Update the Google Cloud KMS configuration
PATCH /security/gcp-kms/{uuid}
Introduced In: 9.9
Updates the Google Cloud KMS configuration.
Optional properties
- `application_credentials` - New credentials used to verify the application's identity to the Google Cloud KMS.
- `proxy_type` - Type of proxy (http/https) if proxy configuration is used.
- `proxy_host` - Proxy hostname if proxy configuration is used.
- `proxy_port` - Proxy port number if proxy configuration is used.
- `port` - Authorization server and Google Cloud KMS port number.
- `proxy_username` - Proxy username if proxy configuration is used.
- `proxy_password` - Proxy password if proxy configuration is used.
- `project_id` - Google Cloud project (application) ID of the deployed Google Cloud application with appropriate access to the Google Cloud KMS.
- `key_ring_name` - Google Cloud KMS key ring name of the deployed Google Cloud application with appropriate access to the specified Google Cloud KMS.
- `key_ring_location` - Google Cloud KMS key ring location.
- `cloudkms_host` - Google Cloud KMS host subdomain.
- `oauth_host` - Open authorization server host name.
- `oauth_url` - Open authorization URL for the access token.
- `verify_host` - Verify the identity of the Google Cloud KMS host name.
- `verify_ip` - Verify the identity of the Google Cloud KMS IP address.
- `privileged_account` - Account used to impersonate Google Cloud KMS requests.

Although `project_id`, `key_ring_name` and `key_ring_location` are listed here, ONTAP 9.9.1 rejects any PATCH that modifies them (error 65537732 below). Leave `verify_host` and `verify_ip` enabled: they are the TLS identity checks on the endpoint that holds the key encryption key, and disabling them lets an on-path host stand in for the KMS.
Related ONTAP commands
- `security key-manager external gcp update-credentials`
- `security key-manager external gcp update-config`
Parameters
Name | Type | In | Required | Description |
---|---|---|---|---|
uuid | string | path | True | Google Cloud KMS UUID |
return_timeout | integer | query | False | The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202. |
Request Body
Name | Type | Description |
---|---|---|
_links | _links | |
application_credentials | string | Google Cloud application's service account credentials required to access the specified KMS. It is a JSON file containing an email address and the private key of the service account holder. |
caller_account | string | Google Cloud KMS caller account email. |
cloudkms_host | string | Google Cloud KMS host subdomain. |
ekmip_reachability | array[ekmip_reachability] | |
google_reachability | google_reachability | Indicates whether or not the Google Cloud KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the `fields` query parameter or GET for all advanced properties is enabled. |
key_name | string | Key identifier of the Google Cloud KMS key encryption key. |
key_ring_location | string | Google Cloud KMS key ring location. |
key_ring_name | string | Google Cloud KMS key ring name of the deployed Google Cloud application. |
oauth_host | string | Open authorization server host name. |
oauth_url | string | Open authorization URL for the access token. |
port | integer | Authorization server and Google Cloud KMS port number. |
privileged_account | string | Google Cloud KMS account to impersonate. |
project_id | string | Google Cloud project (application) ID of the deployed Google Cloud application that has appropriate access to the Google Cloud KMS. |
proxy_host | string | Proxy host name. |
proxy_password | string | Proxy password. The password is not audited. |
proxy_port | integer | Proxy port number. |
proxy_type | string | Type of proxy. |
proxy_username | string | Proxy username. |
scope | string | Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster". |
state | state | Google Cloud Key Management Services is a cloud key management service (KMS) that provides a secure store for encryption keys. This object indicates whether or not the Google Cloud KMS key protection is available on all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the `fields` query parameter or GET for all advanced properties is enabled. |
svm | svm | SVM, applies only to SVM-scoped objects. |
uuid | string | A unique identifier for the Google Cloud KMS. |
verify_host | boolean | Verify the identity of the Google Cloud KMS host name. |
verify_ip | boolean | Verify the identity of the Google Cloud KMS IP address. |
Example request
{
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"application_credentials": "{ type: service_account, project_id: project-id, private_key_id: key-id, private_key: -----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n, client_email: service-account-email, client_id: client-id, auth_uri: https://accounts.google.com/o/oauth2/auth, token_uri: https://accounts.google.com/o/oauth2/token, auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs, client_x509_cert_url: https://www.googleapis.com/robot/v1/metadata/x509/service-account-email }",
"caller_account": "myaccount@myproject.com",
"cloudkms_host": "cloudkms.googleapis.com",
"ekmip_reachability": [
{
"code": "346758",
"message": "embedded KMIP server status unavailable on node.",
"node": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "node1",
"uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
}
}
],
"google_reachability": {
"code": "346758",
"message": "Google Cloud KMS is not reachable from all nodes - <reason>."
},
"key_name": "cryptokey1",
"key_ring_location": "global",
"key_ring_name": "gcpapp1-keyring",
"oauth_host": "oauth2.googleapis.com",
"oauth_url": "https://oauth2.googleapis.com/token",
"port": 443,
"privileged_account": "myserviceaccount@myproject.iam.gserviceaccount.com",
"project_id": "gcpapp1",
"proxy_host": "proxy.eng.com",
"proxy_password": "proxypassword",
"proxy_port": 1234,
"proxy_type": "http",
"proxy_username": "proxyuser",
"scope": "string",
"state": {
"code": "346758",
"message": "Top-level internal key protection key (KEK) is unavailable on the following nodes with the associated reasons: Node: node1. Reason: No volumes created yet for the SVM. Wrapped KEK status will be available after creating encrypted volumes."
},
"svm": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "svm1",
"uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
},
"uuid": "1cd8a442-86d1-11e0-ae1c-123478563412",
"verify_host": true,
"verify_ip": true
}
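Worked example, added here and not part of the ONTAP documentation or NetApp's own tooling: a client that assembles a PATCH body for this endpoint, validates the service-account key file before it is sent (so a bad file fails locally instead of as error 65537724), refuses the fields 9.9.1 cannot modify (error 65537732), keeps `verify_host`/`verify_ip` on, and handles the 200/202 split described under `return_timeout`. The HTTP layer is an injected callable so the logic runs without a cluster; the `urllib` transport is a real one. Assumptions: the 202 payload carries the job link at `job._links.self.href`, the `proxy` dict keys mirror the `proxy_*` field names, and the sample key file is constructed and contains no real key.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

# Fields this endpoint refuses to modify in ONTAP 9.9.1 (error 65537732).
IMMUTABLE_FIELDS = ("project_id", "key_ring_name", "key_ring_location")

# Keys a Google service-account key file carries; checked before the file is
# handed to ONTAP so a truncated or wrong file fails here.
REQUIRED_SA_KEYS = ("type", "project_id", "private_key_id", "private_key",
                    "client_email", "token_uri")

# A transport takes (method, url, query_params, json_body) and returns
# (http_status, decoded_json). Injected so the logic runs without a cluster.
Transport = Callable[[str, str, Dict[str, Any], Dict[str, Any]],
                     Tuple[int, Dict[str, Any]]]


def load_application_credentials(key_file_text: str) -> str:
    """Validate a service-account key file; return it as the compact JSON
    string ONTAP expects in the application_credentials field."""
    sa = json.loads(key_file_text)  # ValueError on a non-JSON file
    missing = [k for k in REQUIRED_SA_KEYS if k not in sa]
    if missing:
        raise ValueError(f"service-account key is missing {missing}")
    if sa["type"] != "service_account":
        raise ValueError(f"expected a service_account key, got {sa['type']!r}")
    if not sa["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM-encoded private key")
    return json.dumps(sa, separators=(",", ":"))


def build_patch_body(credentials_text: Optional[str] = None,
                     proxy: Optional[Dict[str, Any]] = None,
                     verify_host: bool = True, verify_ip: bool = True,
                     **fields: Any) -> Dict[str, Any]:
    """Assemble a PATCH body ONTAP will accept that keeps TLS checks on."""
    body: Dict[str, Any] = {}
    if credentials_text is not None:
        body["application_credentials"] = load_application_credentials(credentials_text)
    if proxy:
        # Assumed convention: proxy keys are type/host/port/username/password.
        body.update({f"proxy_{k}": v for k, v in proxy.items()})
    rejected = [f for f in fields if f in IMMUTABLE_FIELDS]
    if rejected:
        raise ValueError(f"cannot PATCH immutable fields {rejected}; recreate the configuration")
    body.update(fields)
    if not (verify_host and verify_ip):
        # Disabling these lets an on-path host impersonate the KMS that holds
        # the wrapping key; refuse rather than send a weakened configuration.
        raise ValueError("verify_host and verify_ip must stay enabled")
    body["verify_host"] = True
    body["verify_ip"] = True
    return body


def patch_gcp_kms(transport: Transport, base_url: str, kms_uuid: str,
                  body: Dict[str, Any], return_timeout: int = 0) -> Tuple[str, Optional[str]]:
    """PATCH /security/gcp-kms/{uuid}. Returns ("ok", None) on 200 and
    ("accepted", job_href) on 202 (the caller polls the job); any other
    status raises with the ONTAP error code and target."""
    url = f"{base_url.rstrip('/')}/api/security/gcp-kms/{kms_uuid}"
    status, payload = transport("PATCH", url, {"return_timeout": return_timeout}, body)
    if status == 200:
        return "ok", None
    if status == 202:
        # Assumed 202 shape: {"job": {"uuid": ..., "_links": {"self": {"href": ...}}}}
        return "accepted", payload["job"]["_links"]["self"]["href"]
    err = payload.get("error", {})
    raise RuntimeError(f"ONTAP error {err.get('code')} on {err.get('target')}: {err.get('message')}")


def urllib_transport(authorization: str) -> Transport:
    """Real transport over the standard library; server TLS verification is never disabled."""
    def send(method, url, params, body):
        req = urllib.request.Request(
            f"{url}?{urllib.parse.urlencode(params)}",
            data=json.dumps(body).encode(), method=method,
            headers={"Authorization": authorization, "Accept": "application/json",
                     "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as exc:
            return exc.code, json.load(exc)  # ONTAP returns the error body as JSON
    return send


# Constructed sample key file (not a real key) for a dry run.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account", "project_id": "gcpapp1", "private_key_id": "key-id",
    "private_key": "-----BEGIN PRIVATE KEY-----\nnot-a-real-key\n-----END PRIVATE KEY-----\n",
    "client_email": "myserviceaccount@myproject.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})
```

Against a live cluster, `patch_gcp_kms(urllib_transport("Basic ..."), "https://cluster", uuid, build_patch_body(open(path).read()), return_timeout=30)` waits up to 30 seconds for the job and otherwise returns the job link to poll. The body always carries `verify_host`/`verify_ip` as `true`, so a credential or proxy update never silently leaves an earlier weakened setting in place.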
Response
Status: 200, Ok
Response
Status: 202, Accepted
Error
Status: Default
ONTAP Error Response Codes
Error Code | Description |
---|---|
65537541 | No inputs were provided for the patch request. |
65537547 | One or more volume encryption keys for encrypted volumes of this data SVM are stored in the key manager configured for the admin SVM. Use the REST API POST method to migrate this data SVM's keys from the admin SVM's key manager to this data SVM's key manager before running the rekey operation. |
65537605 | Failed to establish connectivity with the cloud key management service. |
65537713 | Internal error. Failed to store the application credentials. |
65537714 | The "application_credentials" field must be specified. |
65537721 | The Google Cloud Key Management Service is not configured for the SVM. |
65537724 | Failed to update the Google Cloud Key Management Service because invalid application credentials were provided. |
65537732 | ONTAP 9.9.1 does not allow modification of the following fields: "project_id", "key_ring_name" and "key_ring_location". |
Also see the table of common errors in the Response body overview section of this documentation.
Name | Type | Description |
---|---|---|
error | returned_error | |
Example error
{
"error": {
"arguments": [
{
"code": "string",
"message": "string"
}
],
"code": "4",
"message": "entry doesn't exist",
"target": "uuid"
}
}
Definitions
See Definitions
href
Name | Type | Description |
---|---|---|
href | string | |
_links
Name | Type | Description |
---|---|---|
self | href | |
node
Name | Type | Description |
---|---|---|
_links | _links | |
name | string | |
uuid | string | |
ekmip_reachability
Provides the connectivity status for the given SVM on the given node to all EKMIP servers configured on all nodes of the cluster.
This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the `fields` query parameter or GET for all advanced properties is enabled.
Name | Type | Description |
---|---|---|
code | string | Code corresponding to the error message. Returns 0 if the given SVM is able to communicate with the EKMIP servers of all of the nodes in the cluster. |
message | string | Error message set when cluster-wide EKMIP server availability from the given SVM and node is false. |
node | node | |
reachable | boolean | Set to true if the given SVM on the given node is able to communicate with all EKMIP servers configured on all nodes in the cluster. |
google_reachability
Indicates whether or not the Google Cloud KMS is reachable from all nodes in the cluster.
This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the `fields` query parameter or GET for all advanced properties is enabled.
Name | Type | Description |
---|---|---|
code | string | Code corresponding to the error message. Returns 0 if the Google Cloud KMS is reachable from all nodes in the cluster. |
message | string | Set to the error message when 'reachable' is false. |
reachable | boolean | Set to true if the Google Cloud KMS is reachable from all nodes of the cluster. |
state
Google Cloud Key Management Services is a cloud key management service (KMS) that provides a secure store for encryption keys. This object indicates whether or not the Google Cloud KMS key protection is available on all nodes in the cluster.
This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the `fields` query parameter or GET for all advanced properties is enabled.
Name | Type | Description |
---|---|---|
cluster_state | boolean | Set to true when Google Cloud KMS key protection is available on all nodes of the cluster. |
code | string | Error code corresponding to the status message. Returns 0 if Google Cloud KMS key protection is available on all nodes of the cluster. |
message | string | Error message set when top-level internal key protection key (KEK) availability on the cluster is false. |
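Worked example, added here and not part of the ONTAP documentation or NetApp's own tooling, covering the `ekmip_reachability`, `google_reachability` and `state` objects above: a post-update health check that reads a `gcp_kms` record fetched with `?fields=state,google_reachability,ekmip_reachability` and turns the three advanced status objects into a list of findings. A status object that is absent is itself reported, because an instance GET without `fields=` leaves these properties unpopulated and silence must not be read as health. The two records are constructed in the shape of the definitions above; the failure reason text in the degraded one is invented for the sample.

```python
from typing import Any, Dict, List

# Advanced properties are omitted unless named in ?fields=; this is the query
# a post-update health check should send.
HEALTH_FIELDS = "state,google_reachability,ekmip_reachability"


def health_query(kms_uuid: str) -> str:
    """Path of an instance GET that populates the three advanced properties."""
    return f"/api/security/gcp-kms/{kms_uuid}?fields={HEALTH_FIELDS}"


def _is_ok(obj: Dict[str, Any], flag: str) -> bool:
    # Each status object carries a boolean flag plus a code that is "0" when
    # healthy; trust the flag and fall back to the code if the flag is absent.
    if flag in obj:
        return bool(obj[flag])
    return str(obj.get("code", "")) == "0"


def kms_problems(record: Dict[str, Any]) -> List[str]:
    """Return findings for one gcp_kms record; an empty list means healthy."""
    problems: List[str] = []

    google = record.get("google_reachability")
    if google is None:
        problems.append("google_reachability not returned; add it to ?fields=")
    elif not _is_ok(google, "reachable"):
        problems.append(f"KMS unreachable from some node (code {google.get('code')}): "
                        f"{google.get('message')}")

    state = record.get("state")
    if state is None:
        problems.append("state not returned; add it to ?fields=")
    elif not _is_ok(state, "cluster_state"):
        # The example request on this page shows cluster_state false on an SVM
        # with no encrypted volumes yet; still report it so an operator decides.
        problems.append(f"KEK unavailable on some node (code {state.get('code')}): "
                        f"{state.get('message')}")

    # One entry per node; any node that cannot reach every EKMIP server in the
    # cluster will not be able to unwrap keys after a failover to it.
    for entry in record.get("ekmip_reachability", []):
        if not _is_ok(entry, "reachable"):
            node = entry.get("node", {}).get("name", "<unknown node>")
            problems.append(f"{node}: EKMIP path broken (code {entry.get('code')}): "
                            f"{entry.get('message')}")

    return problems


# Constructed sample records in the shape of the definitions above.
HEALTHY_RECORD = {
    "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412",
    "google_reachability": {"reachable": True, "code": "0", "message": ""},
    "state": {"cluster_state": True, "code": "0", "message": ""},
    "ekmip_reachability": [
        {"reachable": True, "code": "0", "message": "", "node": {"name": "node1"}},
        {"reachable": True, "code": "0", "message": "", "node": {"name": "node2"}},
    ],
}

DEGRADED_RECORD = {
    "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412",
    "google_reachability": {
        "reachable": False, "code": "346758",
        "message": "Google Cloud KMS is not reachable from all nodes - proxy refused connection.",
    },
    "state": {"cluster_state": True, "code": "0", "message": ""},
    "ekmip_reachability": [
        {"reachable": True, "code": "0", "message": "", "node": {"name": "node1"}},
        {"reachable": False, "code": "346758",
         "message": "embedded KMIP server status unavailable on node.",
         "node": {"name": "node2"}},
    ],
}
```

Run `kms_problems` on the JSON returned by `GET` + `health_query(uuid)` after every PATCH; a credential rotation that succeeded with 200 can still leave one node unable to reach the KMS through a changed proxy, and that node only shows up in `google_reachability` or `ekmip_reachability`, not in the PATCH status.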
svm
SVM, applies only to SVM-scoped objects.
Name | Type | Description |
---|---|---|
_links | _links | |
name | string | The name of the SVM. This field cannot be specified in a PATCH method. |
uuid | string | The unique identifier of the SVM. This field cannot be specified in a PATCH method. |
gcp_kms
Name | Type | Description |
---|---|---|
_links | _links | |
application_credentials | string | Google Cloud application's service account credentials required to access the specified KMS. It is a JSON file containing an email address and the private key of the service account holder. |
caller_account | string | Google Cloud KMS caller account email. |
cloudkms_host | string | Google Cloud KMS host subdomain. |
ekmip_reachability | array[ekmip_reachability] | |
google_reachability | google_reachability | Indicates whether or not the Google Cloud KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the `fields` query parameter or GET for all advanced properties is enabled. |
key_name | string | Key identifier of the Google Cloud KMS key encryption key. |
key_ring_location | string | Google Cloud KMS key ring location. |
key_ring_name | string | Google Cloud KMS key ring name of the deployed Google Cloud application. |
oauth_host | string | Open authorization server host name. |
oauth_url | string | Open authorization URL for the access token. |
port | integer | Authorization server and Google Cloud KMS port number. |
privileged_account | string | Google Cloud KMS account to impersonate. |
project_id | string | Google Cloud project (application) ID of the deployed Google Cloud application that has appropriate access to the Google Cloud KMS. |
proxy_host | string | Proxy host name. |
proxy_password | string | Proxy password. The password is not audited. |
proxy_port | integer | Proxy port number. |
proxy_type | string | Type of proxy. |
proxy_username | string | Proxy username. |
scope | string | Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster". |
state | state | Google Cloud Key Management Services is a cloud key management service (KMS) that provides a secure store for encryption keys. This object indicates whether or not the Google Cloud KMS key protection is available on all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the `fields` query parameter or GET for all advanced properties is enabled. |
svm | svm | SVM, applies only to SVM-scoped objects. |
uuid | string | A unique identifier for the Google Cloud KMS. |
verify_host | boolean | Verify the identity of the Google Cloud KMS host name. |
verify_ip | boolean | Verify the identity of the Google Cloud KMS IP address. |
error_arguments
Name | Type | Description |
---|---|---|
code | string | Argument code |
message | string | Message argument |
returned_error
Name | Type | Description |
---|---|---|
arguments | array[error_arguments] | Message arguments |
code | string | Error code |
message | string | Error message |
target | string | The target parameter that caused the error. |