that the key ID specified is valid.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.key+json", "id": "fadedbee-0000-0000-0000-1234567890ab", "name": "Standard-key", "aliases": [ "alias-for-this-key" ], "description": "A Key Protect key", "state": 1, "extractable": true, "keyRingID": "default", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:key:fadedbee-0000-0000-0000-1234567890ab", "imported": false, "creationDate": "2000-03-21T00:00:00Z", "createdBy": "IBMid-0000000000", "algorithmType": "Deprecated", "algorithmMetadata": { "bitLength": "256", "mode": "Deprecated" }, "algorithmBitSize": 256, "algorithmMode": "Deprecated", "keyVersion": { "id": "fadedbee-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" }, "dualAuthDelete": { "enabled": true, "keySetForDeletion": true, "authExpiration": "2000-03-21T00:00:00Z" }, "deleted": false, "payload": "x089YbmN9GSvpxEKe0LaqA==" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: The key could not be retrieved due to a malformed, invalid, or missing ID." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. [Learn more](/docs/key-protect?topic=key-protect-integrate-services#grant-access)" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: The key could not be found. Verify that the key ID specified is valid." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Invoke an action on a key
Note: This API has been deprecated and transitioned to
individual request paths. Existing actions using this API will continue
to be supported, but new actions will no longer be added to it. We
recommend, if possible, aligning your request URLs to the new API path.
The generic format of actions is now the following:
/api/v2/keys/<key_ID>/actions/<action> where key_ID is the key you
want to operate on/with and action is the same action that was passed
as a query parameter previously.
Invokes an action on a specified key. This method supports the following actions:
disable: Disable operations for a keyenable: Enable operations for a keyrestore: Restore a root keyrewrap: Use a root key to rewrap or reencrypt a data encryption keyrotate: Create a new version of a root keysetKeyForDeletion: Authorize deletion for a key with a dual authorization policyunsetKeyForDeletion: Remove an authorization for a key with a dual authorization policyunwrap: Use a root key to unwrap or decrypt a data encryption keywrap: Use a root key to wrap or encrypt a data encryption key
Note: If you unwrap a wrapped data encryption key (WDEK) that was not wrapped by the latest version of the key, the service also returns the a new WDEK, wrapped with the latest version of the key as the ciphertext field. The recommendation is to store and use that WDEK, although older WDEKs will continue to work.
POST /api/v2/keys/{id}Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$Alters server behavior for POST or DELETE operations. A header with
return=minimalcauses the service to return only the key identifier as metadata. A header containingreturn=representationreturns both the key material and metadata in the response entity-body. If the key has been designated as a root key, the system cannot return the key material. Note: During POST operations, Key Protect may not immediately return the key material due to key generation time. To retrieve the key material, you can perform a subsequentGET /keys/{id}request.Allowable values: [
return=representation,return=minimal]Possible values: 14 ≤ length ≤ 21
Path Parameters
The v4 UUID that uniquely identifies the key.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Query Parameters
The action to perform on the specified key.
Allowable values: [
disable,enable,restore,rewrap,rotate,setKeyForDeletion,unsetKeyForDeletion,unwrap,wrap]Possible values: 4 ≤ length ≤ 19
The base request for key actions.
Wrap key
{
"plaintext": "<data_key>",
"aad": [
"<additional_data>",
"<additional_data>"
]
}The data encryption key (DEK) used in wrap actions when the query parameter is set to
wrap. The system returns a base64 encoded plaintext in the response entity-body when you perform anunwrapaction on a key. To wrap an existing DEK, provide a base64 encoded plaintext during awrapaction. To generate a new DEK, omit theplaintextproperty. Key Protect generates a random plaintext (32 bytes) that is rooted in an HSM and then wraps that value. Note: When you unwrap a wrapped data encryption key (WDEK) by using a rotated root key, the service returns a new ciphertext in the response entity-body. Each ciphertext remains available forunwrapactions. If you unwrap a DEK with a previous ciphertext, the service also returns the latest ciphertext in the response. Use the latest ciphertext for future unwrap operations.Possible values: 0 ≤ length ≤ 4096, Value must match regular expression
^.{0,4096}$The additional authentication data (AAD) used to further secure the key. If you supply AAD when you make a
wrapcall, you must specify the same AAD during a subsequentunwrapcall.Possible values: 0 ≤ number of items ≤ 126, 0 ≤ length ≤ 255, Value must match regular expression
^.{0,255}$
Response
Properties that are associated with the response body of a wrap action.
The data encryption key (DEK) used in wrap actions when the query parameter is set to
wrap. The system returns a base64 encoded plaintext in the response entity-body when you perform anunwrapaction on a key. To wrap an existing DEK, provide a base64 encoded plaintext during awrapaction. To generate a new DEK, omit theplaintextproperty. Key Protect generates a random plaintext (32 bytes) that is rooted in an HSM and then wraps that value. Note: When you unwrap a wrapped data encryption key (WDEK) by using a rotated root key, the service returns a new ciphertext in the response entity-body. Each ciphertext remains available forunwrapactions. If you unwrap a DEK with a previous ciphertext, the service also returns the latest ciphertext in the response. Use the latest ciphertext for future unwrap operations.Possible values: 0 ≤ length ≤ 4096, Value must match regular expression
^.{0,4096}$The wrapped data encryption key (WDEK) that you can export to your app or service. The ciphertext contains the DEK wrapped by the latest version of the key (WDEK). It is recommended to store and use this WDEK in future calls to Key Protect. The value is base64 encoded.
Possible values: 4 ≤ length ≤ 7184, Value must match regular expression
^.{4,7184}$The key version that was used to wrap the DEK. This key version is associated with the
ciphertextvalue that was used in the request.- keyVersion
The ID of the key version.
Example:
fadedbee-0000-0000-0000-1234567890ab
Status Code
Successful key operation.
The imported key was successfully restored.
Successful key operation.
Your authentication data or key is invalid, or the entity-body is missing a required field.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. Learn more.
The key could not be found.
The key is not in an appropriate state, so the KeyAction has failed.
The requested key was previously deleted and is no longer available. Delete references to this key.
The ciphertext provided for the unwrap operation was not wrapped by this key.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "plaintext": "tF9ss0W9HQUVkddcjSeGg/MqZFs2CVh/FFKLPLLnOwY=", "ciphertext": "eyJjaXBoZXJ0ZXh0Ijoic1ZZRnZVcjdQanZXQ0tFakMwRFFWZktqQ3AyRmtiOFJOSDJSTkpZRzVmU1hWNDJScD\\ RDVythU0h3Y009IiwiaGFzaCI6IjVWNzNBbm9XdUxxM1BvZEZpd1AxQTdQMUZrTkZOajVPMmtmMkNxdVBxL0NRdFlOZnBvemp\\ iYUxjRDNCSWhxOGpKZ2JNR0xhMHB4dDA4cTYyc0RJMGRBPT0iLCJpdiI6Ilc1T2tNWFZuWDFCTERDUk51M05EUlE9PSIsInZl\\ cnNpb24iOiIzLjAuMCIsImhhbmRsZSI6IjRkZjg5ZGVlLWU3OTMtNGY5Ny05MGNjLTc1ZWQ5YjZlNWM4MiJ9", "keyVersion": { "id": "fadedbee-0000-0000-0000-1234567890ab" } }{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.key+json", "id": "fadedbee-0000-0000-0000-1234567890ab", "name": "Root-key", "aliases": [ "alias-for-this-key" ], "description": "A Key Protect key", "state": 1, "extractable": false, "keyRingID": "default", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:key:fadedbee-0000-0000-0000-1234567890ab", "imported": true, "creationDate": "2000-03-21T00:00:00Z", "createdBy": "IBMid-0000000000", "algorithmType": "Deprecated", "algorithmMetadata": { "bitLength": "256", "mode": "Deprecated" }, "algorithmBitSize": 256, "algorithmMode": "Deprecated", "lastUpdateDate": "2000-03-21T00:00:00Z", "keyVersion": { "id": "fadedbee-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" }, "dualAuthDelete": { "enabled": true, "keySetForDeletion": true, "authExpiration": "2000-03-21T00:00:00Z" }, "deleted": false } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: Your authentication data or key is invalid, or the entity-body is missing a required field." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. [Learn more](/docs/key-protect?topic=key-protect-integrate-services#grant-access)" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: The key could not be found. KEY_NOT_FOUND_ERR: Key does not exist" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: The key is not in an appropriate state, so the KeyAction has failed." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Gone: The requested key was previously deleted and is no longer available. Delete references to this key." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unprocessable Entity: The ciphertext provided for the unwrap operation was not wrapped by this key." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Update (patch) a key
Update attributes of a key. Currently only the following attributes are applicable for update: - keyRingID Note: If provided, the X-Kms-Key-Ring header should specify the key's current key ring. To change the key ring of the key, specify the new key ring in the request body.
PATCH /api/v2/keys/{id}Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID that uniquely identifies the key.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
The base request for patch key.
{
"keyRingID": "new-key-ring-id"
}The target key ring to move the targeted key to.
Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
curl -X PATCH https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias> -H 'accept: application/vnd.ibm.kms.key+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.key+json' -d '{ "keyRingID": "new-key-ring" }'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication keyDetails, err := api.SetKeyRing(context.Background(), <key_ID>, <new_key_ring_name>) if err != nil { fmt.Println("Error while updating the key: ", err) return } b, _ := json.MarshalIndent(keyDetails, "", " ",) fmt.Println(string(b)) }
Response
The base schema for patch key response body.
The metadata that describes the resource array.
An array of resources.
Possible values: number of items = 1
Status Code
Successful key update.
The request is missing a required field.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
There are two possible causes for HTTP 404 while trying to update a key, specifying a reason code (resouces[0].reasons[0].code) as follows: KEY_NOT_FOUND_ERR: The key could not be found. KEY_RING_NOT_FOUND_ERR: Key could not be updated, key ring specified does not exist.
The requested key was previously deleted and is no longer available. Delete references to this key.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.key+json", "id": "fadedbee-0000-0000-0000-1234567890ab", "name": "Root-key", "aliases": [ "alias-for-this-key" ], "description": "A Key Protect key", "state": 1, "extractable": false, "keyRingID": "new-key-ring-id", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:key:fadedbee-0000-0000-0000-1234567890ab", "imported": false, "creationDate": "2000-03-21T00:00:00Z", "createdBy": "IBMid-0000000000", "algorithmType": "Deprecated", "algorithmMetadata": { "bitLength": "256", "mode": "Deprecated" }, "algorithmBitSize": 256, "algorithmMode": "Deprecated", "lastUpdateDate": "2000-03-21T00:00:00Z", "keyVersion": { "id": "fadedbee-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" }, "dualAuthDelete": { "enabled": true, "keySetForDeletion": true, "authExpiration": "2000-03-21T00:00:00Z" }, "deleted": false } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: The request is missing a required field." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: Key could not be restored. See 'reasons' for more details.", "reasons": [ { "code": "KEY_NOT_FOUND_ERR", "message": "Key does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Gone: The requested key was previously deleted and is no longer available. Delete references to this key." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Delete a key
Deletes a key by specifying the ID or alias of the key.
By default, Key Protect requires a single authorization to delete keys. For added protection, you can enable a dual authorization policy to safely delete keys from your service instance.
Important: After a key has been deleted, any data that is encrypted by the key becomes inaccessible, though this can be reversed if the key is restored within the 30-day time frame. After 30 days, key metadata, registrations, and policies are available for up to 90 days, at which point the key becomes eligible to be purged. Note that once a key is no longer restorable and has been purged, its associated data can no longer be accessed.
Note: By default, Key Protect blocks the deletion of a key that's
protecting a cloud resource, such as a Cloud Object Storage bucket. Use
GET keys/{id}/registrations to verify if the key has an active
registration to a resource. To delete the key and its associated
registrations, set the optional force parameter to true.
DELETE /api/v2/keys/{id}Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$Alters server behavior for POST or DELETE operations. A header with
return=minimalcauses the service to return only the key identifier as metadata. A header containingreturn=representationreturns both the key material and metadata in the response entity-body. If the key has been designated as a root key, the system cannot return the key material. Note: During POST operations, Key Protect may not immediately return the key material due to key generation time. To retrieve the key material, you can perform a subsequentGET /keys/{id}request.Allowable values: [
return=representation,return=minimal]Possible values: 14 ≤ length ≤ 21
Path Parameters
The v4 UUID that uniquely identifies the key.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Query Parameters
If set to
true, Key Protect forces deletion on a key that is protecting a cloud resource, such as a Cloud Object Storage bucket. The action removes any registrations that are associated with the key. Note: If a key is protecting a cloud resource that has a retention policy, Key Protect cannot delete the key. UseGET keys/{id}/registrationsto review registrations between the key and its associated cloud resources. To enable deletion, contact an account owner to remove the retention policy on each resource that is associated with this key.Default:
false
curl -X DELETE https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias> -H 'accept: application/vnd.ibm.kms.key+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication force := false // set this to true if force-delete is needed delKey, err := client.DeleteKey(context.Background(), key.ID, kp.ReturnRepresentation, kp.ForceOpt{Force: force}) if err != nil { fmt.Println("Error while deleting the key: ", err) return } b, _ := json.MarshalIndent(delKey, "", " ") fmt.Println(string(b)) }
// Initialize the Key Protect client as specified in Authentication const deleteKeyParams = Object.assign({}, envConfigs); deleteKeyParams.id = "<key_ID_or_alias>"; deleteKeyParams.prefer = 'return=representation'; const response = keyProtectClient.deleteKey(deleteKeyParams); console.log('Delete key response status: ' + response.status);
import os import keyprotect from keyprotect import bxauth # Initialize the Key Protect client as specified in Authentication deletedKey = kp.delete("<key_id>") print("Deleted key '%s'" % key_id)
public static DeleteKey deleteKey(String keyId, Boolean forceDelete) { Boolean deleteForceParam = false; if (forceDelete != null) { deleteForceParam = forceDelete; } DeleteKeyOptions deleteKeyOptionsModel = new DeleteKeyOptions.Builder() .bluemixInstance("<instance_id>") .id(keyId) .force(deleteForceParam) .build(); Response<DeleteKey> response = testClient.deleteKey(deleteKeyOptionsModel).execute(); DeleteKey result = response.getResult(); return result; // null result on success }
Response
The base schema for deleting keys.
The metadata that describes the resource array.
A collection of resources.
Possible values: number of items = 1
Status Code
The key was successfully deleted. The status code is the only response, unless the
preferparameter containsreturn=representation.The key was successfully deleted. No content. The status code is the only response, unless the
preferparameter containsreturn=representation.The key cannot be deleted due to a malformed, invalid, or missing ID.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. Learn more.
The key could not be found.
There are three possible causes for HTTP 409 while trying to delete a key, specifying a reason code (resouces[0].reasons[0].code) as follows:
AUTHORIZATIONS_NOT_MET: The key cannot be deleted because it failed the dual authorization request. Before you delete this key, make sure dual authorization procedures are followed. See the topic, Deleting keys using dual authorization.
PROTECTED_RESOURCE_ERR: The key cannot be deleted because the key has one or more associated resources. See the topic, Considerations before deleting and purging a key.
PREV_KEY_DEL_ERR: The key cannot be deleted because it's protecting a cloud resource that has a retention policy. Before you delete this key, contact an account owner to remove the retention policy on each resource that is associated with the key. See the topic, Considerations before deleting and purging a key.
The requested key was previously deleted and is no longer available. Delete references to this key.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.key+json", "id": "fadedbee-0000-0000-0000-1234567890ab", "name": "Root-key", "aliases": [ "alias-for-this-key" ], "description": "A Key Protect key", "state": 5, "extractable": false, "keyRingID": "default", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:key:fadedbee-0000-0000-0000-1234567890ab", "imported": false, "creationDate": "2000-03-21T00:00:00Z", "createdBy": "IBMid-0000000000", "algorithmType": "Deprecated", "algorithmMetadata": { "bitLength": "256", "mode": "Deprecated" }, "algorithmBitSize": 256, "algorithmMode": "Deprecated", "lastUpdateDate": "2000-03-21T00:00:00Z", "lastRotateDate": "2000-03-21T00:00:00Z", "dualAuthDelete": { "enabled": true, "keySetForDeletion": true, "authExpiration": "2000-03-21T00:00:00Z" }, "deleted": true, "deletionDate": "2000-03-21T00:00:00Z", "deletedBy": "IBMid-0000000000", "restoreAllowed": true, "restoreExpirationDate": "2000-03-21T00:00:00Z", "purgeAllowed": false, "purgeAllowedFrom": "2000-03-21T00:00:00Z", "purgeScheduledOn": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: The key cannot be deleted due to a malformed, invalid, or missing ID." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. [Learn more](/docs/key-protect?topic=key-protect-integrate-services#grant-access)" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: The key could not be found. KEY_NOT_FOUND_ERR: Key does not exist" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Key could not be deleted. See 'reasons' for more details.", "reasons": [ { "code": "PREV_KEY_DEL_ERR", "message": "The key cannot be deleted because it's protecting a cloud resource that has a retention policy. Before you delete this key, contact an account owner to remove the retention policy on each resource that is associated with the key.", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Gone: The requested key was previously deleted and is no longer available. Delete references to this key." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Retrieve key metadata
Retrieves the details of a key by specifying the ID of the key.
GET /api/v2/keys/{id}/metadataRequest
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/metadata -H 'accept: application/vnd.ibm.kms.key+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication keyMetadata, err := api.GetKeyMetadata(context.Background(), <key_ID|alias>) if err != nil { fmt.Println("Error while retrieving key metadata: ", err) return } b, _ := json.MarshalIndent(keyMetadata, "", " ") fmt.Println(string(b)) }
public static GetKeyMetadata getKeyMetadata(String keyId) { GetKeyMetadataOptions getKeyMetadataOptionsModel = new GetKeyMetadataOptions.Builder() .id(keyId) .bluemixInstance("<instance_id>") .build(); Response<GetKeyMetadata> response = testClient.getKeyMetadata(getKeyMetadataOptionsModel).execute(); GetKeyMetadata metadata = response.getResult(); return metadata; }
Response
The base schema for retrieving key metadata.
The metadata that describes the resource array.
A collection of resources.
Possible values: number of items = 1
Status Code
The key metadata was successfully retrieved.
The key metadata could not be retrieved due to a malformed, invalid, or missing ID or alias.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. Learn more.
The key metadata for the key with specified ID could not be found.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.key+json", "id": "fadedbee-0000-0000-0000-1234567890ab", "name": "Standard-key", "aliases": [ "alias-for-this-key" ], "description": "A Key Protect key", "state": 1, "extractable": true, "keyRingID": "default", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:key:fadedbee-0000-0000-0000-1234567890ab", "imported": false, "creationDate": "2000-03-21T00:00:00Z", "createdBy": "IBMid-0000000000", "algorithmType": "Deprecated", "algorithmMetadata": { "bitLength": "256", "mode": "Deprecated" }, "algorithmBitSize": 256, "algorithmMode": "Deprecated", "lastUpdateDate": "2000-03-21T00:00:00Z", "dualAuthDelete": { "enabled": true, "keySetForDeletion": true, "authExpiration": "2000-03-21T00:00:00Z" }, "deleted": false } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: The key metadata could not be retrieved due to a malformed, invalid, or missing ID." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. [Learn more](/docs/key-protect?topic=key-protect-integrate-services#grant-access)" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Key metadata could not be retrieved. See 'reasons' for more details.", "reasons": [ { "code": "KEY_NOT_FOUND", "message": "Key does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Purge a deleted key
Purges all key metadata and registrations associated with the specified key. This method requires setting the KeyPurge permission that is not enabled by default. Purging a key can only be applied to a key in the Destroyed (5) state. After a key is deleted, there is a wait period of up to four hours before purge key operation is allowed. Important: When you purge a key, you permanently shred its contents and associated data. The action cannot be reversed.
DELETE /api/v2/keys/{id}/purgeRequest
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$Alters server behavior for POST or DELETE operations. A header with
return=minimalcauses the service to return only the key identifier as metadata. A header containingreturn=representationreturns both the key material and metadata in the response entity-body. If the key has been designated as a root key, the system cannot return the key material. Note: During POST operations, Key Protect may not immediately return the key material due to key generation time. To retrieve the key material, you can perform a subsequentGET /keys/{id}request.Allowable values: [
return=representation,return=minimal]Possible values: 14 ≤ length ≤ 21
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$
curl -X DELETE https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/purge -H 'accept: application/vnd.ibm.kms.key+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication purgedKey, err := api.PurgeKey(context.Background(), <key_ID>, kp.ReturnRepresentation) if err != nil { fmt.Println("Error while purging key : ", err) return } b, _ := json.MarshalIndent(purgedKey, "", " ") fmt.Println(string(b)) }
Response
The base schema for purged key.
The metadata that describes the resource array.
A collection of resources.
Possible values: number of items = 1
Status Code
The key was successfully purged.
The key was successfully purged. No content.
The key cannot be purged due to a malformed ID.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. Learn more.
The key could not be found.
There are two possible causes for HTTP 409 while trying to delete a key, specifying a reason code (resouces[0].reasons[0].code) as follows: REQ_TOO_EARLY_ERR: The key could not be purged due to wait period of four hours has not been reached. KEY_ACTION_INVALID_STATE_ERR: The key could not be purged because it is not in the Destroyed (5) state.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.key+json", "id": "fadedbee-0000-0000-0000-1234567890ab", "name": "Root-key", "aliases": [ "alias-for-this-key" ], "description": "A Key Protect key", "state": 5, "extractable": false, "keyRingID": "default", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:key:fadedbee-0000-0000-0000-1234567890ab", "imported": false, "creationDate": "2000-03-21T00:00:00Z", "createdBy": "IBMid-0000000000", "algorithmType": "Deprecated", "algorithmMetadata": { "bitLength": "256", "mode": "Deprecated" }, "algorithmBitSize": 256, "algorithmMode": "Deprecated", "lastUpdateDate": "2000-03-21T00:00:00Z", "lastRotateDate": "2000-03-21T00:00:00Z", "dualAuthDelete": { "enabled": true, "keySetForDeletion": true, "authExpiration": "2000-03-21T00:00:00Z" }, "deleted": true, "deletionDate": "2000-03-21T00:00:00Z", "deletedBy": "IBMid-0000000000", "purgeAllowed": true, "purgeAllowedFrom": "2000-03-21T00:00:00Z", "purgeScheduledOn": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: The key cannot be purged due to a malformed ID." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. [Learn more](/docs/key-protect?topic=key-protect-integrate-services#grant-access)" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: The key could not be found. KEY_NOT_FOUND_ERR: Key does not exist" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Key could not be purged. See 'reasons' for more details.", "reasons": [ { "code": "KEY_INVALID_STATE_ERR", "message": "Key is not in a valid state.", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$Alters server behavior for POST or DELETE operations. A header with
return=minimalcauses the service to return only the key identifier as metadata. A header containingreturn=representationreturns both the key material and metadata in the response entity-body. If the key has been designated as a root key, the system cannot return the key material. Note: During POST operations, Key Protect may not immediately return the key material due to key generation time. To retrieve the key material, you can perform a subsequentGET /keys/{id}request.Allowable values: [
return=representation,return=minimal]Possible values: 14 ≤ length ≤ 21
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$
The base request parameters for restore key action.
{
"metadata": {
"collectionType": "application/vnd.ibm.kms.key+json",
"collectionTotal": 1
},
"resources": [
{
"payload": "x089YbmN9GSvpxEKe0LaqA=="
}
]
}{
"metadata": {
"collectionType": "application/vnd.ibm.kms.key+json",
"collectionTotal": 1
},
"resources": [
{
"payload": "x089YbmN9GSvpxEKe0LaqA==",
"encryptionAlgorithm": "RSAES_OAEP_SHA_256",
"encryptedNonce": "DVy/Dbk37X8gSVwRA5U6vrHdWQy8T2ej+riIVw==",
"iv": "puQrzDX7gU1TcTTx"
}
]
}A collection of resources.
Possible values: number of items = 1
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/restore -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.key_action_restore+json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.key_action_restore+json", "collectionTotal": 1 }, "resources": [ { "payload": "<key_material>" } ] }'curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID>/restore -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.key_action_restore+json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.key_action_restore+json", "collectionTotal": 1 }, "resources": [ { "payload": "<encrypted_key_material>", "encryptedNonce": "<encrypted_nonce>", "iv": "<iv>", "encryptionAlgorithm": "RSAES_OAEP_SHA_256" } ] }'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication restoredKey, err := api.RestoreKey(context.Background(), <key_ID>) if err != nil { fmt.Println("Error while restoring key: ", err) return } b, _ := json.MarshalIndent(restoredKey, "", " ") fmt.Println(string(b)) }
public static KeyActionOneOfResponse restoreKey(String keyId) { InputStream inputStream = null; ActionOnKeyOptions restoreKeyOptionsModel = null; Response<KeyActionOneOfResponse> response = null; KeyActionOneOfResponse responseObj = null; try { // Only imported root keys can be restored; if the file conforms to the // SecureRestoreKeyRequestBody format, include the encryption method, // encrypted payload, encrypted nonce, and initialization vector. inputStream = new FileInputStream("/path/to/file.txt"); restoreKeyOptionsModel = new ActionOnKeyOptions.Builder() .id(keyId) .bluemixInstance("<INSTANCE_ID>") .action("restore") .keyActionOneOf(inputStream) .prefer("return=minimal") .build(); } catch(FileNotFoundException e) { System.out.println("File not found: " + e.toString()); return responseObj; } response = testClient.actionOnKey(restoreKeyOptionsModel).execute(); responseObj = response.getResult(); return responseObj; }
Response
Properties associated with a key response.
A collection of resources.
Possible values: number of items = 1
Status Code
The key was successfully restored.
The request is missing a required field.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
The key could not be found.
There are three possible causes for HTTP 409 while trying to restore a key, specifying a reason code (resouces[0].reasons[0].code) as follows: KEY_ACTION_INVALID_STATE_ERR: The requested key is not in the
Destroyed(5) state. REQ_TOO_EARLY_ERR: Key could not be restored. The key was updated recently, wait and try again. Restoring a key is only allowed when 30 seconds after key is deleted has passed. KEY_RING_RESOURCE_QUOTA_ERR: Key could not be restored. The resource quota for key rings in this instance has been reached and key rings cannot be created.Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.key+json", "id": "fadedbee-0000-0000-0000-1234567890ab", "name": "Root-key", "aliases": [ "alias-for-this-key" ], "description": "A Key Protect key", "state": 1, "extractable": false, "keyRingID": "default", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:key:fadedbee-0000-0000-0000-1234567890ab", "imported": true, "creationDate": "2000-03-21T00:00:00Z", "createdBy": "IBMid-0000000000", "algorithmType": "Deprecated", "algorithmMetadata": { "bitLength": "256", "mode": "Deprecated" }, "algorithmBitSize": 256, "algorithmMode": "Deprecated", "lastUpdateDate": "2000-03-21T00:00:00Z", "keyVersion": { "id": "fadedbee-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" }, "dualAuthDelete": { "enabled": true, "keySetForDeletion": true, "authExpiration": "2000-03-21T00:00:00Z" }, "deleted": false } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: The request is missing a required field." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: Key could not be restored. See 'reasons' for more details.", "reasons": [ { "code": "KEY_NOT_FOUND_ERR", "message": "Key does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: Key could not be restored. See 'reasons' for more details.", "reasons": [ { "code": "KEY_ACTION_INVALID_STATE_ERR", "message": "Key is not in a valid state.", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
List key versions
Retrieves all versions of a root key by specifying the ID or alias of the key.
When you rotate a root key, you generate a new version of the key. If you're using the root key to protect resources across IBM Cloud, the registered cloud services that you associate with the key use the latest key version to wrap your data. Learn more.
GET /api/v2/keys/{id}/versionsRequest
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$
Query Parameters
The number of key versions to retrieve. By default,
GET /versionsreturns the first 200 key versions. To retrieve a different set of key versions, uselimitwithoffsetto page through your available resources. The maximum value forlimitis 5,000. Usage: If you have a key with 20 versions in your instance, and you want to retrieve only the first 5 versions, use../versions?limit=5.Possible values: 1 ≤ value ≤ 5000
Default:
200The number of key versions to skip. By specifying
offset, you retrieve a subset of key versions that starts with theoffsetvalue. Useoffsetwithlimitto page through your available resources. Usage: If you have a key with 100 versions in your instance, and you want to retrieve versions 26 through 50, use../versions?offset=25&limit=25.Possible values: value ≥ 0
Default:
0If set to
true, returnstotalCountin the response metadata for use with pagination. ThetotalCountvalue returned specifies the total number of key versions that match the request, disregarding limit and offset. The default is set to false. Usage: To return thetotalCountvalue for use with pagination, use../versions?totalCount=true.If set to
true, returns the key versions of a key in any state. Usage: If you have deleted a key and still want to retrieve its key versions use../versions?allKeyStates=true.Default:
false
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/versions -H 'accept: application/vnd.ibm.kms.key.version+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
public static List<KeyVersion> getKeyVersions(String keyId) { GetKeyVersionsOptions getKeyVersionsOptionsModel = new GetKeyVersionsOptions.Builder() .id(keyId) .bluemixInstance("<instance_id>") .build(); Response<ListKeyVersions> response = testClient.getKeyVersions(getKeyVersionsOptionsModel ).execute(); List<KeyVersion> details = response.getResult().getResources(); return details; }
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication limit := uint32(2) offset := uint32(0) totalCount := true listkeyVersionsOptions := &kp.ListKeyVersionsOptions{ Limit : &limit, Offset : &offset, TotalCount : &totalCount, } keyVersions, err := client.ListKeyVersions(ctx, "key_id_or_alias", listkeyVersionsOptions) if err != nil { fmt.Println(err) } fmt.Println(keyVersions) }
Response
Properties associated with a registration response.
An array of resources.
Possible values: 0 ≤ number of items ≤ 5000
Status Code
The list of key versions was successfully retrieved.
The request is missing a required field.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
The key could not be found.
The key is not in an active state.
The requested key was previously deleted and is no longer available. Delete references to this key.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 2, "totalCount": 4 }, "resources": [ { "id": "fadedbee-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" }, { "id": "addedace-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: The request is missing a required field." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: The key could not be found. KEY_NOT_FOUND_ERR: Key does not exist" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: The key is not in an active state." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Gone: The requested key was previously deleted and is no longer available. Delete references to this key." } ] }
Wrap a key
Use a root key to wrap or encrypt a data encryption key. When present, the ciphertext contains the DEK wrapped by the latest version of the key (WDEK). It is recommended to store and use this WDEK in future calls to Key Protect.
POST /api/v2/keys/{id}/actions/wrapRequest
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$
The base request for wrap key action.
{
"plaintext": "<data_key>",
"aad": [
"<additional_data>",
"<additional_data>"
]
}The data encryption key (DEK) used in wrap actions when the query parameter is set to
wrap. The system returns a base64 encoded plaintext in the response entity-body when you perform anunwrapaction on a key. To wrap an existing DEK, provide a base64 encoded plaintext during awrapaction. To generate a new DEK, omit theplaintextproperty. Key Protect generates a random plaintext (32 bytes) that is rooted in an HSM and then wraps that value. Note: When you unwrap a wrapped data encryption key (WDEK) by using a rotated root key, the service returns a new ciphertext in the response entity-body. Each ciphertext remains available forunwrapactions. If you unwrap a DEK with a previous ciphertext, the service also returns the latest ciphertext in the response. Use the latest ciphertext for future unwrap operations.Possible values: 0 ≤ length ≤ 4096, Value must match regular expression
^.{0,4096}$The additional authentication data (AAD) used to further secure the key. If you supply AAD when you make a
wrapcall, you must specify the same AAD during a subsequentunwrapcall.Possible values: 0 ≤ number of items ≤ 126, 0 ≤ length ≤ 255, Value must match regular expression
^.{0,255}$
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/actions/wrap -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.key_action_wrap+json'curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID>/actions/wrap -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.key_action_wrap+json' -d '{ "plaintext": "<data_key>", "aad": ["<additional_data>", "<additional_data>"] }'
package main import ( "context" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication aad := []string{"<additional_data>", "<additional_data>"} plaintext := []byte(<data_key>) ciphertext, err := api.Wrap(context.Background(), <key_ID>, plaintext, &aad) if err != nil { fmt.Println("Error wrapping the key: ", err) return } fmt.Println(string(ciphertext)) }
// Initialize the Key Protect client as specified in Authentication // Wrap and unwrap base64 encoded plaintext using key const samplePlaintext = 'dGhpcyBpcyBhIGJhc2U2NCBzdHJpbmcK'; // base64 encoded plaintext const wrapKeyParams = Object.assign({}, envConfigs); wrapKeyParams.id = "<key_ID_or_alias>"; wrapKeyParams.keyActionWrapBody = { plaintext: samplePlaintext, }; const response = keyProtectClient.wrapKey(wrapKeyParams); console.log('Wrap key response cipher: ' + response.result.ciphertext); const ciphertextResult = response.result.ciphertext; // saved for the unwrap example
import os import keyprotect from keyprotect import bxauth # Initialize the Key Protect client as specified in Authentication key = kp.create(name="MyRootKey", root=True) # payload should be a bytestring message = b'This is an important test message.' wrapped = kp.wrap(key.get('id'), message) ciphertext = wrapped.get("ciphertext")
Response
Properties that are associated with the response body of a wrap action.
The data encryption key (DEK) used in wrap actions when the query parameter is set to
wrap. The system returns a base64 encoded plaintext in the response entity-body when you perform anunwrapaction on a key. To wrap an existing DEK, provide a base64 encoded plaintext during awrapaction. To generate a new DEK, omit theplaintextproperty. Key Protect generates a random plaintext (32 bytes) that is rooted in an HSM and then wraps that value. Note: When you unwrap a wrapped data encryption key (WDEK) by using a rotated root key, the service returns a new ciphertext in the response entity-body. Each ciphertext remains available forunwrapactions. If you unwrap a DEK with a previous ciphertext, the service also returns the latest ciphertext in the response. Use the latest ciphertext for future unwrap operations.Possible values: 0 ≤ length ≤ 4096, Value must match regular expression
^.{0,4096}$The wrapped data encryption key (WDEK) that you can export to your app or service. The ciphertext contains the DEK wrapped by the latest version of the key (WDEK). It is recommended to store and use this WDEK in future calls to Key Protect. The value is base64 encoded.
Possible values: 4 ≤ length ≤ 7184, Value must match regular expression
^.{4,7184}$The key version that was used to wrap the DEK. This key version is associated with the
ciphertextvalue that was used in the request.- keyVersion
The ID of the key version.
Example:
fadedbee-0000-0000-0000-1234567890ab
Status Code
The key was successfully wrapped.
The request is malformed or illegal.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
The key could not be found.
The key is not in the
Active(1) state.The requested key was previously deleted and is no longer available. The key may be restored within thirty (30) days of deletion using
POST /keys/{id}/restore.Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "plaintext": "tF9ss0W9HQUVkddcjSeGg/MqZFs2CVh/FFKLPLLnOwY=", "ciphertext": "eyJjaXBoZXJ0ZXh0Ijoic1ZZRnZVcjdQanZXQ0tFakMwRFFWZktqQ3AyRmtiOFJOSDJSTkpZRzVmU1hWNDJScD\\ RDVythU0h3Y009IiwiaGFzaCI6IjVWNzNBbm9XdUxxM1BvZEZpd1AxQTdQMUZrTkZOajVPMmtmMkNxdVBxL0NRdFlOZnBvemp\\ iYUxjRDNCSWhxOGpKZ2JNR0xhMHB4dDA4cTYyc0RJMGRBPT0iLCJpdiI6Ilc1T2tNWFZuWDFCTERDUk51M05EUlE9PSIsInZl\\ cnNpb24iOiIzLjAuMCIsImhhbmRsZSI6IjRkZjg5ZGVlLWU3OTMtNGY5Ny05MGNjLTc1ZWQ5YjZlNWM4MiJ9", "keyVersion": { "id": "fadedbee-0000-0000-0000-1234567890ab" } }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: Wrap with key could not be performed. See 'reasons' for more details.", "reasons": [ { "code": "INVALID_FIELD_ERR", "message": "The field 'plaintext' must be a base64 encoded key material.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "field", "name": "plaintext" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: Wrap with key could not be performed. See 'reasons' for more details.", "reasons": [ { "code": "KEY_NOT_FOUND_ERR", "message": "Key does not exist.", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: Wrap with key could not be performed. See 'reasons' for more details.", "reasons": [ { "code": "KEY_ACTION_INVALID_STATE_ERR", "message": "Key is not in a valid state.", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Gone: Wrap with key could not be performed. See 'reasons' for more details.", "reasons": [ { "code": "KEY_DELETED_ERR", "message": "Key has already been deleted. Delete references to this key.", "status": 410, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Unwrap a key
Use a root key to unwrap or decrypt a data encryption key.
Note: When you unwrap a wrapped data encryption key (WDEK) by using
a rotated root key, the service returns a new ciphertext in the response
entity-body. Each ciphertext remains available for unwrap actions. If
you unwrap a DEK with a previous ciphertext, the service also returns
the latest ciphertext and latest key version in the response. Use the
latest ciphertext for future unwrap operations.
POST /api/v2/keys/{id}/actions/unwrapRequest
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$
The base request for unwrap key action.
{
"ciphertext": "<encrypted_data_key>",
"aad": [
"<additional_data>",
"<additional_data>"
]
}The wrapped data encryption key (WDEK) that you can export to your app or service. The ciphertext contains the DEK wrapped by the latest version of the key (WDEK). It is recommended to store and use this WDEK in future calls to Key Protect. The value is base64 encoded.
Possible values: 4 ≤ length ≤ 7184, Value must match regular expression
^.{4,7184}$The additional authentication data (AAD) used to further secure the key. If you supply AAD when you make a
wrapcall, you must specify the same AAD during a subsequentunwrapcall.Possible values: 0 ≤ number of items ≤ 126, 0 ≤ length ≤ 255, Value must match regular expression
^.{0,255}$
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/actions/unwrap -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.key_action_unwrap+json' -d '{ "ciphertext": "<encrypted_data_key>", "aad": ["<additional_data>", "<additional_data>"] }'
package main import ( "context" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication aad := []string{"<additional_data>", "<additional_data>"} ciphertext := []byte(<encrypted_data_key>) pt2, err := api.Unwrap(context.Background(), <key_ID>, ciphertext, &aad) if err != nil { fmt.Println("Error while unwrapping DEK: ", err) return } b, _ := json.MarshalIndent(pt2, "", " ") fmt.Println(string(b)) }
// Initialize the Key Protect client as specified in Authentication const unwrapKeyParams = Object.assign({}, envConfigs); unwrapKeyParams.id = "<key_ID_or_alias>"; unwrapKeyParams.keyActionUnwrapBody = { ciphertext: ciphertextResult, // encrypted result from wrap key response }; const response = keyProtectClient.unwrapKey(unwrapKeyParams); console.log('Unwrap key response result: ' + response.result.plaintext); // validate that result is same as above
import os import keyprotect from keyprotect import bxauth # Continue from example for wrap key # key = kp.create(name="MyRootKey", root=True) # message = b'This is a really important message.' unwrapped = kp.unwrap(key.get('id'), ciphertext) assert message == unwrapped
Response
Properties that are associated with the response body of an unwrap action.
The data encryption key (DEK) used in wrap actions when the query parameter is set to
wrap. The system returns a base64 encoded plaintext in the response entity-body when you perform anunwrapaction on a key. To wrap an existing DEK, provide a base64 encoded plaintext during awrapaction. To generate a new DEK, omit theplaintextproperty. Key Protect generates a random plaintext (32 bytes) that is rooted in an HSM and then wraps that value. Note: When you unwrap a wrapped data encryption key (WDEK) by using a rotated root key, the service returns a new ciphertext in the response entity-body. Each ciphertext remains available forunwrapactions. If you unwrap a DEK with a previous ciphertext, the service also returns the latest ciphertext in the response. Use the latest ciphertext for future unwrap operations.Possible values: 0 ≤ length ≤ 4096, Value must match regular expression
^.{0,4096}$The wrapped data encryption key (WDEK) that you can export to your app or service. The ciphertext contains the DEK wrapped by the latest version of the key (WDEK). It is recommended to store and use this WDEK in future calls to Key Protect. The value is base64 encoded.
Possible values: 4 ≤ length ≤ 7184, Value must match regular expression
^.{4,7184}$The key version that was used to wrap the DEK. This key version is associated with the
ciphertextvalue that was used in the request.- keyVersion
The ID of the key version.
Example:
fadedbee-0000-0000-0000-1234567890ab
The latest key version that was used to rewrap the DEK. This key version is associated with the
ciphertextvalue that's returned in the response.- rewrappedKeyVersion
The ID of the key version.
Example:
fadedbee-0000-0000-0000-1234567890ab
Status Code
Successfully unwrapped key.
The request is malformed or illegal.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
The key could not be found.
The key is not in the
Active(1) orDeactivated(3) state.The requested key was previously deleted and is no longer available. The key may be restored within thirty (30) days of deletion using
POST /keys/{id}/restore.The ciphertext provided was not wrapped by this key.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "plaintext": "tF9ss0W9HQUVkddcjSeGg/MqZFs2CVh/FFKLPLLnOwY=", "keyVersion": { "id": "fadedbee-0000-0000-0000-1234567890ab" } }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: Unwrap with key could not be performed. See 'reasons' for more details.", "reasons": [ { "code": "MISSING_FIELD_ERR", "message": "The field 'ciphertext' is required.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "field", "name": "name" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: Unwrap with key could not be performed. See 'reasons' for more details.", "reasons": [ { "code": "KEY_NOT_FOUND_ERR", "message": "Key does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: Wrap action could not be performed with the key. See 'reasons' for more details.", "reasons": [ { "code": "KEY_ACTION_INVALID_STATE_ERR", "message": "Key is not in a valid state", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Gone: Unwrap with key could not be performed. See 'reasons' for more details.", "reasons": [ { "code": "KEY_DELETED_ERR", "message": "Key has already been deleted. Delete references to this key.", "status": 410, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unprocessable Entity: Unwrap with key could not be performed. See 'reasons' for more details.", "reasons": [ { "code": "UNPROCESSABLE_CIPHERTEXT_ERR", "message": "The provided ciphertext is invalid or corrupted.", "status": 422, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Rewrap a key
Use a root key to rewrap or reencrypt a data encryption key.
POST /api/v2/keys/{id}/actions/rewrapRequest
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$
The base request for rewrap key action.
{
"ciphertext": "<encrypted_data_key>",
"aad": [
"<additional_data>",
"<additional_data>"
]
}The wrapped data encryption key (WDEK) that you want to re-encrypt by using the latest key version. When present, the ciphertext contains the DEK wrapped by the latest version of the key (WDEK). It is recommended to use store and use this WDEK in future calls to Key Protect. The value must be base64 encoded.
Possible values: 4 ≤ length ≤ 7184, Value must match regular expression
^.{4,7184}$The additional authentication data (AAD) used to further secure the key. If you supply AAD when you make a
wrapcall, you must specify the same AAD during a subsequentunwrapcall.Possible values: 0 ≤ number of items ≤ 126, 0 ≤ length ≤ 255, Value must match regular expression
^.{0,255}$
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/actions/rewrap -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.key_action_rewrap+json' -d '{ "ciphertext": "<encrypted_data_key>", "aad": ["<additional_data>", "<additional_data>"] }'
Response
Properties that are associated with the response body of an rewrap action.
The wrapped data encryption key (WDEK) that you can export to your app or service. The ciphertext contains the DEK wrapped by the latest version of the key (WDEK). It is recommended to store and use this WDEK in future calls to Key Protect. The value is base64 encoded.
Possible values: 4 ≤ length ≤ 7184, Value must match regular expression
^.{4,7184}$The key version that was used to wrap the DEK. This key version is associated with the
ciphertextvalue that was used in the request.- keyVersion
The ID of the key version.
Example:
fadedbee-0000-0000-0000-1234567890ab
The latest key version that was used to rewrap the DEK. This key version is associated with the
ciphertextvalue that's returned in the response.- rewrappedKeyVersion
The ID of the key version.
Example:
fadedbee-0000-0000-0000-1234567890ab
Status Code
The key was successfully rewrapped.
The request is malformed or illegal.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
The key could not be found.
The key is not in the
Active(1) orDeactivated(3) state.The requested key was previously deleted and is no longer available. The key may be restored within thirty (30) days of deletion using
POST /keys/{id}/restore.The ciphertext provided was not wrapped by this key.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "ciphertext": "eyJjaXBoZXJ0ZXh0Ijoic1ZZRnZVcjdQanZXQ0tFakMwRFFWZktqQ3AyRmtiOFJOSDJSTkpZRzVmU1hWNDJScD\\ RDVythU0h3Y009IiwiaGFzaCI6IjVWNzNBbm9XdUxxM1BvZEZpd1AxQTdQMUZrTkZOajVPMmtmMkNxdVBxL0NRdFlOZnBvemp\\ iYUxjRDNCSWhxOGpKZ2JNR0xhMHB4dDA4cTYyc0RJMGRBPT0iLCJpdiI6Ilc1T2tNWFZuWDFCTERDUk51M05EUlE9PSIsInZl\\ cnNpb24iOiIzLjAuMCIsImhhbmRsZSI6IjRkZjg5ZGVlLWU3OTMtNGY5Ny05MGNjLTc1ZWQ5YjZlNWM4MiJ9", "keyVersion": { "id": "fadedbee-0000-0000-0000-1234567890ab" }, "rewrappedKeyVersion": { "id": "addedace-0000-0000-0000-1234567890ab" } }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: Rewrap with key could not be performed. See 'reasons' for more details.", "reasons": [ { "code": "INVALID_FIELD_ERR", "message": "The field 'ciphertext' must be the original base64 encoded ciphertext from the wrap operation.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "field", "name": "ciphertext" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: Rewrap with key could not be performed. See 'reasons' for more details.", "reasons": [ { "code": "KEY_NOT_FOUND_ERR", "message": "Key does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: Rewrap with key could not be performed. See 'reasons' for more details.", "reasons": [ { "code": "KEY_ACTION_INVALID_STATE_ERR", "message": "Key is not in a valid state.", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Gone: Rewrap with key could not be performed. See 'reasons' for more details.", "reasons": [ { "code": "KEY_DELETED_ERR", "message": "Key has already been deleted. Delete references to this key.", "status": 410, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unprocessable Entity: Rewrap with key could not be performed. See 'reasons' for more details.", "reasons": [ { "code": "UNPROCESSABLE_CIPHERTEXT_ERR", "message": "The provided ciphertext is invalid or corrupted", "status": 422, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$Alters server behavior for POST or DELETE operations. A header with
return=minimalcauses the service to return only the key identifier as metadata. A header containingreturn=representationreturns both the key material and metadata in the response entity-body. If the key has been designated as a root key, the system cannot return the key material. Note: During POST operations, Key Protect may not immediately return the key material due to key generation time. To retrieve the key material, you can perform a subsequentGET /keys/{id}request.Allowable values: [
return=representation,return=minimal]Possible values: 14 ≤ length ≤ 21
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$
The base request for rotate key action.
Rotate key
{
"payload": "aQFr+ry+ThyyHsV0QnyVOg=="
}The key material that you want to import into the service for rotating an existing root key. This value is required for a
rotateaction if you initially imported the key material when you created the key. To rotate an imported root key, provide a base64 encoded payload in the request entity-body. To rotate a root key that was initially generated by Key Protect, omit thepayloadproperty and pass in an empty request entity-body.Possible values: 0 ≤ length ≤ 10000, Value must match regular expression
^.{0,10000}$
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/actions/rotate -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID>/actions/rotate -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.key_action_rotate+json' -d '{ "payload": "<new_key_material>" }'curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID>/actions/rotate -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.key_action_rotate+json' -d '{ "payload": "<encrypted_new_key_material>", "encryptedNonce": "<encrypted_nonce>", "iv": "<iv>", "encryptionAlgorithm": "RSAES_OAEP_SHA_256" }'
package main import ( "context" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication // Set the payload to a base64 encoded string if your key is an imported root key // Skip setting payload if your key is a generated root key payload := "<new_key_material>" err = api.Rotate(context.Background(), <key_ID> , payload) if err != nil { fmt.Println("Error rotating the key: ", err) return } fmt.Println("Key successfully rotated") }
Response
Status Code
The key was successfully rotated. No content.
The request is malformed or illegal.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
There are three possible causes for HTTP 404 while trying to rotate a key, specifying a reason code (resouces[0].reasons[0].code) as follows: KEY_NOT_FOUND_ERR: The key could not be found. INSTANCE_NOT_FOUND_ERR: Key could not be rotated, specified instance does not exist. IMPORT_TOKEN_NOT_FOUND_ERR: Key could not be rotated, import_token does not exist.
There are four possible causes for HTTP 409 while trying to rotate a key, specifying a reason code (resouces[0].reasons[0].code) as follows: KEY_ACTION_INVALID_STATE_ERR: The requested key is not in the
Active(1) orDeactivated(3) state. KEY_ROTATION_NOT_PERMITTED: Key could not be rotated, this key has been rotated within the last hour, only one rotate action per hour is permitted. KEY_CREATE_IMPORT_ACCESS_ERR: Instance policy does not allow this action. IMPORT_TOKEN_EXPIRED_ERR: Key could not be rotated, the import token has expired.The requested key was previously deleted and is no longer available. The key may be restored within thirty (30) days of deletion using
POST /keys/{id}/restore.Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: Key could not be rotated. See 'reasons' for more details.", "reasons": [ { "code": "INVALID_FIELD_ERR", "message": "The field 'payload' must be: a base64 encoded value", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "field", "name": "payload" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: Key could not be rotated. See 'reasons' for more details.", "reasons": [ { "code": "KEY_NOT_FOUND_ERR", "message": "Key does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: Key could not be rotated. See 'reasons' for more details.", "reasons": [ { "code": "KEY_ACTION_INVALID_STATE_ERR", "message": "Key is not in a valid state", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Gone: Key could not be rotated. See 'reasons' for more details.", "reasons": [ { "code": "KEY_DELETED_ERR", "message": "Key has already been deleted. Delete references to this key.", "status": 410, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Set a key for deletion
Authorize deletion for a key with a dual authorization policy.
POST /api/v2/keys/{id}/actions/setKeyForDeletionRequest
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/actions/setKeyForDeletion -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication err := api.InitiateDualAuthDelete(context.Background(), <key_ID>) if err != nil { fmt.Println("Error while initiating dual auth delete for key: ", err) return } fmt.Println("Key successfully initiated for dual auth delete") }
Response
Status Code
The key was successfully set for deletion. No content.
The request is missing a required field.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
There are two possible causes for HTTP 404 while trying to set a key for deletion, specifying a reason code (resouces[0].reasons[0].code) as follows: KEY_NOT_FOUND_ERR: The key could not be found. DUAL_AUTH_POLICY_NOT_FOUND_ERR: Dual authorization policy is not enabled for this key.
The key does not have a dual-authorization delete policy.
The requested key was previously deleted and is no longer available. The key may be restored within thirty (30) days of deletion using
POST /keys/{id}/restore.Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: The request is missing a required field." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: Key deletion could not be scheduled. See 'reasons' for more details.", "reasons": [ { "code": "KEY_NOT_FOUND_ERR", "message": "Key does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: Key deletion could not be scheduled. See 'reasons' for more details.", "reasons": [ { "code": "NOT_DUAL_AUTH_ERR", "message": "The key is not dual auth enabled and cannot be set for deletion.", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Gone: Key deletion could not be scheduled. See 'reasons' for more details.", "reasons": [ { "code": "KEY_DELETED_ERR", "message": "Key has already been deleted. Delete references to this key.", "status": 410, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Unset a key for deletion
Remove an authorization for a key with a dual authorization policy.
POST /api/v2/keys/{id}/actions/unsetKeyForDeletionRequest
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/actions/unsetKeyForDeletion -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication err := api.CancelDualAuthDelete(context.Background(), <key_ID>) if err != nil { fmt.Println("Error while cancelling dual auth delete for key: ", err) return } fmt.Println("Key successfully cancelled for dual auth delete") }
Response
Status Code
The key was successfully unset for deletion. No content.
The request is missing a required field.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
There are two possible causes for HTTP 404 while trying to unset a key for deletion, specifying a reason code (resouces[0].reasons[0].code) as follows: KEY_NOT_FOUND_ERR: The key could not be found. DUAL_AUTH_POLICY_NOT_FOUND_ERR: Dual authorization policy is not enabled for this key.
The key does not have a dual-authorization delete policy.
The requested key was previously deleted and is no longer available. The key may be restored within thirty (30) days of deletion using
POST /keys/{id}/restore.Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: The request is missing a required field." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: Key deletion could not be cancelled. See 'reasons' for more details.", "reasons": [ { "code": "KEY_NOT_FOUND_ERR", "message": "Key does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: Key deletion could not be cancelled. See 'reasons' for more details.", "reasons": [ { "code": "NOT_DUAL_AUTH_ERR", "message": "The key is not dual auth enabled and cannot be set for deletion", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Gone: Key deletion could not be cancelled. See 'reasons' for more details.", "reasons": [ { "code": "KEY_DELETED_ERR", "message": "Key has already been deleted. Delete references to this key.", "status": 410, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/actions/enable -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication err := api.EnableKey(context.Background(), <key_ID>) if err != nil { fmt.Println("Error while enabling the key: ", err) return } fmt.Println("Key successfully enabled") }
Response
Status Code
The key was successfully enabled. No content.
The request is malformed or illegal.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
The key could not be found.
There are two possible causes for HTTP 409 while trying to enable a key, specifying a reason code (resouces[0].reasons[0].code) as follows: KEY_ACTION_INVALID_STATE_ERR: The requested key is not in the
Suspended(2) state or the state of the key has changed within the last 30 seconds. REQ_TOO_EARLY_ERR: Key could not be enabled, as the key was updated recently. After key is disabled, the event must fully propagate before enabling key operations. Wait and try again.The requested key was previously deleted and is no longer available. The key may be restored within thirty (30) days of deletion using
POST /keys/{id}/restore.Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: Key could not be enabled. See 'reasons' for more details.", "reasons": [ { "code": "KEY_ROOT_REQ_ERR", "message": "Requested action can only be completed with a root key.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: Key could not be enabled. See 'reasons' for more details.", "reasons": [ { "code": "KEY_NOT_FOUND_ERR", "message": "Key does not exist.", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: Key could not be enabled. See 'reasons' for more details.", "reasons": [ { "code": "KEY_ACTION_INVALID_STATE_ERR", "message": "Key is not in a valid state", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Gone: Key could not be enabled. See 'reasons' for more details.", "reasons": [ { "code": "KEY_DELETED_ERR", "message": "Key has already been deleted. Delete references to this key.", "status": 410, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/actions/disable -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication err := api.DisableKey(context.Background(), <key_ID>) if err != nil { fmt.Println("Error while disabling the key: ", err) return } fmt.Println("Key successfully disabled") }
Response
Status Code
The key was successfully disabled. No content.
The request is malformed or illegal.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
The key could not be found.
The requested key is not in the
Active(1) state.The requested key was previously deleted and is no longer available. The key may be restored within thirty (30) days of deletion using
POST /keys/{id}/restore.Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: Key could not be disabled. See 'reasons' for more details.", "reasons": [ { "code": "KEY_ROOT_REQ_ERR", "message": "Requested action can only be completed with a root key.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: Key could not be disabled. See 'reasons' for more details.", "reasons": [ { "code": "KEY_NOT_FOUND_ERR", "message": "Key does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: Key could not be disabled. See 'reasons' for more details.", "reasons": [ { "code": "KEY_ACTION_INVALID_STATE_ERR", "message": "Key is not in a valid state", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Gone: Key could not be disabled. See 'reasons' for more details.", "reasons": [ { "code": "KEY_DELETED_ERR", "message": "Key has already been deleted. Delete references to this key.", "status": 410, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Sync associated resources
Initiate a manual data synchronization request to the associated
resources of a key. Regular key lifecycle events automatically notify
integrated services of any change. However, in the case a service does
not respond to a key lifecycle event notification after four hours, the
sync API may be used to initiate a renotification to the integrated
services that manage the associated resources linked to the key.
Note: The services that manage the associated resources linked to
the key are responsible for maintaining current records of the key
state and version. Key Protect does not have the ability to force data
synchronization for other services, which may take up to four hours to
complete. The sync API is meant to initiate a request for all
associated resources to synchronize their key records with the
information returned from the Key Protect API.
POST /api/v2/keys/{id}/actions/syncRequest
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/actions/sync -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
Response
Status Code
The sync of associate resources for a key has been initiated. No content.
The request is malformed or illegal.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
There are two possible causes for HTTP 404 for the synchronization request, the reason code (resources[0].reasons[0].code) as follows: KEY_NOT_FOUND: The specified key could not be found. NOT_SUPPORTED_IN_SATELLITE_LOCATION: The synchronization request for the specified key is not supported in this location.
The key has been synced or updated (i.e. rotated, restored, disabled, enabled, deleted) within the last hour.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: Associated resources could not be synced. See 'reasons' for more details.", "reasons": [ { "code": "KEY_ROOT_REQ_ERR", "message": "Requested action can only be completed with a root key.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: Associated resources could not be synced. See 'reasons' for more details.", "reasons": [ { "code": "KEY_NOT_FOUND_ERR", "message": "Key does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: Associated resources could not be synced. See 'reasons' for more details.", "reasons": [ { "code": "REQ_TOO_EARLY_ERR", "message": "The key was updated recently. Wait and try again.", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Set key policies
Creates or updates one or more policies for the specified key.
You can set policies for a key, such as an
automatic rotation policy
or a
dual authorization policy
to protect against the accidental deletion of keys. Use
PUT /keys/{id}/policies to create new policies for a key or update an
existing policy.
PUT /api/v2/keys/{id}/policiesRequest
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$
Query Parameters
The type of policy that is associated with the specified key.
Allowable values: [
dualAuthDelete,rotation]Possible values: 8 ≤ length ≤ 14
The base request for key policy create or update.
{
"metadata": {
"collectionType": "application/vnd.ibm.kms.policy+json",
"collectionTotal": 1
},
"resources": [
{
"type": "application/vnd.ibm.kms.policy+json",
"dualAuthDelete": {
"enabled": true
}
}
]
}A collection of resources.
Possible values: number of items = 1
curl -X PUT https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/policies -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.policy+json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 2 }, "resources": [ { "type": "application/vnd.ibm.kms.policy+json", "rotation": { "enabled": <true|false>, "interval_month": <rotation_interval> } }, { "type": "application/vnd.ibm.kms.policy+json", "dualAuthDelete": { "enabled": <true|false> } } ] }'curl -X PUT https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID>/policies?policy=dualAuthDelete -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.policy+json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.policy+json", "dualAuthDelete": { "enabled": <true|false> } } ] }'curl -X PUT https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID>/policies?policy=rotation -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.policy+json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.policy+json", "rotation": { "enabled": <true|false>, "interval_month": <rotation_interval> } } ] }'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication // Pass setRotationPolicy as true if setting rotation policy otherwise false // Pass setDualAuthDeletePolicy as true if setting dual authorization policy otherwise false // Pass dualAuthEnabled as true to enable or false to disable the dual auth delete policy. policies, err := api.SetPolicies(context.Background(), <key_ID>, <setRotationPolicy>, <rotation_interval>, <setDualAuthDeletePolicy>, <dualAuthEnabled>) if err != nil { fmt.Println("Error while setting the policies: ", err) return } b, _ := json.MarshalIndent(policies, "", " ") fmt.Println(string(b)) }package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication policy, err := api.SetRotationPolicy(context.Background(), <key_ID>, <rotation_interval>) if err != nil { fmt.Println("Error while setting rotation policy: ", err) return } b, _ := json.MarshalIndent(policy, "", " ") fmt.Println(string(b)) }package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication // Pass enabled as true to set the policy and false to unset the policy policy, err := api.SetDualAuthDeletePolicy(context.Background(), <key_ID>, <enabled>) if err != nil { fmt.Println("Error while setting dual auth delete policy: ", err) return } b, _ := json.MarshalIndent(policy, "", " ") fmt.Println(string(b)) }
Response
The base schema for retrieving a dual authorization key policy.
A collection of resources.
Possible values: 0 ≤ number of items ≤ 1
- resources
The v4 UUID used to uniquely identify the policy resource, as specified by RFC 4122.
Specifies the MIME type that represents the policy resource. Currently, only the default is supported.
Possible values: [
application/vnd.ibm.kms.policy+json]Possible values: length = 35
Example:
application/vnd.ibm.kms.policy+jsonThe Cloud Resource Name (CRN) that uniquely identifies your cloud resources.
Example:
crn:v1:bluemix:public:kms:<region>:a/<account-id>:<service-instance>:policy:<policy-id>The date the policy was created. The date format follows RFC 3339.
Example:
2000-03-21T00:00:00ZThe unique identifier for the resource that created the policy.
Possible values: 5 ≤ length ≤ 100, Value must match regular expression
^.{5,100}$Updates when the policy is replaced or modified. The date format follows RFC 3339.
Example:
2000-03-21T00:00:00ZThe unique identifier for the resource that updated the policy.
Possible values: 5 ≤ length ≤ 100, Value must match regular expression
^.{5,100}$
Status Code
The policy or policies were successfully created or updated.
The policy or policies were successfully created or updated. No content.
The policy or policies cannot be created or updated due to a malformed, invalid, or missing ID.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. Learn more.
The requested key was previously deleted and is no longer available. Delete references to this key.
The key with specified ID is invalid for use with policies.
A key must be a root key (non-extractable) in the Activated (1) state.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 2 }, "resources": [ { "id": "feddecaf-0000-0000-0000-1234567890ab", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:policy:feddecaf-0000-0000-0000-1234567890ab", "rotation": { "enabled": true, "interval_month": 3 }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdateDate": "2000-03-21T00:00:00Z" }, { "id": "beadcafe-0000-0000-0000-1234567890ab", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:policy:beadcafe-0000-0000-0000-1234567890ab", "dualAuthDelete": { "enabled": true }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdateDate": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "id": "feddecaf-0000-0000-0000-1234567890ab", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:policy:feddecaf-0000-0000-0000-1234567890ab", "dualAuthDelete": { "enabled": true }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdateDate": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "id": "beadcafe-0000-0000-0000-1234567890ab", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:policy:beadcafe-0000-0000-0000-1234567890ab", "rotation": { "enabled": true, "interval_month": 3 }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdateDate": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. [Learn more](/docs/key-protect?topic=key-protect-integrate-services#grant-access)" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Gone: The requested key was previously deleted and is no longer available. Delete references to this key." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Key policy could not be created. See `reasons` for more details.", "reasons": [ { "code": "KEY_INVALID_STATE_ERR", "message": "Key is not in a valid state", "status": 422, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
List key policies
Retrieves a list of policies that are associated with a specified key.
You can set policies for a key, such as an
automatic rotation policy
or a
dual authorization policy
to protect against the accidental deletion of keys. Use
GET /keys/{id}/policies to browse the policies that exist for a
specified key.
GET /api/v2/keys/{id}/policiesRequest
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$
Query Parameters
The type of policy that is associated with the specified key.
Allowable values: [
dualAuthDelete,rotation]Possible values: 8 ≤ length ≤ 14
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/policies -H 'accept: application/vnd.ibm.kms.policy+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID>/policies?policy=dualAuthDelete -H 'accept: application/vnd.ibm.kms.policy+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID>/policies?policy=rotation -H 'accept: application/vnd.ibm.kms.policy+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication policies, err := api.GetPolicies(context.Background(), <key_ID>) if err != nil { fmt.Println("Error while getting policies: ", err) return } b, _ := json.MarshalIndent(policies, "", " ") fmt.Println(string(b)) }package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication policy, err := api.GetRotationPolicy(context.Background(), <key_ID>) if err != nil { fmt.Println("Error while getting rotation policy: ", err) return } b, _ := json.MarshalIndent(policy, "", " ") fmt.Println(string(b)) }package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication policy, err := api.GetDualAuthDeletePolicy(context.Background(), <key_ID>) if err != nil { fmt.Println("Error while getting dual auth delete policy: ", err) return } b, _ := json.MarshalIndent(policy, "", " ") fmt.Println(string(b)) }
Response
The base schema for retrieving a dual authorization key policy.
A collection of resources.
Possible values: 0 ≤ number of items ≤ 1
- resources
The v4 UUID used to uniquely identify the policy resource, as specified by RFC 4122.
Specifies the MIME type that represents the policy resource. Currently, only the default is supported.
Possible values: [
application/vnd.ibm.kms.policy+json]Possible values: length = 35
Example:
application/vnd.ibm.kms.policy+jsonThe Cloud Resource Name (CRN) that uniquely identifies your cloud resources.
Example:
crn:v1:bluemix:public:kms:<region>:a/<account-id>:<service-instance>:policy:<policy-id>The date the policy was created. The date format follows RFC 3339.
Example:
2000-03-21T00:00:00ZThe unique identifier for the resource that created the policy.
Possible values: 5 ≤ length ≤ 100, Value must match regular expression
^.{5,100}$Updates when the policy is replaced or modified. The date format follows RFC 3339.
Example:
2000-03-21T00:00:00ZThe unique identifier for the resource that updated the policy.
Possible values: 5 ≤ length ≤ 100, Value must match regular expression
^.{5,100}$
Status Code
The policy resources were successfully retrieved.
The request is missing a required field or contains invalid values.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. Learn more.
The key could not be found.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 2 }, "resources": [ { "id": "feddecaf-0000-0000-0000-1234567890ab", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:policy:feddecaf-0000-0000-0000-1234567890ab", "rotation": { "enabled": true, "interval_month": 3 }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdateDate": "2000-03-21T00:00:00Z" }, { "id": "beadcafe-0000-0000-0000-1234567890ab", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:policy:beadcafe-0000-0000-0000-1234567890ab", "dualAuthDelete": { "enabled": true }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdateDate": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "id": "feddecaf-0000-0000-0000-1234567890ab", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:policy:feddecaf-0000-0000-0000-1234567890ab", "dualAuthDelete": { "enabled": true }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdateDate": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "id": "beadcafe-0000-0000-0000-1234567890ab", "crn": "crn:v1:bluemix:public:kms:<region>:<account-ID>:<instance-ID>:policy:beadcafe-0000-0000-0000-1234567890ab", "rotation": { "enabled": true, "interval_month": 3 }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdateDate": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. [Learn more](/docs/key-protect?topic=key-protect-integrate-services#grant-access)" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: The key could not be found. KEY_NOT_FOUND_ERR: Key does not exist" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Set instance policies
Creates or updates one or more policies for the specified service instance.
Note: When you set an instance policy, Key Protect associates the policy information with keys that you add to the instance after the policy is updated. This operation does not affect existing keys in the instance.
PUT /api/v2/instance/policies
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Query Parameters
The type of policy that is associated with the specified instance.
Allowable values: [
allowedNetwork,dualAuthDelete,allowedIP,keyCreateImportAccess,metrics,rotation]Possible values: 7 ≤ length ≤ 21
The base request for the create or update of instance level policies.
{
"metadata": {
"collectionType": "application/vnd.ibm.kms.policy+json",
"collectionTotal": 1
},
"resources": [
{
"policy_type": "allowedNetwork",
"policy_data": {
"enabled": true,
"attributes": {
"allowed_network": "private-only"
}
}
}
]
}A collection of resources.
Possible values: number of items = 1
- resources
The type of policy to be set.
Allowable values: [
allowedNetwork]Possible values: length = 14
Example:
allowedNetwork
curl -X PUT https://<region>.kms.cloud.ibm.com/api/v2/instance/policies -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.policy+json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 6 }, "resources": [ { "policy_type": "allowedNetwork", "policy_data": { "enabled": <true|false>, "attributes": { "allowed_network": "<public-and-private|private-only>" } } }, { "policy_type": "dualAuthDelete", "policy_data": { "enabled": <true|false> } }, { "policy_type": "allowedIP", "policy_data": { "enabled": <true|false>, "attributes": { "allowed_ip": ["X.X.X.X/N", "X.X.X.X/N"] } } }, { "policy_type": "keyCreateImportAccess", "policy_data": { "enabled": <true|false>, "attributes": { "create_root_key": <true|false>, "create_standard_key": <true|false>, "import_root_key": <true|false>, "import_standard_key": <true|false>, "enforce_token": <true|false> } } }, { "policy_type": "metrics", "policy_data": { "enabled": <true|false> } }, { "policy_type": "rotation", "policy_data": { "enabled": <true|false>, "attributes": { "interval_month": <rotation_interval> } } } ] }'curl -X PUT https://<region>.kms.cloud.ibm.com/api/v2/instance/policies?policy=allowedNetwork -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.policy+json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "policy_type": "allowedNetwork", "policy_data": { "enabled": <true|false>, "attributes": { "allowed_network": "<public-and-private|private-only>" } } } ] }'curl -X PUT https://<region>.kms.cloud.ibm.com/api/v2/instance/policies?policy=dualAuthDelete -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.policy+json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "policy_type": "dualAuthDelete", "policy_data": { "enabled": <true|false> } } ] }'curl -X PUT https://<region>.kms.cloud.ibm.com/api/v2/instance/policies?policy=metrics -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.policy+json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "policy_type": "metrics", "policy_data": { "enabled": <true|false> } } ] }'curl -X PUT https://<region>.kms.cloud.ibm.com/api/v2/instance/policies?policy=allowedIP -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.policy+json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "policy_type": "allowedIP", "policy_data": { "enabled": <true|false>, "attributes": { "allowed_ip": ["X.X.X.X/N", "X.X.X.X/N"] } } } ] }'curl -X PUT https://<region>.kms.cloud.ibm.com/api/v2/instance/policies?policy=keyCreateImportAccess -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.policy+json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "policy_type": "keyCreateImportAccess", "policy_data": { "enabled": <true|false>, "attributes": { "create_root_key": <true|false>, "create_standard_key": <true|false>, "import_root_key": <true|false>, "import_standard_key": <true|false>, "enforce_token": <true|false> } } } ] }'curl -X PUT https://<region>.kms.cloud.ibm.com/api/v2/instance/policies?policy=rotation -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.policy+json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "policy_type": "rotation", "policy_data": { "enabled": <true|false>, "attributes": { "interval_month": <rotation_interval> } } } ] }'
package main import ( "context" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication // Pass multiple_policies as an object of kp.MultiplePolicies setting // the policies accordingly. multiple_policies := kp.MultiplePolicies{ DualAuthDelete: &kp.BasicPolicyData{ Enabled: <true|false> }, AllowedNetwork: &kp.AllowedNetworkPolicyData{ Enabled: <true|false>, Network: "<public-and-private|private-only>", }, AllowedIP: &kp.AllowedIPPolicyData{ Enabled: <true|false>, IPAddresses: <[]string{<ip_subnet1>,<ip_subnet2>}> } Metrics: &kp.BasicPolicyData{ Enabled: <true|false> }. KeyCreateImportAccess: &kp.KeyCreateImportAccessInstancePolicy{ Enabled: <true|false>, CreateRootKey: <true|false>, CreateStandardKey: <true|false>, ImportRootKey: <true|false>, ImportStandardKey: <true|false>, EnforceToken: <true|false> } } err = api.SetPolicies(context.Background(), multiple_policies) if err != nil { fmt.Println("Error while setting policies: ", err) return } fmt.Println("Instance policies set successfully") }package main import ( "context" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication allowedIPs := []string{<ip_subnet1>,<ip_subnet2>} err = api.SetAllowedIPInstancePolicy(context.Background(), <true|false>, allowedIPs) if err != nil { fmt.Println("Error while setting allowed IP policy: ", err) return } fmt.Println("Allowed IP instance policy set successfully") }package main import ( "context" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication networkType := "<private-only|public-and-private>" err = api.SetAllowedNetworkInstancePolicy(context.Background(), <true|false>, networkType) if err != nil { fmt.Println("Error while setting allowed network policy: ", err) return } fmt.Println("Allowed network instance policy set successfully") }package main import ( "context" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication err = api.SetDualAuthInstancePolicy(context.Background(), <true|false>) if err != nil { fmt.Println("Error while setting dual authorization policy: ", err) return } fmt.Println("Dual auth instance policy set successfully") }package main import ( "context" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication // Pass true to set the policy or false to unset the policy attributes := map[string]bool{ kp.CreateRootKey: <true|false>, kp.CreateStandardKey: <true|false>, kp.ImportRootKey: <true|false>, kp.ImportStandardKey: <true|false>, kp.EnforceToken: <true|false>, } err = api.SetKeyCreateImportAccessInstancePolicy(context.Background(), <true|false>, attributes) if err != nil { fmt.Println("Error while setting key create import access policy: ", err) return } fmt.Println("Key create import access instance policy set successfully") }package main import ( "context" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication err = api.SetMetricsInstancePolicy(context.Background(), <true|false>) if err != nil { fmt.Println("Error while setting metrics policy: ", err) return } fmt.Println("Metrics instance policy set successfully") }package main import ( "context" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication intervalMonth := 3 enable := true err := client.SetRotationInstancePolicy(context.Background(), enable, &intervalMonth) if err != nil { fmt.Println(err) } rotationInstancePolicy, err := client.GetRotationInstancePolicy(context.Background()) if err != nil { fmt.Println(err) } fmt.Println(rotationInstancePolicy) }
Response
Status Code
The policy or policies were successfully created or updated. No content.
The policy or policies cannot be created or updated due to a malformed or invalid request.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
There are two possible causes for HTTP 403 while trying to set instance policies, specifying a reason code (resouces[0].reasons[0].code) as follows: FEATURE_RESTRICTED_ERR: Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. CONFIG_RULE_CONFLICT_ERR: Instance policy could not be created, requested change is not compliant with configuration rules.
The requested key was previously deleted and is no longer available. Delete references to this key.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Gone: The requested key was previously deleted and is no longer available. Delete references to this key." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
List instance policies
Retrieves a list of policies that are associated with a specified service instance.
You can manage advanced preferences for keys in your service instance by
creating instance-level policies. Use GET /instance/policies to browse
the policies that are associated with the specified instance. Currently,
dual authorization policies are supported.
GET /api/v2/instance/policies
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Query Parameters
The type of policy that is associated with the specified instance.
Allowable values: [
allowedNetwork,dualAuthDelete,allowedIP,keyCreateImportAccess,metrics,rotation]Possible values: 7 ≤ length ≤ 21
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/instance/policies -H 'accept: application/vnd.ibm.kms.policy+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/instance/policies?policy=allowedNetwork -H 'accept: application/vnd.ibm.kms.policy+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/instance/policies?policy=dualAuthDelete -H 'accept: application/vnd.ibm.kms.policy+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/instance/policies?policy=allowedIP -H 'accept: application/vnd.ibm.kms.policy+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/instance/policies?policy=keyCreateImportAccess -H 'accept: application/vnd.ibm.kms.policy+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/instance/policies?policy=metrics -H 'accept: application/vnd.ibm.kms.policy+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/instance/policies?policy=rotation -H 'accept: application/vnd.ibm.kms.policy+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication policies, err := api.GetInstancePolicies(context.Background()) if err != nil { fmt.Println("Error while getting policies: ", err) return } b, _ := json.MarshalIndent(policies, "", " ") fmt.Println(string(b)) }package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication policy, err := api.GetAllowedIPInstancePolicy(context.Background()) if err != nil { fmt.Println("Error while getting allowed IP policy: ", err) return } b, _ := json.MarshalIndent(policy, "", " ") fmt.Println(string(b)) }package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication policy, err := api.GetAllowedNetworkInstancePolicy(context.Background()) if err != nil { fmt.Println("Error while getting allowed network policy: ", err) return } b, _ := json.MarshalIndent(policy, "", " ") fmt.Println(string(b)) }package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication policy, err := api.GetDualAuthInstancePolicy(context.Background()) if err != nil { fmt.Println("Error while getting dual auth policy: ", err) return } b, _ := json.MarshalIndent(policy, "", " ") fmt.Println(string(b)) }package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication policy, err := api.GetKeyCreateImportAccessInstancePolicy(context.Background()) if err != nil { fmt.Println("Error while getting key create import access policy: ", err) return } b, _ := json.MarshalIndent(policy, "", " ") fmt.Println(string(b)) }package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication policy, err := api.GetMetricsInstancePolicy(context.Background()) if err != nil { fmt.Println("Error while getting metrics policy: ", err) return } b, _ := json.MarshalIndent(policy, "", " ") fmt.Println(string(b)) }
Response
Properties that are associated with retrieving an instance level allowed network policy.
A collection of resources.
Possible values: number of items = 1
- resources
The type of policy to be retrieved.
User defined metadata that is associated with the
allowedNetworkinstance policy type.- policy_data
If set to
true, Key Protect enables the specified policy for your service instance. If set tofalse, Key Protect disables the specified policy for your service instance, and the policy will no longer affect Key Protect actions. Note: If a policy with attributes is disabled, all attributes are reset and are not retained.Example:
trueData associated with the policy type
allowed_network.- attributes
If set to
public-and-private, Key Protect allows the instance to be accessible through public and private endpoints. If set toprivate-only, Key Protect restricts the instance to only be accessible through a private endpoint.Possible values: [
public-and-private,private-only]Possible values: 12 ≤ length ≤ 18
The date the policy was created. The date format follows RFC 3339.
Example:
2000-03-21T00:00:00ZThe unique identifier for the resource that created the policy.
Possible values: 5 ≤ length ≤ 100, Value must match regular expression
^.{5,100}$The unique identifier for the resource that updated the policy.
Possible values: 5 ≤ length ≤ 100, Value must match regular expression
^.{5,100}$Updates when the policy is replaced or modified. The date format follows RFC 3339.
Example:
2000-03-21T00:00:00Z
Status Code
The policy resources were successfully retrieved.
The request is missing a required field or contains invalid values.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. Learn more.
The key could not be found.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 6 }, "resources": [ { "policy_type": "allowedNetwork", "policy_data": { "enabled": true, "attributes": { "allowed_network": "private-only" } }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z" }, { "policy_type": "dualAuthDelete", "policy_data": { "enabled": true }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z" }, { "policy_type": "metrics", "policy_data": { "enabled": true }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z" }, { "policy_type": "allowedIP", "policy_data": { "enabled": true, "attributes": { "allowed_ip": [ "X.X.X.X/N", "X.X.X.X/N" ] } }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z" }, { "policy_type": "keyCreateImportAccess", "policy_data": { "enabled": true, "attributes": { "create_root_key": true, "create_standard_key": true, "import_root_key": true, "import_standard_key": true, "enforce_token": false } }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z" }, { "policy_type": "rotation", "policy_data": { "enabled": true, "attributes": { "interval_month": 3 } }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "policy_type": "allowedNetwork", "policy_data": { "enabled": true, "attributes": { "allowed_network": "private-only" } }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "policy_type": "dualAuthDelete", "policy_data": { "enabled": true }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "policy_type": "allowedIP", "policy_data": { "enabled": true, "attributes": { "allowed_ip": [ "X.X.X.X/N", "X.X.X.X/N" ] } }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "policy_type": "keyCreateImportAccess", "policy_data": { "enabled": true, "attributes": { "create_root_key": true, "create_standard_key": true, "import_root_key": true, "import_standard_key": true, "enforce_token": false } }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "policy_type": "metrics", "policy_data": { "enabled": true }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "policy_type": "rotation", "policy_data": { "enabled": true, "attributes": { "interval_month": 3 } }, "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. [Learn more](/docs/key-protect?topic=key-protect-integrate-services#grant-access)" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: The key could not be found. KEY_NOT_FOUND_ERR: Key does not exist" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Retrieve allowed IP port
Retrieves the private endpoint port associated with your service instance's active allowed IP policy. If the instance does not contain an active allowed IP policy, no information will be returned.
GET /api/v2/instance/allowed_ip_port
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/instance/allowed_ip_port -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.allowed_ip_port+json'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication port, err := api.GetAllowedIPPrivateNetworkPort(context.Background()) if err != nil { fmt.Println("Error while getting allowed IP private port: ", err) return } fmt.Printf("Port number: %d", port) }
Response
Properties associated with the port associated with an instance with an allowed IP policy.
The metadata that describes the resource array.
A collection of resources.
Possible values: number of items = 1
Status Code
The allowed IP port information was successfully retrieved.
The request is missing a required field or contains invalid values.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. Learn more.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.allowed_ip_metadata+json", "collectionTotal": 1 }, "resources": [ { "private_endpoint_port": 8888 } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. [Learn more](/docs/key-protect?topic=key-protect-integrate-services#grant-access)" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Create an import token
Creates an import token that you can use to encrypt and import root keys into the service. Learn more.
When you call POST /import_token, Key Protect creates an RSA key-pair
from its HSMs. The service encrypts and stores the private key in the
HSM, and returns the corresponding public key when you call
GET /import_token. You can create only one import token per service
instance.
POST /api/v2/import_token
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key belongs to. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$Default:
default
The base request to create an import token.
The time in seconds from the creation of an import token that determines how long its associated public key remains valid. The minimum value is
300seconds (5 minutes), and the maximum value is86400(24 hours). The default value is600(10 minutes).Possible values: 300 ≤ value ≤ 86400
Default:
600The number of times that an import token can be retrieved within its expiration time before it is no longer accessible.
Possible values: 1 ≤ value ≤ 500
Default:
1
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/import_token -H 'accept: application/vnd.ibm.collection+json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json' -d '{ "expiration": "<expiration_time>", "maxAllowedRetrievals": <use_count> }'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication importToken, err := api.CreateImportToken(context.Background(), <expiration_time>, <use_count>) if err != nil { fmt.Println("Error while creating import token: ", err) return } b, _ := json.MarshalIndent(importToken, "", " ") fmt.Println(string(b)) }
Response
Properties that are associated with import tokens.
The time in seconds from the creation of an import token that determines how long its associated public key remains valid. The minimum value is
300seconds (5 minutes), and the maximum value is86400(24 hours). The default value is600(10 minutes).Possible values: 300 ≤ value ≤ 86400
The number of times that an import token can be retrieved within its expiration time before it is no longer accessible.
Possible values: 1 ≤ value ≤ 500
The date the import token was created. The date format follows RFC 3339.
Possible values: length = 20
Example:
2000-03-21T00:00:00ZThe date the import token expires. The date format follows RFC 3339.
Possible values: length = 20
Example:
2000-03-21T00:00:00ZThe number of retrievals that are available for the import token before it is no longer accessible.
Possible values: value ≥ 1
Status Code
The import token was successfully created.
The import token cannot be created due to a malformed or invalid request.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. Learn more.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "creationDate": "2000-03-21T00:00:00Z", "expirationDate": "2000-03-21T00:00:00Z", "maxAllowedRetrievals": 10, "remainingRetrievals": 10 }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. [Learn more](/docs/key-protect?topic=key-protect-integrate-services#grant-access)" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Retrieve an import token
Retrieves the import token that is associated with your service instance.
When you call GET /import_token, Key Protect returns the public key
that you can use to encrypt and import key material to the service,
along with details about the key.
Note: After you reach the maxAllowedRetrievals or expirationDate
for the import token, the import token and its associated public key can
no longer be used for key operations. To create a new import token, use
POST /import_token.
GET /api/v2/import_token
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key belongs to. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$Default:
default
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/import_token -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/vnd.ibm.kms.import_token+json'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication importToken, err := api.GetImportTokenTransportKey(context.Background()) if err != nil { fmt.Println("Error while getting import token: ", err) return } b, _ := json.MarshalIndent(importToken, "", " ") fmt.Println(string(b)) }
Response
The base schema for retrieving an import token.
The time in seconds from the creation of an import token that determines how long its associated public key remains valid. The minimum value is
300seconds (5 minutes), and the maximum value is86400(24 hours). The default value is600(10 minutes).Possible values: 300 ≤ value ≤ 86400
The number of times that an import token can be retrieved within its expiration time before it is no longer accessible.
Possible values: 1 ≤ value ≤ 500
The date the import token was created. The date format follows RFC 3339.
Possible values: length = 20
Example:
2000-03-21T00:00:00ZThe date the import token expires. The date format follows RFC 3339.
Possible values: length = 20
Example:
2000-03-21T00:00:00ZThe number of retrievals that are available for the import token before it is no longer accessible.
Possible values: value ≥ 1
The public encryption key that you can use to encrypt key material before you import it into the service. This value is a PEM-encoded public key in PKIX format. Because PEM encoding is a binary format, the value is base64 encoded.
Possible values: length = 1068, Value must match regular expression
^.{1068}$The nonce value that is used to verify a key import request. Encrypt and provide the encrypted nonce value when you use
POST /keysto securely import a key to the service.Possible values: length = 16
Status Code
The import token was successfully retrieved.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. Learn more.
There are two possible causes for HTTP 404 while trying to retrieve an import token, specifying a reason code (resouces[0].reasons[0].code) as follows: IMPORT_TOKEN_NOT_FOUND_ERR: An import token was not found in the specified service instance. To create an import token, use
POST /import_token. INSTANCE_NOT_FOUND_ERR: Import token could not be retrieved, instance does not exist.The import token has reached its
maxAllowedRetrievalsorexpirationDate, and it is no longer available for use. To create a new import token, usePOST /import_token.In very rare cases, the import token may expire before its expiration time. Ensure that your client application is configured with a retry mechanism for catching and responding to
409conflict exceptions.Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "creationDate": "2000-03-21T00:00:00Z", "expirationDate": "2000-03-21T00:00:00Z", "maxAllowedRetrievals": 10, "remainingRetrievals": 9, "payload": "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=", "nonce": "8zJE9pKVdXVe/nLb" }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Your service is not authorized to make this request. Ensure that an authorization exists between your service and Key Protect. [Learn more](/docs/key-protect?topic=key-protect-integrate-services#grant-access)" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not found: An import token was not found in the specified service instance. To create an import token, use 'POST /import_token'." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: The import token has reached its 'maxAllowedRetrievals' or 'expirationDate'. To create a new import token, use 'POST /import_token'." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Create a registration
Service to service calls only. Creates a registration between a root key and a cloud resource, such as a Cloud Object Storage bucket. The key is identified by its ID, and the cloud resource is identified by its Cloud Resource Name (CRN).
POST /api/v2/keys/{id}/registrations/{urlEncodedResourceCRN}Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$The URL encoded Cloud Resource Name (CRN) that uniquely identifies the cloud resource. At minimum, provide a CRN that includes the
service-instancesegment.Possible values: 9 ≤ length ≤ 400, Value must match regular expression
^(((?!((%3a)|(%3A))).)*((%3a|%3A))){9}(((?!((%3a)|(%3A))).)*)$Example:
crn%3av1%3abluemix%3apublic%3acloud-object-storage%3aglobal%3aa%2f00000000000000000000000000000000%3afeddecaf-0000-0000-0000-1234567890ab%3a%3abucket
The base request for creating a registration.
{
"metadata": {
"collectionType": "application/vnd.ibm.kms.registration_input+json",
"collectionTotal": 1
},
"resources": [
{
"preventKeyDeletion": false,
"description": "A resource registration on a Key Protect key"
}
]
}The metadata that describes the resource array.
A collection of resources.
Possible values: number of items = 1
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/registrations/<url_encoded_CRN> -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.registration_input+json", "collectionTotal": 1 }, "resources": [ { "preventKeyDeletion": "false", "description": "A resource registration on a Key Protect key" } ] }'
Response
Properties associated with a registration response.
The metadata that describes the resource array.
A collection of resources.
Possible values: number of items = 1
Status Code
A registration with identical properties (
keyId,resourceCrn,preventKeyDeletion,description, andregistrationMetadata) was previously created between the specified key and cloud resource.A new registration was successfully created.
The registration could not be created due to a malformed
urlEncodedResourceCRN, an invalid or missing request body, or an invalid key ID.Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
You are not authorized to make this request due to missing authorization between the service instance and Key Protect instance, requiring a service-to-service call, or a mismatch between the cloud service CRN and the resource CRN.
The key with specified ID could not be found.
A registration with different properties already exists between the specified key and cloud resource.
The key with specified ID is invalid for use with registrations.
A key must be a root key (non-extractable) in the Activated (1) state.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.registration+json", "collectionTotal": 1 }, "resources": [ { "keyId": "fadedbee-0000-0000-0000-1234567890ab", "keyName": "Root-key", "resourceCrn": "crn:v1:bluemix:public:<service-name>:<location>:a/<account-id>:<service-instance>:<resource-type>:<resource>", "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z", "description": "A resource registration on a Key Protect key", "preventKeyDeletion": false, "keyVersion": { "id": "fadedbee-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" } } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.registration+json", "collectionTotal": 1 }, "resources": [ { "keyId": "fadedbee-0000-0000-0000-1234567890ab", "keyName": "Root-key", "resourceCrn": "crn:v1:bluemix:public:<service-name>:<location>:a/<account-id>:<service-instance>:<resource-type>:<resource>", "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z", "description": "A resource registration on a Key Protect key", "preventKeyDeletion": false, "keyVersion": { "id": "fadedbee-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" } } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Registration could not be created. See 'reasons' for more details.", "reasons": [ { "code": "INVALID_PARAM_ERR", "message": "The param 'urlEncodedResourceCRN' must be: specified to no more than 10 segments", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "urlEncodedResourceCRN" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Caller is not authorized to make this request.", "reasons": [ { "code": "RESOURCE_OWNER_ERR", "message": "The resource queried does not belong to the service.", "status": 403, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Registration could not be created. See 'reasons' for more details.", "reasons": [ { "code": "KEY_NOT_FOUND", "message": "Key does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Registration could not be created. See 'reasons' for more details.", "reasons": [ { "code": "REGISTRATION_DUP_ERR", "message": "Registration already exists", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Registration could not be created. See 'reasons' for more details.", "reasons": [ { "code": "KEY_INVALID_STATE_ERR", "message": "Key is not in a valid state", "status": 422, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Update a registration
Service to service calls only. Updates an existing registration based on the properties that you specify.
When you call PATCH /registrations, Key Protect updates only the
properties that you specify in the request entity-body. To replace the
registration, use PUT /registrations. The preventKeyDeletion policy should
only be set if a WORM policy must be satisfied (as would be needed for this example:
https://www.ibm.com/docs/en/spectrum-scale/5.0.1?topic=ics-how-write-once-read-many-worm-storage-works).
Do not set this policy by default.
PATCH /api/v2/keys/{id}/registrations/{urlEncodedResourceCRN}Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$The URL encoded Cloud Resource Name (CRN) that uniquely identifies the cloud resource. At minimum, provide a CRN that includes the
service-instancesegment.Possible values: 9 ≤ length ≤ 400, Value must match regular expression
^(((?!((%3a)|(%3A))).)*((%3a|%3A))){9}(((?!((%3a)|(%3A))).)*)$Example:
crn%3av1%3abluemix%3apublic%3acloud-object-storage%3aglobal%3aa%2f00000000000000000000000000000000%3afeddecaf-0000-0000-0000-1234567890ab%3a%3abucket
The base request for updating a registration.
{
"metadata": {
"collectionType": "application/vnd.ibm.kms.registration_input+json",
"collectionTotal": 1
},
"resources": [
{
"preventKeyDeletion": false,
"description": "A resource registration on a Key Protect key"
}
]
}The metadata that describes the resource array.
A collection of resources.
Possible values: number of items = 1
curl -X PATCH https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/registrations/<url_encoded_CRN> -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.registration_input+json", "collectionTotal": 1 }, "resources": [ { "preventKeyDeletion": "false" } ] }'
Response
Properties associated with a registration response.
The metadata that describes the resource array.
A collection of resources.
Possible values: number of items = 1
Status Code
The registration was successfully updated.
The registration could not be updated due to a malformed
urlEncodedResourceCRN, an invalid or missing request body, or an invalid key ID.Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
You are not authorized to make this request due to missing authorization between the service instance and Key Protect instance, requiring a service-to-service call, or a mismatch between the cloud service CRN and the resource CRN.
The registration or key could not be found. Verify that the specified key ID and CRN are valid.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.registration+json", "collectionTotal": 1 }, "resources": [ { "keyId": "fadedbee-0000-0000-0000-1234567890ab", "keyName": "Root-key", "resourceCrn": "crn:v1:bluemix:public:<service-name>:<location>:a/<account-id>:<service-instance>:<resource-type>:<resource>", "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z", "description": "A resource registration on a Key Protect key", "preventKeyDeletion": false, "keyVersion": { "id": "fadedbee-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" } } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Registration could not be updated. See 'reasons' for more details.", "reasons": [ { "code": "INVALID_PARAM_ERR", "message": "The param 'urlEncodedResourceCRN' must be specified to no more than 10 segments.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "urlEncodedResourceCRN" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Caller is not authorized to make this request.", "reasons": [ { "code": "RESOURCE_OWNER_ERR", "message": "The resource queried does not belong to the service.", "status": 403, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Registration could not be updated. See 'reasons' for more details.", "reasons": [ { "code": "REGISTRATION_NOT_FOUND_ERR", "message": "Registration does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Replace a registration
Service to service calls only. Replace an existing registration between a root key and a cloud resource. The key is identified by its ID, and the cloud resource is identified by its Cloud Resource Name (CRN).
When you call PUT /registrations, Key Protect replaces the existing
registration with the properties that you provide in the request
entity-body.
PUT /api/v2/keys/{id}/registrations/{urlEncodedResourceCRN}Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$The URL encoded Cloud Resource Name (CRN) that uniquely identifies the cloud resource. At minimum, provide a CRN that includes the
service-instancesegment.Possible values: 9 ≤ length ≤ 400, Value must match regular expression
^(((?!((%3a)|(%3A))).)*((%3a|%3A))){9}(((?!((%3a)|(%3A))).)*)$Example:
crn%3av1%3abluemix%3apublic%3acloud-object-storage%3aglobal%3aa%2f00000000000000000000000000000000%3afeddecaf-0000-0000-0000-1234567890ab%3a%3abucket
The base request for replacing a registration.
{
"metadata": {
"collectionType": "application/vnd.ibm.kms.registration_input+json",
"collectionTotal": 1
},
"resources": [
{
"preventKeyDeletion": false,
"description": "A resource registration on a Key Protect key",
"registrationMetadata": "Registration metadata",
"keyVersionId": "fadedbee-0000-0000-0000-1234567890ab"
}
]
}The metadata that describes the resource array.
A collection of resources.
Possible values: number of items = 1
curl -X PUT https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/registrations/<url_encoded_CRN> -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.registration_input+json", "collectionTotal": 1 }, "resources": [ { "preventKeyDeletion": "false", "description": "A resource registration on a Key Protect key", "keyVersionId": "<key version ID>" } ] }'
Response
Properties associated with a registration response.
The metadata that describes the resource array.
A collection of resources.
Possible values: number of items = 1
Status Code
The registration was successfully replaced.
The registration could not be replaced due to a malformed
urlEncodedResourceCRN, an invalid or missing request body, or an invalid key ID.Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
You are not authorized to make this request due to missing authorization between the service instance and Key Protect instance, requiring a service-to-service call, or a mismatch between the cloud service CRN and the resource CRN.
The registration or key could not be found. Verify that the specified key ID and CRN are valid.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.registration+json", "collectionTotal": 1 }, "resources": [ { "keyId": "fadedbee-0000-0000-0000-1234567890ab", "keyName": "Root-key", "resourceCrn": "crn:v1:bluemix:public:<service-name>:<location>:a/<account-id>:<service-instance>:<resource-type>:<resource>", "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z", "description": "A resource registration on a Key Protect key", "preventKeyDeletion": false, "keyVersion": { "id": "fadedbee-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" } } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Registration could not be replaced. See 'reasons' for more details.", "reasons": [ { "code": "INVALID_PARAM_ERR", "message": "The param 'urlEncodedResourceCRN' must be specified to no more than 10 segments.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "urlEncodedResourceCRN" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Caller is not authorized to make this request.", "reasons": [ { "code": "RESOURCE_OWNER_ERR", "message": "The resource queried does not belong to the service.", "status": 403, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Registration could not be replaced. See 'reasons' for more details.", "reasons": [ { "code": "REGISTRATION_NOT_FOUND_ERR", "message": "Registration does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Delete a registration
Service to service calls only. Deletes an existing registration between a root key and a cloud resource.
This action permanently removes the registration from the Key Protect database.
DELETE /api/v2/keys/{id}/registrations/{urlEncodedResourceCRN}Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$Alters server behavior for POST or DELETE operations. A header with
return=minimalcauses the service to return only the key identifier as metadata. A header containingreturn=representationreturns both the key material and metadata in the response entity-body. If the key has been designated as a root key, the system cannot return the key material. Note: During POST operations, Key Protect may not immediately return the key material due to key generation time. To retrieve the key material, you can perform a subsequentGET /keys/{id}request.Allowable values: [
return=representation,return=minimal]Possible values: 14 ≤ length ≤ 21
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$The URL encoded Cloud Resource Name (CRN) that uniquely identifies the cloud resource. At minimum, provide a CRN that includes the
service-instancesegment.Possible values: 9 ≤ length ≤ 400, Value must match regular expression
^(((?!((%3a)|(%3A))).)*((%3a|%3A))){9}(((?!((%3a)|(%3A))).)*)$Example:
crn%3av1%3abluemix%3apublic%3acloud-object-storage%3aglobal%3aa%2f00000000000000000000000000000000%3afeddecaf-0000-0000-0000-1234567890ab%3a%3abucket
curl -X DELETE https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/registrations/<url_encoded_CRN> -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
Response
Properties associated with a registration response.
The metadata that describes the resource array.
A collection of resources.
Possible values: number of items = 1
Status Code
The registration was successfully deleted.
The registration was successfully deleted. No content.
The registration could not be deleted due to a malformed
urlEncodedResourceCRN, an invalid or missing request body, or an invalid key ID.Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
You are not authorized to make this request due to missing authorization between the service instance and Key Protect instance, requiring a service-to-service call, or a mismatch between the cloud service CRN and the resource CRN.
The registration or key could not be found. Verify that the specified key ID and CRN are valid.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.registration+json", "collectionTotal": 1 }, "resources": [ { "keyId": "fadedbee-0000-0000-0000-1234567890ab", "keyName": "Root-key", "resourceCrn": "crn:v1:bluemix:public:<service-name>:<location>:a/<account-id>:<service-instance>:<resource-type>:<resource>", "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00.000Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00.000Z", "description": "A resource registration on a Key Protect key", "preventKeyDeletion": false, "keyVersion": { "id": "fadedbee-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00.000Z" } } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Registration could not be deleted. See 'reasons' for more details.", "reasons": [ { "code": "INVALID_PARAM_ERR", "message": "The param 'urlEncodedResourceCRN' must be: specified to no more than 10 segments", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "urlEncodedResourceCRN" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Caller is not authorized to make this request.", "reasons": [ { "code": "RESOURCE_OWNER_ERR", "message": "The resource queried does not belong to the service.", "status": 403, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Registration could not be deleted. See 'reasons' for more details.", "reasons": [ { "code": "REGISTRATION_NOT_FOUND_ERR", "message": "Registration does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Deactivate a registration
Deprecated. Invokes an action, such as a deactivate operation, on a registration with the specified key ID and CRN.
When a customer deletes a root key that is associated with a cloud
resource, the registration between the resources moves to the
Suspended state. As an integrated service, use
POST /keys/{id}/registrations?action=deactivate to acknowledge the
deletion. This action moves the registration to a Deactivated state.
POST /api/v2/keys/{id}/registrationsRequest
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$Alters server behavior for POST or DELETE operations. A header with
return=minimalcauses the service to return only the key identifier as metadata. A header containingreturn=representationreturns both the key material and metadata in the response entity-body. If the key has been designated as a root key, the system cannot return the key material. Note: During POST operations, Key Protect may not immediately return the key material due to key generation time. To retrieve the key material, you can perform a subsequentGET /keys/{id}request.Allowable values: [
return=representation,return=minimal]Possible values: 14 ≤ length ≤ 21
Path Parameters
The v4 UUID that uniquely identifies the key.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Query Parameters
The action to perform on the specified key.
Allowable values: [
deactivate]Possible values: length = 10
The base request for registration actions.
{
"metadata": {
"collectionType": "application/vnd.ibm.kms.resource_crn+json",
"collectionTotal": 1
},
"resources": [
{
"resourceCrn": "crn:v1:bluemix:public:<service-name>:<location>:a/<account-id>:<service-instance>:<resource-type>:<resource>"
}
]
}A collection of resources.
Possible values: number of items = 1
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID>/registrations?action=deactivate -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.crn+json", "collectionTotal": 1 }, "resources": [ { "resourceCrn": "<CRN that is associated with the specified deleted key ID to deactivate>" } ] }'
Response
The base schema for the request body of deactivate registration.
The metadata that describes the resource array.
A collection of resources.
Possible values: number of items = 1
Status Code
The requested action was successfully performed on the registration.
The requested action was successfully performed on the registration. No content.
The requested action could not be performed due to an invalid or missing request body, or invalid key ID.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
You are not authorized to make this request due to missing authorization between the service instance and Key Protect instance, requiring a service-to-service call, or a mismatch between the cloud service CRN and the resource CRN.
The registration or key could not be found. Verify that the specified key ID and CRN are valid.
The action could not be performed on the registration because it is in an invalid state.
For action
deactivate, the registration must be in theSuspended(2) state.Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.resource_crn+json", "collectionTotal": 1 }, "resources": [ { "resourceCrn": "crn:v1:bluemix:public:<service-name>:<location>:a/<account-id>:<service-instance>:<resource-type>:<resource>" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Action could not be performed on registration. See 'reasons' for more details.", "reasons": [ { "code": "INVALID_FIELD_ERR", "message": "The field 'resourceCrn' must be:", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "urlEncodedResourceCRNQuery" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Caller is not authorized to make this request.", "reasons": [ { "code": "RESOURCE_OWNER_ERR", "message": "The resource queried does not belong to the service.", "status": 403, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Action could not be performed on registration. See 'reasons' for more details.", "reasons": [ { "code": "REGISTRATION_NOT_FOUND_ERR", "message": "Registration does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Action could not be performed on registration. See 'reasons' for more details.", "reasons": [ { "code": "REG_INVALID_STATE_ERR", "message": "Request action cannot be performed on the registration in its current state.", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
List registrations for a key
Retrieves a list of registrations that are associated with a specified root key.
When you use a root key to protect an IBM Cloud resource, such as a
Cloud Object Storage bucket, Key Protect creates a registration between
the resource and root key. You can use GET /keys/{id}/registrations to
understand which cloud resources are protected by the key that you
specify.
GET /api/v2/keys/{id}/registrationsRequest
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID that uniquely identifies the key.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Query Parameters
The number of registrations to retrieve. By default returns the first 200 registrations. To retrieve a different set of registrations, use
limitwithoffsetto page through your available resources. The maximum value forlimitis 5,000. Usage: If you have 20 registrations that are associated with a key, and you want to retrieve only the first 5 registrations, use../registrations?limit=5.Possible values: 1 ≤ value ≤ 5000
Default:
200The number of registrations to skip. By specifying
offset, you retrieve a subset of registrations that starts with theoffsetvalue. Useoffsetwithlimitto page through your available resources. Usage: If you have 100 registrations that are associated with a key, and you want to retrieve registrations 26 through 50, use../registrations?offset=25&limit=25.Possible values: value ≥ 0
Default:
0Filters for resources that are associated with a specified Cloud Resource Name (CRN) by using URL encoded wildcard characters (
*). The parameter should contain all CRN segments and must be URL encoded. Supports a prefix search when you specify*on the last CRN segment. Usage: To list registrations that are associated with all resources in<service-instance>, use a URL encoded version of the following string:crn:v1:bluemix:public:<service-name>:<location>:a/<account>:<service-instance>:*:*. To search for subresources, use the following CRN format:crn:v1:bluemix:public:<service-name>:<location>:a/<account>:<service-instance>:<resource-type>:<resource>/<subresource>. For more examples, see CRN query examples.Possible values: 9 ≤ length ≤ 4000, Value must match regular expression
^(((?!((%3a)|(%3A))).)*((%3a|%3A))){9}(((?!((%3a)|(%3A))).)*)$Example:
crn%3Av1%3Abluemix%3Apublic%3Adatabases-for-postgresql%3Aus-south%3Aa%2F00000000000000000000000000000000%3Afeddecaf-0000-0000-0000-1234567890ab%3A*%3A*Filters registrations based on the
preventKeyDeletionproperty. You can use this query parameter to search for registered cloud resources that are non-erasable due to a retention policy. This policy should only be set if a WORM policy (https://www.ibm.com/docs/en/spectrum-scale/5.0.1?topic=ics-how-write-once-read-many-worm-storage-works) must be satisfied. Do not set this policy by default. Usage: To search for registered cloud resources that have a retention policy, use../registrations?preventKeyDeletion=true.If set to
true, returnstotalCountin the response metadata for use with pagination. ThetotalCountvalue returned specifies the total number of registrations that match the request, disregarding limit and offset. Usage: To return thetotalCountvalue for use with pagination, use../registrations?totalCount=true.
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/registrations -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication registrations, err := api.ListRegistrations(context.Background(), <keyID>, "") if err != nil { fmt.Println("Error while getting registrations: ", err) return } b, _ := json.MarshalIndent(registrations, "", " ") fmt.Println(string(b)) }
Response
Properties associated with a list registration response which may include total registration count.
The metadata that describes the resource array.
A collection of resources.
Possible values: 0 ≤ number of items ≤ 5000
Status Code
The list of registrations was successfully retrieved.
The list of registrations could not be retrieved due to a malformed
urlEncodedResourceCRN, an invalid or missing request body, or an invalid key ID.Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
You are not authorized to make this request due to missing authorization between the service instance and Key Protect instance, requiring a service-to-service call, or a mismatch between the cloud service CRN and the resource CRN.
The key with specified ID could not be found.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.registration+json", "collectionTotal": 2, "totalCount": 4 }, "resources": [ { "keyId": "fadedbee-0000-0000-0000-1234567890ab", "keyName": "Root-key", "resourceCrn": "crn:v1:bluemix:public:cloud-object-storage:global:a/<account-id>:<service-instance>:bucket:<bucket-name>", "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z", "description": "Registration between a bucket and root key", "preventKeyDeletion": false, "keyVersion": { "id": "addedace-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" } }, { "keyId": "fadedbee-0000-0000-0000-1234567890ab", "keyName": "Root-key", "resourceCrn": "crn:v1:bluemix:public:cloud-object-storage:global:a/<account-id>:<service-instance>:bucket:<other-bucket-name>", "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z", "description": "Registration between the root key and a different bucket", "preventKeyDeletion": false, "keyVersion": { "id": "addedace-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" } } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Registration could not be deleted. See 'reasons' for more details.", "reasons": [ { "code": "INVALID_PARAM_ERR", "message": "The param 'urlEncodedResourceCRNQuery' must be: specified to at least the service instance.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "urlEncodedResourceCRNQuery" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Caller is not authorized to make this request.", "reasons": [ { "code": "RESOURCE_OWNER_ERR", "message": "The resource queried does not belong to the service.", "status": 403, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Registration could not be created. See 'reasons' for more details.", "reasons": [ { "code": "KEY_NOT_FOUND", "message": "Key does not exist.", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
List registrations for any key
Retrieves a list of registrations that match the Cloud Resource Name (CRN) query that you specify.
When you use a root key to protect an IBM Cloud resource, such as a
Cloud Object Storage bucket, Key Protect creates a registration between
the resource and root key. You can use GET /keys/registrations to
understand which cloud resources are protected by keys in your Key
Protect service instance.
GET /api/v2/keys/registrations
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the target key ring. If unspecified, all resources in the instance that the caller has access to will be returned. When the header is specified, only resources within the specified key ring, that the caller has access to, will be returned. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Query Parameters
Filters for resources that are associated with a specified Cloud Resource Name (CRN) by using URL encoded wildcard characters (
*). The parameter should contain all CRN segments and must be URL encoded. If provided, the parameter should not contain (*) in the first eight segments. If this parameter is not provided, registrations for all keys in the requested Key Protect instance are returned.Possible values: 9 ≤ length ≤ 4000, Value must match regular expression
^(((?!((%3a)|(%3A))).)*((%3a|%3A))){9}(((?!((%3a)|(%3A))).)*)$Example:
crn%3Av1%3Abluemix%3Apublic%3Adatabases-for-postgresql%3Aus-south%3Aa%2F00000000000000000000000000000000%3Afeddecaf-0000-0000-0000-1234567890ab%3A*%3A*The number of registrations to retrieve. By default returns the first 200 registrations. To retrieve a different set of registrations, use
limitwithoffsetto page through your available resources. The maximum value forlimitis 5,000. Usage: If you have 20 registrations that are associated with a key, and you want to retrieve only the first 5 registrations, use../registrations?limit=5.Possible values: 1 ≤ value ≤ 5000
Default:
200The number of registrations to skip. By specifying
offset, you retrieve a subset of registrations that starts with theoffsetvalue. Useoffsetwithlimitto page through your available resources. Usage: If you have 100 registrations that are associated with a key, and you want to retrieve registrations 26 through 50, use../registrations?offset=25&limit=25.Possible values: value ≥ 0
Default:
0Filters registrations based on the
preventKeyDeletionproperty. You can use this query parameter to search for registered cloud resources that are non-erasable due to a retention policy. This policy should only be set if a WORM policy (https://www.ibm.com/docs/en/spectrum-scale/5.0.1?topic=ics-how-write-once-read-many-worm-storage-works) must be satisfied. Do not set this policy by default. Usage: To search for registered cloud resources that have a retention policy, use../registrations?preventKeyDeletion=true.If set to
true, returnstotalCountin the response metadata for use with pagination. ThetotalCountvalue returned specifies the total number of registrations that match the request, disregarding limit and offset. Usage: To return thetotalCountvalue for use with pagination, use../registrations?totalCount=true.
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/keys/registrations?urlEncodedResourceCRNQuery=<url_encoded_resource_CRN_query> -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication registrations, err := api.ListRegistrations(context.Background(), "", <crn>) if err != nil { fmt.Println("Error while getting registrations: ", err) return } b, _ := json.MarshalIndent(registrations, "", " ") fmt.Println(string(b)) }
Response
Properties associated with a list registration response which may include total registration count.
The metadata that describes the resource array.
A collection of resources.
Possible values: 0 ≤ number of items ≤ 5000
Status Code
The list of registrations was successfully retrieved.
The list of registrations could not be retrieved due to a malformed
urlEncodedResourceCRNQuery, an invalid or missing request body, or a mismatch between the cloud service CRN and the resource CRN.Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
You are not authorized to make this request due to missing authorization between the service instance and Key Protect instance, requiring a service-to-service call, or a mismatch between the cloud service CRN and the resource CRN.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.registration+json", "collectionTotal": 2, "totalCount": 4 }, "resources": [ { "keyId": "fadedbee-0000-0000-0000-1234567890ab", "keyName": "Root-key", "resourceCrn": "crn:v1:bluemix:public:cloud-object-storage:global:a/<account-id>:<service-instance>:bucket:<bucket-name>", "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z", "description": "Registration between a bucket and root key", "preventKeyDeletion": false, "keyVersion": { "id": "addedace-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" } }, { "keyId": "beadcafe-0000-0000-0000-1234567890ab", "keyName": "Root-key", "resourceCrn": "crn:v1:bluemix:public:cloud-object-storage:global:a/<account-id>:<service-instance>:bucket:<other-bucket-name>", "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z", "updatedBy": "IBMid-0000000000", "lastUpdated": "2000-03-21T00:00:00Z", "description": "Registration between a bucket and root key", "preventKeyDeletion": false, "keyVersion": { "id": "beadcafe-0000-0000-0000-1234567890ab", "creationDate": "2000-03-21T00:00:00Z" } } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Registration could not be deleted. See 'reasons' for more details.", "reasons": [ { "code": "INVALID_PARAM_ERR", "message": "The param 'urlEncodedResourceCRNQuery' must be: specified to at least the service instance.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "urlEncodedResourceCRNQuery" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Caller is not authorized to make this request.", "reasons": [ { "code": "RESOURCE_OWNER_ERR", "message": "The resource queried does not belong to the service.", "status": 403, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Acknowledge key events
Service to service calls only. Acknowledges a key lifecycle event.
When a customer performs an action on a root key, Key Protect uses
Hyperwarp to notify the cloud services that are registered with the key.
To acknowledge the Hyperwarp event, registered services must call
POST /api/v2/event_ack.
POST /api/v2/event_ack
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key belongs to. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$Default:
default
The base request for acknowledging a key action events.
{
"metadata": {
"collectionType": "application/vnd.ibm.kms.event_acknowledge+json",
"collectionTotal": 1
},
"resources": [
{
"eventId": "feddecaf-0000-0000-0000-1234567890ab",
"adopterKeyState": "DEK_ENABLED",
"timestamp": "2000-03-21T00:00:00Z",
"keyStateData": {
"keyVersion": "fadedbee-0000-0000-0000-1234567890ab"
}
}
]
}{
"metadata": {
"collectionType": "application/vnd.ibm.kms.event_acknowledge+json",
"collectionTotal": 2
},
"resources": [
{
"eventId": "feddecaf-0000-0000-0000-1234567890ab",
"adopterKeyState": "DEK_ENABLED",
"timestamp": "2000-03-21T00:00:00Z",
"keyStateData": {
"keyVersion": "fadedbee-0000-0000-0000-1234567890ab"
}
},
{
"eventId": "addedace-0000-0000-0000-1234567890ab",
"adopterKeyState": "DEK_ENABLED",
"timestamp": "2000-03-21T00:00:00Z"
},
{
"eventId": "beadcafe-0000-0000-0000-1234567890ab",
"adopterKeyState": "DEK_DISABLED",
"timestamp": "2000-03-21T00:00:00Z"
}
]
}The metadata that describes the resource array.
A collection of resources.
Possible values: 1 ≤ number of items ≤ 1000
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/event_ack -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json' -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.event_acknowledge+json", "collectionTotal": 1 }, "resources": [ { "eventId": "<event_ID>", "adopterKeyState": "DEK_ENABLED", "timestamp": "2000-03-21T00:00:00Z", "keyStateData": { "keyVersion": "<key_version>" } } ] }'
Response
Status Code
The acknowledgement for the list of key events was performed successfully. No content.
The event acknowledgement could not be performed due to an invalid or missing request body.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
There are two possible causes for HTTP 404 for the event acknowledgement request, the reason code (resources[0].reasons[0].code) as follows: KEY_NOT_FOUND: The key for the specified event could not be found. NOT_SUPPORTED_IN_SATELLITE_LOCATION: The event acknowledgement is not supported in this location.
Too many requests. Wait a few minutes and try again.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Event acknowledgement could not be performed for this service. See 'reasons' for more details.", "reasons": [ { "code": "MISSING_FIELD_ERR", "message": "The field 'timestamp' must be: a valid RFC3339 timestamp", "status": 400, "moreInfo": "https://test.cloud.ibm.com/apidocs/key-protect", "target": { "type": "field", "name": "timestamp" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: Event acknowledgement could not be performed for this service. See 'reasons' for more details.", "reasons": [ { "code": "EVENT_NOT_FOUND", "message": "Event does not exist", "status": 404, "moreInfo": "https://test.cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests. Wait a few minutes and try again." } ] }
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$A human-readable alias that uniquely identifies a key. Each alias is unique only within the given instance and is not reserved across the Key Protect service. Each key can have up to five aliases. There is no limit to the number of aliases per instance. The length of the alias can be between 2 - 90 characters, inclusive. An alias must be alphanumeric and cannot contain spaces or special characters other than '-' or '_'. Also, the alias cannot be a version 4 UUID and must not be a Key Protect reserved name:
allowed_ip,key,keys,metadata,policy,policies,registration,registrations,ring,rings,rotate,wrap,unwrap,rewrap,version,versions.Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9_-]*$
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/aliases/<alias> -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication keyAlias, err := api.CreateKeyAlias(context.Background(), <alias_name>, <keyID_or_alias>) if err != nil { fmt.Println("Error while creating key alias name: ", err) return } b, _ := json.MarshalIndent(keyAlias, "", " ") fmt.Println(string(b)) }
public static List<KeyAliasResource> createKeyAlias(String keyId_or_alias, String keyAlias) { List<KeyAliasResource> responseObj = null; try { // Construct an instance of the CreateKeyAliasOptions model CreateKeyAliasOptions createKeyAliasOptionsModel = new CreateKeyAliasOptions.Builder() .id(keyId_or_alias) .alias(keyAlias) .bluemixInstance("<instance_id>") .build(); // Invoke operation with valid options model Response<KeyAlias> response = testClient.createKeyAlias(createKeyAliasOptionsModel).execute(); responseObj = response.getResult().getResources(); } catch (ClassCastException e) { System.out.println("Error: " + e.toString()); return responseObj; // null if error } return responseObj; // key alias resource }
Response
Properties associated with a specific key alias.
The metadata that describes the resource array.
A collection of resources.
Possible values: number of items = 1
Status Code
An identical alias was previously created for the specified key.
A new alias was successfully created.
The alias could not be created due to a malformed
aliasor an invalid key ID.Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
There are two possible causes for HTTP 404 while trying to create an alias, specifying a reason code (resouces[0].reasons[0].code) as follows: KEY_NOT_FOUND_ERR: The key with specified ID could not be found. INSTANCE_NOT_FOUND_ERR: Key alias could not be created, instance does not exist.
There are three possible causes for HTTP 409 while trying to create an alias, specifying a reason code (resouces[0].reasons[0].code) as follows:
KEY_ALIAS_QUOTA_ERR: The alias quota for this key or instance has been reached and alias can not be created.
KEY_RING_RESOURCE_QUOTA_ERR: Key alias could not be created, the resource quota for key rings in this instance has been reached and alais can not be created.
KEY_ALIAS_NOT_UNIQUE_ERR: The alias is already associated with a key in the specified instance.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.alias+json", "collectionTotal": 1 }, "resources": [ { "keyId": "fadedbee-0000-0000-0000-1234567890ab", "alias": "my-alias", "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.alias+json", "collectionTotal": 1 }, "resources": [ { "keyId": "fadedbee-0000-0000-0000-1234567890ab", "alias": "my-alias", "createdBy": "IBMid-0000000000", "creationDate": "2000-03-21T00:00:00Z" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Alias could not be created. See 'reasons' for more details.", "reasons": [ { "code": "INVALID_PATH_PARAM_ERR", "message": "The path_param 'alias' must be: alphanumeric, and no spaces or special characters other than '-' or '_', and can not be a version 4 UUID.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "aliases" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Alias could not be created. See 'reasons' for more details.", "reasons": [ { "code": "KEY_NOT_FOUND", "message": "Key does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Key alias could not be created. See 'reasons' for more details.", "reasons": [ { "code": "KEY_ALIAS_NOT_UNIQUE_ERR", "message": "One or more aliases are already associated with a key in the instance.", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Delete an alias
Deletes an alias from the associated key.
Delete alias does not delete the key.
DELETE /api/v2/keys/{id}/aliases/{alias}Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The ID of the key ring that the specified key is a part of. When the header is not specified, Key Protect will perform a key ring lookup. For a more optimized request, specify the key ring on every call. The key ring ID of keys that are created without an
X-Kms-Key-Ringheader is:default.Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Path Parameters
The v4 UUID or alias that uniquely identifies the key.
Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9-_]{2,90}$A human-readable alias that uniquely identifies a key. Each alias is unique only within the given instance and is not reserved across the Key Protect service. Each key can have up to five aliases. There is no limit to the number of aliases per instance. The length of the alias can be between 2 - 90 characters, inclusive. An alias must be alphanumeric and cannot contain spaces or special characters other than '-' or '_'. Also, the alias cannot be a version 4 UUID and must not be a Key Protect reserved name:
allowed_ip,key,keys,metadata,policy,policies,registration,registrations,ring,rings,rotate,wrap,unwrap,rewrap,version,versions.Possible values: 2 ≤ length ≤ 90, Value must match regular expression
^[a-zA-Z0-9_-]*$
curl -X DELETE https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/aliases/<alias> -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication err := api.DeleteKeyAlias(context.Background(), <alias_name>, <keyID_or_alias>) if err != nil { fmt.Println("Error while deleting key alias name: ", err) return } fmt.Println("Key alias successfully deleted") }
public static String deleteKeyAlias (String keyId_or_alias, String keyAlias) { // Construct an instance of the DeleteKeyAliasOptions model DeleteKeyAliasOptions deleteKeyAliasOptionsModel = new DeleteKeyAliasOptions.Builder() .id(keyId_or_alias) .alias(keyAlias) .bluemixInstance("<instance_id>") .build(); // Invoke operation with valid options model try { return testClient.deleteKeyAlias(deleteKeyAliasOptionsModel).execute().toString() + " success"; } catch (ClassCastException e){ return e.toString(); } }
Response
Status Code
An alias was successfully deleted. No content.
The alias could not be deleted due to a malformed
aliasor an invalid key ID.Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
There are two possible causes for HTTP 404 while trying to delete an alias, specifying a reason code (resouces[0].reasons[0].code) as follows: ALIAS_NOT_FOUND_ERR: The alias with specified key ID could not be found. INSTANCE_NOT_FOUND_ERR: Key alias could not be deleted, instance does not exist.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Alias could not be deleted. See 'reasons' for more details.", "reasons": [ { "code": "INVALID_PATH_PARAM_ERR", "message": "The param 'alias' must be: alphanumeric, and no spaces or special characters other than '-' or '_', and can not be a version 4 UUID.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "aliases" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Alias could not be deleted. See 'reasons' for more details.", "reasons": [ { "code": "ALIAS_NOT_FOUND", "message": "Alias does not exist", "status": 404, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Query Parameters
The number of key rings to retrieve. By default,
GET /key_ringsreturns 100 key rings including the default key ring. To retrieve a different set of key rings, uselimitwithoffsetto page through your available resources. The maximum value forlimitis 5,000. Usage: If you have 20 key rings in your instance, and you want to retrieve only the first 5 key rings, use../key_rings?limit=5.Possible values: value ≥ 0
Default:
100The number of key rings to skip. By specifying
offset, you retrieve a subset of key rings that starts with theoffsetvalue. Useoffsetwithlimitto page through your available resources. Usage: If you have 20 key rings in your instance, and you want to retrieve keys 10 through 20, use../keys?offset=10&limit=10.Possible values: value ≥ 0
Default:
0If set to
true, returnstotalCountin the response metadata for use with pagination. ThetotalCountvalue returned specifies the total number of key rings that match the request, disregarding limit and offset. The default is set to false. Usage: To return thetotalCountvalue for use with pagination, use../key_rings?totalCount=true.
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/key_rings -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication keyRings, err := api.GetKeyRings(context.Background()) if err != nil { fmt.Println("Error while getting key rings: ", err) return } b, _ := json.MarshalIndent(keyRings, "", " ") fmt.Println(string(b)) }
public static ListKeyRingsWithTotalCount getKeyRings () { ListKeyRingsWithTotalCount result = null; // Construct an instance of the ListKeyRingsWithTotalCountOptions model ListKeyRingsWithTotalCountOptions listKeyRingsWithTotalCountOptionsModel = new ListKeyRingsWithTotalCountOptions.Builder() .bluemixInstance("<instance_id>") .build(); try { // Invoke operation with valid options model Response<ListKeyRingsWithTotalCount> response = testClient.listKeyRingsWithTotalCount(listKeyRingsWithTotalCountOptionsModel).execute(); return response.getResult(); } catch (ClassCastException e) { return result; } }
Response
The base schema for listing key rings.
The metadata that describes the resource array.
A collection of resources.
Possible values: 0 ≤ number of items ≤ 5000
Status Code
The list of key rings was successfully retrieved.
The request is missing a required field.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.key_ring+json", "collectionTotal": 3, "totalCount": 4 }, "resources": [ { "id": "default" }, { "id": "example-key-ring", "creationDate": "2000-03-21T00:00:00Z", "createdBy": "IBMid-0000000000" }, { "id": "key-ring-name-2", "creationDate": "2000-03-21T00:00:00Z", "createdBy": "IBMid-0000000000" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: The request is missing a required field." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Create a key ring
Create a key ring in the instance with the specified name. The key ring ID default is a reserved key ring ID and cannot be created nor destroyed. The default key ring is an initial key ring that is generated with each newly created instance. All keys not associated with an otherwise specified key ring exist within the default key ring.
POST /api/v2/key_rings/{key-ring-id}Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Path Parameters
The ID that identifies the key ring. Each ID is unique only within the given instance and is not reserved across the Key Protect service.
Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/key_rings/<key_ring_id> -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication err := api.CreateKeyRing(context.Background(), <id>) if err != nil { fmt.Println("Error while creating key ring: ", err) return } fmt.Println("Key ring successfully created") }
public static KeyRing createKeyRing (String keyRingId) { KeyRing result = null; // Construct an instance of the CreateKeyRingOptions model CreateKeyRingOptions createKeyRingOptionsModel = new CreateKeyRingOptions.Builder() .keyRingId(keyRingId) .bluemixInstance("<instance_id>") .build(); try { // Invoke operation with valid options model Response<KeyRing> response = testClient.createKeyRing(createKeyRingOptionsModel).execute(); System.out.println("Prelim: " + response.toString()); result = response.getResult(); return result; } catch (ClassCastException e) { return result; } }
Response
Status Code
The key ring was successfully created.
The key ring already exists. No content.
The key ring could not be created due to invalid request data.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Key ring resource quota has been reached.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Key ring could not be created. See `reasons` for more details.", "reasons": [ { "code": "INVALID_PATH_PARAM_ERR", "message": "The path_param `id` must be: a string matching pattern `^[a-zA-Z0-9-]*$`.", "status": 400, "moreInfo": "https://test.cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "key-ring-id" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Key ring could not be created. See `reasons` for more details.", "reasons": [ { "code": "KEY_RING_RESOURCE_QUOTA_ERR", "message": "The resource quota for key rings in this instance has been reached/exceeded and key rings cannot be created.", "status": 409, "moreInfo": "https://test.cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Delete key ring
Delete the key ring from the instance. The key ring ID default cannot be destroyed.
DELETE /api/v2/key_rings/{key-ring-id}Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Path Parameters
The ID that identifies the key ring. Each ID is unique only within the given instance and is not reserved across the Key Protect service.
Possible values: 2 ≤ length ≤ 100, Value must match regular expression
^[a-zA-Z0-9-]*$
Query Parameters
Force delete the key ring. All keys in the key ring are required to be deleted (in state
5) before this action can be performed. If the key ring to be deleted contains keys, they will be moved to thedefaultkey ring which requires thekms.secrets.patchIAM action.Default:
false
curl -X DELETE https://<region>.kms.cloud.ibm.com/api/v2/key_rings/<key_ring_id> -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
package main import ( "context" "encoding/json" "fmt" kp "github.com/IBM/keyprotect-go-client" ) func main() { // Initialize the Key Protect client as specified in Authentication err := api.DeleteKeyRing(context.Background()) if err != nil { fmt.Println("Error while deleting key ring: ", err) return } fmt.Println("Key ring successfully deleted") }
public static String deleteKeyRing (String keyRingId) { // Construct an instance of the DeleteKeyRingOptions model DeleteKeyRingOptions deleteKeyRingOptionsModel = new DeleteKeyRingOptions.Builder() .keyRingId(keyRingId) .bluemixInstance("<instance_id>") .build(); try { // Invoke operation with valid options model return testClient.deleteKeyRing(deleteKeyRingOptionsModel).execute().toString() + " success"; } catch (ClassCastException e) { return e.toString(); } }
Response
Status Code
The key ring was successfully deleted. No content.
The key ring could not be deleted due to invalid request data.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
There are two possible causes for HTTP 409 while trying to delete a key ring, specifying a reason code (resouces[0].reasons[0].code) as follows: KEY_RING_NOT_EMPTY_ERR: The specified key ring contains at least one key (in any state). KEY_RING_KEYS_NOT_DELETED_ERR: (If
forceis set totrue) The specified key ring contains at least one non-deleted key.Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Key ring could not be created. See `reasons` for more details.", "reasons": [ { "code": "INVALID_PATH_PARAM_ERR", "message": "The path_param `id` must be: a string matching pattern `^[a-zA-Z0-9-]*$`.", "status": 400, "moreInfo": "https://test.cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "key-ring-id" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Key ring could not be created. See `reasons` for more details.", "reasons": [ { "code": "KEY_RING_NOT_EMPTY_ERR", "message": "The specified key ring contains at least one key (in any state).", "status": 409, "moreInfo": "https://test.cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Query Parameters
The number of KMIP Adapters to retrieve. By default,
GET /kmip_adaptersreturns the first 100 KMIP Adapters. To retrieve a different set of KMIP adapters, uselimitwithoffsetto page through your available resources. The maximum value forlimitis 200. Usage: If you have 20 KMIP Adapters, and you want to retrieve only the first 5 adapters, use../kmip_adapters?limit=5.Possible values: 1 ≤ value ≤ 200
Default:
100The number of KMIP adapters to skip. By specifying
offset, you retrieve a subset of KMIP adapters that starts with theoffsetvalue. Useoffsetwithlimitto page through your available resources. Usage: If you have 20 KMIP Adapters, and you want to retrieve adapters 11 through 15, use../kmip_adapters?offset=10&limit=5.Possible values: value ≥ 0
Default:
0If set to
true, returnstotalCountin the response metadata for use with pagination. ThetotalCountvalue returned specifies the total number of kmip adapters that match the request, disregarding limit and offset. The default is set to false. Usage: To return thetotalCountvalue for use with pagination, use../kmip_adapters?totalCount=true.The root key ID(
crk_id) in theprofile_datato filter on. This field is currently only applicable to profile"native_1.0". It will only return adapters with profile_data that contains this field. Example usage../kmip_adapters?crk_id=feddecaf-0000-0000-0000-1234567890ab.Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$Example:
feddecaf-0000-0000-0000-1234567890ab
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>'
Response
The base schema for listing kmip adapter with total count.
The metadata that describes the resource array.
A collection of resources.
Possible values: 0 ≤ number of items ≤ 200
Status Code
Returns a list of all KMIP Adapters.
The request is missing a required field.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.kmip_adapter+json", "collectionTotal": 1, "totalCount": 3 }, "resources": [ { "id": "feddecaf-0000-0000-0000-1234567890ab", "profile": "native_1.0", "profile_data": { "crk_id": "beddecaf-0000-0000-0000-1234567890ab" }, "name": "kmip-adapter-123", "description": "our 123rd kmip adapter", "created_at": "2023-01-23T04:56:07.000Z", "created_by": "IBMid-0000000000", "updated_at": "2023-01-23T04:56:07.000Z", "updated_by": "IBMid-0000000000" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: The request is missing a required field." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Query Parameters
If set to 'true', allows an active root key containing an expiration date to be associated with the KMIP adapter.
The base schema for the request body of a POST /kmip_adapters.
The metadata that describes the resource array.
Examples:{ "collectionType": "application/vnd.ibm.kms.kmip_adapter+json", "collectionTotal": 1 }- metadata
The type of resources in the resource array.
Allowable values: [
application/vnd.ibm.kms.allowed_ip_metadata+json,application/vnd.ibm.kms.crn+json,application/vnd.ibm.kms.error+json,application/vnd.ibm.kms.event_acknowledge+json,application/vnd.ibm.kms.import_token+json,application/vnd.ibm.kms.key+json,application/vnd.ibm.kms.key_action+json,application/vnd.ibm.kms.alias+json,application/vnd.ibm.kms.key_ring+json,application/vnd.ibm.kms.policy+json,application/vnd.ibm.kms.registration_input+json,application/vnd.ibm.kms.registration+json,application/vnd.ibm.kms.resource_crn+json,application/vnd.ibm.kms.kmip_adapter+json,application/vnd.ibm.kms.kmip_client_certificate+json,application/vnd.ibm.kms.kmip_object+json]Possible values: 32 ≤ length ≤ 52
The number of elements in the resource array.
Possible values: 0 ≤ value ≤ 5000
Example:
1
A collection of resources.
Possible values: number of items = 1
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json' -d '{ "metadata": { "collectionTotal": 1, "collectionType": "application/vnd.ibm.kms.kmip_adapter+json" }, "resources": [ { "name": "<name>", "profile": "<profile>", "profile_data": { "crk_id": "<crk_id>" } } ] }'
Response
The base schema for listing kmip adapter(s).
A collection of resources.
Possible values: 0 ≤ number of items ≤ 200
Status Code
Returns the KMIP Adapter just created.
The KMIP Adapter could not be created due to invalid request data.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
KMIP adapter could not be created due to a constraint.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.kmip_adapter+json", "collectionTotal": 1 }, "resources": [ { "id": "feddecaf-0000-0000-0000-1234567890ab", "profile": "native_1.0", "profile_data": { "crk_id": "beddecaf-0000-0000-0000-1234567890ab" }, "name": "kmip-adapter-123", "description": "our 123rd kmip adapter", "created_at": "2023-01-23T04:56:07.000Z", "created_by": "IBMid-0000000000", "updated_at": "2023-01-23T04:56:07.000Z", "updated_by": "IBMid-0000000000" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: KMIP Adapter could not be created. See 'reasons' for more details.", "reasons": [ { "code": "INVALID_FIELD_ERR", "message": "The field '<name|description>' has an invalid format. Please refer to https://cloud.ibm.com/apidocs/key-protect.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "field", "name": "<name|description>" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: KMIP Adapter could not be created. See 'reasons' for more details.", "reasons": [ { "code": "INVALID_FIELD_ERR", "message": "The field `profile` must be one of the following: [`native_1.0`]", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "field", "name": "profile" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: KMIP Adapter could not be created. See 'reasons' for more details.", "reasons": [ { "code": "INVALID_FIELD_ERR", "message": "The field '<profile_data.crk_id>' could not be found in the provided kms instance.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "field", "name": "<profile_data.crk_id>" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "KMIP Adapter could not be created. See 'reasons' for more details.", "reasons": [ { "code": "KMIP_ADAPTER_DUPLICATE_NAME_ERR", "message": "There is a kmip adapter in this kms instance with the same name. Please choose a different name.", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "KMIP Adapter could not be created. See 'reasons' for more details.", "reasons": [ { "code": "NATIVE_CRK_ID_NOT_FOUND_ERR", "message": "Root key in native profile body does not exist in the kms instance", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "KMIP Adapter could not be created. See 'reasons' for more details.", "reasons": [ { "code": "NATIVE_INVALID_CRK_ERR", "message": "Key id in native profile body is either not a root key or is not in active state", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Path Parameters
The name or v4 UUID of the KMIP Adapter that uniquely identifies it.
Possible values: 2 ≤ length ≤ 40, Value must match regular expression
^[a-zA-Z0-9-_]{2,40}$
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name> -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json'
Response
The base schema for listing kmip adapter(s).
A collection of resources.
Possible values: 0 ≤ number of items ≤ 200
Status Code
Returns the KMIP Adapter with the given ID / name.
The KMIP Adapter could not be retrieved due to invalid request data.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
The kmip adapter with that id / name could not be found.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.kmip_adapter+json", "collectionTotal": 1 }, "resources": [ { "id": "feddecaf-0000-0000-0000-1234567890ab", "profile": "native_1.0", "profile_data": { "crk_id": "beddecaf-0000-0000-0000-1234567890ab" }, "name": "kmip-adapter-123", "description": "our 123rd kmip adapter", "created_at": "2023-01-23T04:56:07.000Z", "created_by": "IBMid-0000000000", "updated_at": "2023-01-23T04:56:07.000Z", "updated_by": "IBMid-0000000000" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "The KMIP Adapter id / name could not be validated. See `reasons` for more details.", "reasons": [ { "code": "INVALID_PATH_PARAM_ERR", "message": "The path_param `id` must be: a v4 UUID or string matching pattern ^[a-zA-Z0-9-_]{2,40}$", "status": 400, "moreInfo": "https://test.cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "id" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: KMIP Adapter(s) could not be retrieved: Please see `reasons` for more details (KMIP_ADAPTER_NOT_FOUND_ERR)", "reasons": [ { "code": "KMIP_ADAPTER_NOT_FOUND_ERR", "message": "kmip_adapter does not exist", "status": 404 } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Delete a KMIP Adapter
Deletes a KMIP Adapter, including all its client certificates, with the given id / name.
DELETE /api/v2/kmip_adapters/{id}Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Path Parameters
The name or v4 UUID of the KMIP Adapter that uniquely identifies it.
Possible values: 2 ≤ length ≤ 40, Value must match regular expression
^[a-zA-Z0-9-_]{2,40}$
curl -X DELETE https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name> -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json'
Response
Status Code
The KMIP Adapter was successfully deleted. No content.
The KMIP Adapter could not be deleted due to invalid request data.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
The kmip adapter with that id / name could not be found.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "The KMIP Adapter id / name could not be validated. See `reasons` for more details.", "reasons": [ { "code": "INVALID_PATH_PARAM_ERR", "message": "The path_param `id` must be: a v4 UUID or string matching pattern ^[a-zA-Z0-9-_]{2,40}$", "status": 400, "moreInfo": "https://test.cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "id" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: KMIP Adapter(s) could not be retrieved: Please see `reasons` for more details (KMIP_ADAPTER_NOT_FOUND_ERR)", "reasons": [ { "code": "KMIP_ADAPTER_NOT_FOUND_ERR", "message": "kmip_adapter does not exist", "status": 404 } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
List KMIP objects of a KMIP Adapter
List KMIP objects of a KMIP Adapter.
GET /api/v2/kmip_adapters/{adapter_id}/kmip_objectsRequest
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Path Parameters
The name or v4 UUID of the KMIP Adapter that uniquely identifies it.
Possible values: 2 ≤ length ≤ 40, Value must match regular expression
^[a-zA-Z0-9-_]{2,40}$
Query Parameters
The number of kmip objects to retrieve. By default,
GET /kmip_adapters/{id}/kmip_objectsreturns the first 100 kmip_objects. To retrieve a different set of kmip objects, uselimitwithoffsetto page through your available resources. The maximum value forlimitis 5000. Usage: If you have 20 kmip objects associated with your KMIP adapter, and you want to retrieve only the first 5 kmip objects, use../kmip_adapters/{id}/kmip_objects?limit=5.Possible values: 1 ≤ value ≤ 5000
Default:
100The number of kmip objects to skip. By specifying
offset, you retrieve a subset of kmip objects that starts with theoffsetvalue. Useoffsetwithlimitto page through your available resources. Usage: If you have 20 kmip objects associated with your KMIP adapter, and you want to retrieve kmip objects 11 through 15, use../kmip_adapters/{id}/kmip_objects?offset=10&limit=5.Possible values: value ≥ 0
Default:
0If set to
true, returnstotalCountin the response metadata for use with pagination. ThetotalCountvalue returned specifies the total number of kmip objects that match the request, disregarding limit and offset. The default is set to false. Usage: To return thetotalCountvalue for use with pagination, use../kmip_adapters/{id}/kmip_objects?totalCount=true.List of states to filter the KMIP objects on. The
defaultis set to[1,2,3,4]. States are integers and correspond to Pre-Active = 1, Active = 2, Deactivated = 3, Compromised = 4, Destroyed = 5, Destroyed Compromised = 6. Usage: To filter on multiplesstatevalues, use../kmip_adapters/{id}/kmip_objects?state=2,3.Possible values: 0 ≤ number of items ≤ 4, 1 ≤ value ≤ 6
Default:
[1,2,3,4]
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name>/kmip_objects -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json'
Response
The base schema for listing kmip objects in a kmip adapter with total count.
The metadata that describes the resource array.
A collection of resources.
Possible values: 0 ≤ number of items ≤ 200
Status Code
List of KMIP objects associated with the KMIP Adapter.
The KMIP Objects could not be retrieved due to invalid request data.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
The KMIP Objects could not be retrieved because a resource could not be found.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.kmip_object+json", "collectionTotal": 2, "totalCount": 4 }, "resources": [ { "id": "feddecaf-0000-0000-0000-1234567890ab", "kmip_object_type": 2, "state": 3, "created_at": "2000-01-23T04:56:07.000Z", "created_by_kmip_client_cert_id": "beddecaf-0000-0000-0000-1234567890ab", "created_by": "IBMid-0000000001", "updated_at": "2000-02-23T08:19:00.000Z", "updated_by_kmip_client_cert_id": "beddecaf-0000-0000-0000-1234567890ab", "updated_by": "IBMid-0000000001" }, { "id": "beddecaf-0000-0000-0000-1234567890ab", "kmip_object_type": 2, "state": 5, "created_at": "2000-01-23T04:56:07.000Z", "created_by_kmip_client_cert_id": "beddecaf-0000-0000-0000-1234567890ab", "created_by": "IBMid-0000000001", "updated_at": "2000-03-25T04:56:07.000Z", "updated_by_kmip_client_cert_id": "beddecaf-0000-0000-0000-1234567890ab", "updated_by": "IBMid-0000000001", "destroyed_at": "2000-03-28T04:56:07.000Z", "destroyed_by": "IBMid-0000000001" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "The KMIP Adapter id / name could not be validated. See `reasons` for more details.", "reasons": [ { "code": "INVALID_PATH_PARAM_ERR", "message": "The path_param `adapter_id` must be: a v4 UUID or string matching pattern ^[a-zA-Z0-9-_]{2,40}$", "status": 400, "moreInfo": "https://test.cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "adapter_id" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: KMIP Object(s) could not be retrieved: Please see `reasons` for more details (KMIP_ADAPTER_NOT_FOUND_ERR)", "reasons": [ { "code": "KMIP_ADAPTER_NOT_FOUND_ERR", "message": "kmip_adapter does not exist", "status": 404 } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Retrieve a KMIP object from a KMIP Adapter
Retrieves a KMIP object from a KMIP Adapter by its id.
GET /api/v2/kmip_adapters/{adapter_id}/kmip_objects/{id}Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Path Parameters
The name or v4 UUID of the KMIP Adapter that uniquely identifies it.
Possible values: 2 ≤ length ≤ 40, Value must match regular expression
^[a-zA-Z0-9-_]{2,40}$The v4 UUID of the kmip object that uniquely identifies it.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name>/kmip_objects/<id> -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json'
Response
The base schema for listing kmip objects in a kmip adapter with total count.
The metadata that describes the resource array.
A collection of resources.
Possible values: 0 ≤ number of items ≤ 200
Status Code
The KMIP object associated with the given id in the KMIP Adapter.
The KMIP object could not be retrieved due to invalid request data.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
The KMIP object could not be retrieved because a resource could not be found.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.kmip_object+json", "collectionTotal": 1 }, "resources": [ { "id": "feddecaf-0000-0000-0000-1234567890ab", "kmip_object_type": 2, "state": 3, "created_at": "2000-01-23T04:56:07.000Z", "created_by_kmip_client_cert_id": "beddecaf-0000-0000-0000-1234567890ab", "created_by": "IBMid-0000000000", "updated_at": "2000-01-23T04:56:07.000Z", "updated_by_kmip_client_cert_id": "beddecaf-0000-0000-0000-1234567890ab", "updated_by": "IBMid-0000000000" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "The KMIP Adapter id / name could not be validated. See `reasons` for more details.", "reasons": [ { "code": "INVALID_PATH_PARAM_ERR", "message": "The path_param `adapter_id` must be: a v4 UUID or string matching pattern ^[a-zA-Z0-9-_]{2,40}$", "status": 400, "moreInfo": "https://test.cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "adapter_id" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "The id of the kmip object could not be validated. See `reasons` for more details.", "reasons": [ { "code": "INVALID_PATH_PARAM_ERR", "message": "The path_param `id` must be: a valid UUID", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "id" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: KMIP Object(s) could not be retrieved: Please see `reasons` for more details (KMIP_OBJECT_NOT_FOUND_ERR)", "reasons": [ { "code": "KMIP_OBJECT_NOT_FOUND_ERR", "message": "kmip_object does not exist", "status": 404 } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: KMIP Object(s) could not be retrieved: Please see `reasons` for more details (KMIP_ADAPTER_NOT_FOUND_ERR)", "reasons": [ { "code": "KMIP_ADAPTER_NOT_FOUND_ERR", "message": "kmip_adapter does not exist", "status": 404 } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Delete a KMIP object from a KMIP Adapter
Deletes a KMIP object from a KMIP Adapter given its id. Changes the state of the KMIP object to 5 (Destroyed) and erases its key material. Any data encrypted by this KMIP object will be crypto erased when the KMIP Object changes it state to 5 (Destroyed).
DELETE /api/v2/kmip_adapters/{adapter_id}/kmip_objects/{id}Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Path Parameters
The name or v4 UUID of the KMIP Adapter that uniquely identifies it.
Possible values: 2 ≤ length ≤ 40, Value must match regular expression
^[a-zA-Z0-9-_]{2,40}$The name or v4 UUID of the client certificate that uniquely identifies it.
Possible values: 2 ≤ length ≤ 40, Value must match regular expression
^[a-zA-Z0-9-_]{2,40}$
Query Parameters
Force delete the KMIP object, regardless of the object's state. All object data is eligible to be purged 90 days after deletion.
Default:
false
curl -X DELETE https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name>/kmip_objects/<id> -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json'
Response
Status Code
Delete succeeded and no content is returned.
The KMIP object associated with the KMIP Adapter could not be deleted due to invalid request data.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
KMIP object could not be deleted because a resource could not be found.
KMIP object could not be deleted because there is a conflict. KMIP_OBJECT_NONDELETABLE_STATE_ERR: The kmip object is not in pre-active, deactivated, or compromised state
KMIP object could not be deleted because the resource is already deleted.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "The KMIP Adapter id / name could not be validated. See `reasons` for more details.", "reasons": [ { "code": "INVALID_PATH_PARAM_ERR", "message": "The path_param `adapter_id` must be: a v4 UUID or string matching pattern ^[a-zA-Z0-9-_]{2,40}$", "status": 400, "moreInfo": "https://test.cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "adapter_id" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "The id of the kmip object could not be validated. See `reasons` for more details.", "reasons": [ { "code": "INVALID_PATH_PARAM_ERR", "message": "The path_param `id` must be: a valid UUID", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "id" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: KMIP Object could not be deleted: Please see `reasons` for more details (KMIP_OBJECT_NOT_FOUND_ERR)", "reasons": [ { "code": "KMIP_OBJECT_NOT_FOUND_ERR", "message": "kmip_object does not exist", "status": 404 } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: KMIP Object could not be deleted: Please see `reasons` for more details (KMIP_ADAPTER_NOT_FOUND_ERR)", "reasons": [ { "code": "KMIP_ADAPTER_NOT_FOUND_ERR", "message": "kmip_adapter does not exist", "status": 404 } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: KMIP Object could not be deleted: Please see `reasons` for more details (KMIP_OBJECT_NONDELETABLE_STATE_ERR)", "reasons": [ { "code": "KMIP_OBJECT_NONDELETABLE_STATE_ERR", "message": "The kmip object is not in pre-active, deactivated, or compromised state", "status": 409 } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Gone: KMIP Object could not be deleted: Please see `reasons` for more details (KMIP_OBJECT_DELETED_ERR)", "reasons": [ { "code": "KMIP_OBJECT_DELETED_ERR", "message": "The kmip object has already been deleted: Please delete references to this kmip object", "status": 410 } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
List client certificates of a KMIP Adapter
List client certificates of a KMIP Adapter.
GET /api/v2/kmip_adapters/{adapter_id}/certificatesRequest
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Path Parameters
The name or v4 UUID of the KMIP Adapter that uniquely identifies it.
Possible values: 2 ≤ length ≤ 40, Value must match regular expression
^[a-zA-Z0-9-_]{2,40}$
Query Parameters
The number of client certificates to retrieve. By default,
GET /kmip_adapters/{id}/certificatesreturns the first 100 certificates. To retrieve a different set of certificates, uselimitwithoffsetto page through your available resources. The maximum value forlimitis 200. Usage: If you have 20 certificates associated with your KMIP adapter, and you want to retrieve only the first 5 certificates, use../kmip_adapters/{id}/certificates?limit=5.Possible values: 1 ≤ value ≤ 200
Default:
100The number of client certificates to skip. By specifying
offset, you retrieve a subset of certificates that starts with theoffsetvalue. Useoffsetwithlimitto page through your available resources. Usage: If you have 20 certificates associated with your KMIP adapter, and you want to retrieve certificates 11 through 15, use../kmip_adapters/{id}/certificates?offset=10&limit=5.Possible values: value ≥ 0
Default:
0If set to
true, returnstotalCountin the response metadata for use with pagination. ThetotalCountvalue returned specifies the total number of client certificates that match the request, disregarding limit and offset. The default is set to false. Usage: To return thetotalCountvalue for use with pagination, use../kmip_adapters/{id}/certificates?totalCount=true.
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name>/certificates -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json'
Response
The base schema for listing client certificates in a kmip adapter with total count.
The metadata that describes the resource array.
A collection of resources.
Possible values: 0 ≤ number of items ≤ 200
Status Code
List of client certificates associated with the KMIP Adapter.
The client certificates could not be retrieved due to invalid request data.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
The client certificates could not be retrieved because a resource could not be found.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.kmip_client_certificate+json", "collectionTotal": 2, "totalCount": 4 }, "resources": [ { "id": "feddecaf-0000-0000-0000-1234567890ab", "name": "kmip-client-certificate", "created_at": "2000-01-23T04:56:07.000Z", "created_by": "IBMid-0000000000" }, { "id": "beddecaf-0000-0000-0000-1234567890ab", "name": "kmip-client-certificate2", "created_at": "2001-01-23T04:56:07.000Z", "created_by": "IBMid-0000000001" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "The KMIP Adapter id / name could not be validated. See `reasons` for more details.", "reasons": [ { "code": "INVALID_PATH_PARAM_ERR", "message": "The path_param `adapter_id` must be: a v4 UUID or string matching pattern ^[a-zA-Z0-9-_]{2,40}$", "status": 400, "moreInfo": "https://test.cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "adapter_id" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: KMIP Client Certificate(s) could not be retrieved: Please see `reasons` for more details (KMIP_ADAPTER_NOT_FOUND_ERR)", "reasons": [ { "code": "KMIP_ADAPTER_NOT_FOUND_ERR", "message": "kmip_adapter does not exist", "status": 404 } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Add a client certificate to a KMIP Adapter
Add a client certificate to a KMIP Adapter. It might take up to 5 minutes for a KMIP call using the newly add certificate to pass authentication. A maximum of 200 client certificates can be associated with a KMIP Adapter at a time.
POST /api/v2/kmip_adapters/{adapter_id}/certificatesRequest
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Path Parameters
The name or v4 UUID of the KMIP Adapter that uniquely identifies it.
Possible values: 2 ≤ length ≤ 40, Value must match regular expression
^[a-zA-Z0-9-_]{2,40}$
Properties of a client certificate that must be provided during creation
The metadata that describes the resource array.
Examples:{ "collectionType": "application/vnd.ibm.kms.kmip_client_certificate+json", "collectionTotal": 1 }- metadata
The type of resources in the resource array.
Allowable values: [
application/vnd.ibm.kms.allowed_ip_metadata+json,application/vnd.ibm.kms.crn+json,application/vnd.ibm.kms.error+json,application/vnd.ibm.kms.event_acknowledge+json,application/vnd.ibm.kms.import_token+json,application/vnd.ibm.kms.key+json,application/vnd.ibm.kms.key_action+json,application/vnd.ibm.kms.alias+json,application/vnd.ibm.kms.key_ring+json,application/vnd.ibm.kms.policy+json,application/vnd.ibm.kms.registration_input+json,application/vnd.ibm.kms.registration+json,application/vnd.ibm.kms.resource_crn+json,application/vnd.ibm.kms.kmip_adapter+json,application/vnd.ibm.kms.kmip_client_certificate+json,application/vnd.ibm.kms.kmip_object+json]Possible values: 32 ≤ length ≤ 52
The number of elements in the resource array.
Possible values: 0 ≤ value ≤ 5000
Example:
1
A collection of resources.
Possible values: number of items = 1
curl -X POST https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name>/certificates -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json' -d '{ "metadata": { "collectionTotal": 1, "collectionType": "application/vnd.ibm.kms.kmip_client_certificate+json" }, "resources": [ { "name": "<name>", "certificate": "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" } ] }'
Response
The base schema for listing client certificates in a kmip adapter.
A collection of resources.
Possible values: 0 ≤ number of items ≤ 200
Status Code
The full details of the KMIP Certificate just created
A client certificate could not be added to the KMIP Adapter due to invalid request data.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Certificate could not be created because a resource could not be found.
KMIP_CERT_QUOTA_ERR: The quota for certificates in this KMIP adapter instance has been reached. Unable to add any more certificates KMIP_CERT_DUPLICATE_NAME_ERR: There is a kmip client certificate in this kms adapter with the same name. Please choose a different name KMIP_CERT_DUPLICATE_ERR: The certificate payload is already associated with this adapter KMIP_CERT_REUSE_ERR: Another KMIP adapter reserves exclusive use of this certificate payload
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.kmip_client_certificate+json", "collectionTotal": 1 }, "resources": [ { "id": "feddecaf-0000-0000-0000-1234567890ab", "name": "kmip-client-certificate", "certificate": "-----BEGIN CERTIFICATE-----\\nAAA\\n-----END CERTIFICATE-----", "created_at": "2000-01-23T04:56:07.000Z", "created_by": "IBMid-0000000000" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Bad Request: KMIP Certificate could not be added. See 'reasons' for more details.", "reasons": [ { "code": "INVALID_FIELD_ERR", "message": "The field '<name|certificate>' has an invalid format. Please refer to https://cloud.ibm.com/apidocs/key-protect.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "field", "name": "<name|certificate>" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: KMIP Client Certificate could not be created: Please see `reasons` for more details (KMIP_ADAPTER_NOT_FOUND_ERR)", "reasons": [ { "code": "KMIP_ADAPTER_NOT_FOUND_ERR", "message": "kmip_adapter does not exist", "status": 404 } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: KMIP Client Certificate could not be added: Please see `reasons` for more details (KMIP_CERT_DUPLICATE_ERR)", "reasons": [ { "code": "KMIP_CERT_QUOTA_ERR", "message": "The quota for certificates in this KMIP instance has been reached. Unable to add any more certificates.", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: KMIP Client Certificate could not be added: Please see `reasons` for more details (KMIP_CERT_DUPLICATE_ERR)", "reasons": [ { "code": "KMIP_CERT_DUPLICATE_NAME_ERR", "message": "There is a certificate in this kmip adapter with the same name. Please choose a different name", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: KMIP Client Certificate could not be added: Please see `reasons` for more details (KMIP_CERT_DUPLICATE_ERR)", "reasons": [ { "code": "KMIP_CERT_DUPLICATE_ERR", "message": "The certificate payload is already associated with this adapter.", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Conflict: KMIP Client Certificate could not be added: Please see `reasons` for more details (KMIP_CERT_DUPLICATE_ERR)", "reasons": [ { "code": "KMIP_CERT_REUSE_ERR", "message": "Another KMIP adapter reserves exclusive use of this certificate payload.", "status": 409, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect" } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Retrieve a client certificate from a KMIP Adapter
Retrieves a client certificate from a KMIP Adapter using its id / name.
GET /api/v2/kmip_adapters/{adapter_id}/certificates/{id}Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Path Parameters
The name or v4 UUID of the KMIP Adapter that uniquely identifies it.
Possible values: 2 ≤ length ≤ 40, Value must match regular expression
^[a-zA-Z0-9-_]{2,40}$The name or v4 UUID of the client certificate that uniquely identifies it.
Possible values: 2 ≤ length ≤ 40, Value must match regular expression
^[a-zA-Z0-9-_]{2,40}$
curl -X GET https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name>/certificates/<certificate_name> -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json'
Response
The base schema for listing client certificates in a kmip adapter.
A collection of resources.
Possible values: 0 ≤ number of items ≤ 200
Status Code
The full details of the KMIP Certificate with the given id / name
The client certificate associated with the KMIP Adapter could not be retrieved due to invalid request data.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Certificate could not be retrieved because a resource could not be found.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.kmip_client_certificate+json", "collectionTotal": 1 }, "resources": [ { "id": "feddecaf-0000-0000-0000-1234567890ab", "name": "kmip-client-certificate", "certificate": "-----BEGIN CERTIFICATE-----\\nAAA\\n-----END CERTIFICATE-----", "created_at": "2000-01-23T04:56:07.000Z", "created_by": "IBMid-0000000000" } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "The KMIP Adapter id / name could not be validated. See `reasons` for more details.", "reasons": [ { "code": "INVALID_PATH_PARAM_ERR", "message": "The path_param `adapter_id` must be: a v4 UUID or string matching pattern ^[a-zA-Z0-9-_]{2,40}$", "status": 400, "moreInfo": "https://test.cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "adapter_id" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "The name of the client certificate could not be validated. See `reasons` for more details.", "reasons": [ { "code": "INVALID_PATH_PARAM_ERR", "message": "The path_param `id` must be: a v4 UUID or a string matching pattern `^[a-zA-Z0-9-]*$`.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "id" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: KMIP Client Certificate could not be retrieved: Please see `reasons` for more details (KMIP_CLIENT_CERTIFICATE_NOT_FOUND_ERR)", "reasons": [ { "code": "KMIP_CLIENT_CERTIFICATE_NOT_FOUND_ERR", "message": "kmip_client_certificate does not exist", "status": 404 } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: KMIP Client Certificate(s) could not be retrieved: Please see `reasons` for more details (KMIP_ADAPTER_NOT_FOUND_ERR)", "reasons": [ { "code": "KMIP_ADAPTER_NOT_FOUND_ERR", "message": "kmip_adapter does not exist", "status": 404 } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }
Delete a client certificate from a KMIP Adapter
Removes a client certificate from a KMIP Adapter given its id / name. It might take up to 5 minutes for a KMIP call using deleted certificate to fail authentication.
DELETE /api/v2/kmip_adapters/{adapter_id}/certificates/{id}Request
Custom Headers
The IBM Cloud instance ID that identifies your Key Protect service instance.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$The v4 UUID used to correlate and track transactions.
Possible values: length = 36, Value must match regular expression
^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
Path Parameters
The name or v4 UUID of the KMIP Adapter that uniquely identifies it.
Possible values: 2 ≤ length ≤ 40, Value must match regular expression
^[a-zA-Z0-9-_]{2,40}$The name or v4 UUID of the client certificate that uniquely identifies it.
Possible values: 2 ≤ length ≤ 40, Value must match regular expression
^[a-zA-Z0-9-_]{2,40}$
curl -X DELETE https://<region>.kms.cloud.ibm.com/api/v2/kmip_adapters/<adapter_name>/certificates/<certificate_name> -H 'accept: application/json' -H 'authorization: Bearer <IAM_token>' -H 'bluemix-instance: <instance_ID>' -H 'content-type: application/json'
Response
Status Code
Delete succeeded and no content is returned.
The client certificate associated with the KMIP Adapter could not be deleted due to invalid request data.
Your credentials are invalid or do not have the necessary permissions to make this request. Verify that the given IBM Cloud access token and instance ID are correct. If the error persists, contact the account owner to check your permissions.
Certificate could not be retrieved because a resource could not be found.
Too many requests. Wait a few minutes and try again.
IBM Key Protect is currently unavailable. Your request could not be processed. Try again later. If the problem persists, note the
correlation-IDin the response header and contact IBM Cloud support.
{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "The KMIP Adapter id / name could not be validated. See `reasons` for more details.", "reasons": [ { "code": "INVALID_PATH_PARAM_ERR", "message": "The path_param `adapter_id` must be: a v4 UUID or string matching pattern ^[a-zA-Z0-9-_]{2,40}$", "status": 400, "moreInfo": "https://test.cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "adapter_id" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "The name of the client certificate could not be validated. See `reasons` for more details.", "reasons": [ { "code": "INVALID_PATH_PARAM_ERR", "message": "The path_param `id` must be: a v4 UUID or a string matching pattern `^[a-zA-Z0-9-]*$`.", "status": 400, "moreInfo": "https://cloud.ibm.com/apidocs/key-protect", "target": { "type": "path_param", "name": "id" } } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Unauthorized: The user does not have access to the specified resource." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: KMIP Client Certificate could not be retrieved: Please see `reasons` for more details (KMIP_CLIENT_CERTIFICATE_NOT_FOUND_ERR)", "reasons": [ { "code": "KMIP_CLIENT_CERTIFICATE_NOT_FOUND_ERR", "message": "kmip_client_certificate does not exist", "status": 404 } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Not Found: KMIP Client Certificate could not be deleted: Please see `reasons` for more details (KMIP_ADAPTER_NOT_FOUND_ERR)", "reasons": [ { "code": "KMIP_ADAPTER_NOT_FOUND_ERR", "message": "kmip_adapter does not exist", "status": 404 } ] } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Too Many Requests: Wait a few minutes and try again." } ] }{ "metadata": { "collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1 }, "resources": [ { "errorMsg": "Internal Server Error: IBM Key Protect is currently unavailable. Your request could not be processed. Try again later." } ] }