Retrieving key metadata
You can retrieve the general characteristics of a single encryption key by using IBM® Key Protect for IBM Cloud®.
While you can assign fine-grained access to a single key, the list keys API does not return keys with individual access permissions. In other words, it does not return keys that only you can access. However, calling this API returns the keys in key rings you have access to. If you have access to all keys in an instance, you see all keys. You can view keys with individual access permissions by following the instructions in Granting access to keys to view the key through IAM. Alternatively, use the API to pass the specific key ID.
Retrieving a key requires a Writer or Manager access policy. However, you might need to view only the details about a key without retrieving the key itself. For example, you might want to view the key's transition history or configuration. If you have Reader access permissions, you can use the Key Protect API to retrieve only metadata about a key.
Viewing key metadata with the API
To view detailed information about a specific key, you can make a GET call to the following endpoint.
https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/metadata
-
Retrieve your authentication credentials to work with keys in the service.
-
Retrieve the ID of the key that you would like to inspect.
The ID value is used to access detailed information about the key. You can find the ID for a key in your Key Protect instance by retrieving a list of your keys, or by accessing the Key Protect dashboard.
-
Get details about the key by running the following
curlcommand.$ curl -X GET \ "https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID_or_alias>/metadata" \ -H "accept: application/vnd.ibm.kms.key+json" \ -H "authorization: Bearer <IAM_token>" \ -H "bluemix-instance: <instance_ID>" \ -H "x-kms-key-ring: <key_ring_ID>" \ -H "correlation-id: <correlation_ID>"Replace the variables in the example request according to the following table.
| Variable | Description |
|---|---|
| region | Required. The region abbreviation, such as us-south or eu-gb, that represents the geographic area where your Key Protect instance resides. For more information, see Regional service endpoints. |
| key_ID_or_alias | Required. The unique identifier or alias for the key that you want to inspect. |
| IAM_token | Required. Your IBM Cloud access token. Include the full contents of the IAM token, including the Bearer value, in the curl request. For more information, see Retrieving an access token. |
| instance_ID | Required. The unique identifier that is assigned to your Key Protect service instance. For more information, see Retrieving an instance ID. |
| key_ring_ID | Optional. The unique identifier of the key ring that the key is a part of. If unspecified, Key Protect searches for the key in every key ring that is associated with the specified instance. Specifying the key ring ID is
recommended for a more optimized request. The key ring ID of keys that are created without an x-kms-key-ring header is default. For more information, see Grouping keys. |
| correlation_ID | Optional. The unique identifier that is used to track and correlate transactions. |
A successful GET api/v2/keys/<key_ID_or_alias>/metadata response returns details about your key. The following JSON object shows an example returned value for a standard key.
{
"metadata": {
"collectionType": "application/vnd.ibm.kms.key+json",
"collectionTotal": 1
},
"resources": [
{
"type": "application/vnd.ibm.kms.key+json",
"id": "02fd6835-6001-4482-a892-13bd2085f75d",
"name": "test-standard-key",
"aliases": [
"alias-1",
"alias-2"
],
"state": 1,
"expirationDate": "2020-03-15T03:50:12Z",
"extractable": true,
"crn": "crn:v1:bluemix:public:kms:us-south:a/f047b55a3362ac06afad8a3f2f5586ea:12e8c9c2-a162-472d-b7d6-8b9a86b815a6:key:02fd6835-6001-4482-a892-13bd2085f75d",
"imported": false,
"creationDate": "2020-03-12T03:50:12Z",
"createdBy": "...",
"algorithmType": "Deprecated",
"algorithmMetadata": {
"bitLength": "256",
"mode": "Deprecated"
},
"algorithmBitSize": 256,
"algorithmMode": "Deprecated",
"lastUpdateDate": "2020-03-12T03:50:12Z",
"dualAuthDelete": {
"enabled": false
},
"deleted": false
}
]
}
Next steps
Need to retrieve the payload value for a standard key? To learn more, see
Retrieving a key.
For a detailed description of the response parameters, see the Key Protect REST API reference doc.