
Configure the AWS KMS configuration for an SVM

POST /security/aws-kms

Introduced In: 9.12

Creates an AWS KMS configuration for the specified SVM.

Required properties

  • access_key_id - AWS access key ID of the user who has the appropriate access to AWS KMS.

  • secret_access_key - AWS secret access key for the access key ID provided.

  • svm.uuid or svm.name - Existing SVM in which to create the AWS KMS configuration.

  • region - AWS region of the AWS KMS.

  • key_id - AWS KMS key ID.

Optional properties

  • service - AWS service type.

  • default_domain - AWS KMS default domain.

  • host - AWS KMS host's hostname.

  • port - AWS KMS port.

  • proxy_type - Type of proxy (http, https, etc.), if proxy configuration is used.

  • proxy_host - Proxy hostname if proxy configuration is used.

  • proxy_port - Proxy port number if proxy configuration is used.

  • proxy_username - Proxy username if proxy configuration is used.

  • proxy_password - Proxy password if proxy configuration is used.

  • polling_period - Polling period in minutes.

  • encryption_context - AWS KMS encryption context: non-secret additional authenticated data that is bound to the key operations, must match on decrypt, and is recorded in AWS CloudTrail.

Related ONTAP commands

  • security key-manager external aws enable

Parameters

Name Type In Required Description

return_records

boolean

query

False

The default is false. If set to true, the records are returned.

Request Body

Name Type Description

_links

_links

access_key_id

string

AWS Access Key ID of the user that has appropriate access to AWS KMS.

amazon_reachability

amazon_reachability

Indicates whether or not the Amazon KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.

default_domain

string

AWS KMS default domain.

ekmip_reachability

array[ekmip_reachability]

encryption_context

string

Additional layer of authentication and logging.

host

string

AWS KMS host's hostname.

key_id

string

AWS Key ID.

polling_period

integer

Polling period in minutes.

port

integer

AWS KMS port.

proxy_host

string

Proxy host.

proxy_password

string

Proxy password. The password is not written to the audit log.

proxy_port

integer

Proxy port.

proxy_type

string

Proxy type.

proxy_username

string

Proxy username.

region

string

AWS region of the AWS KMS.

scope

string

Set to "svm" for configurations owned by an SVM. Otherwise, set to "cluster".

secret_access_key

string

AWS Secret Access Key for the provided access key ID.

service

string

AWS service type.

skip_verify

boolean

Set to true to bypass verification of the user provided access_key_id and secret_access_key. An error will be returned if 'skip_verify' is provided but 'access_key_id' is not.

state

state

Indicates whether or not the Amazon Web Services Key Management Service (AWS KMS) key protection is available cluster-wide.

svm

svm

SVM, applies only to SVM-scoped objects.

timeout

integer

AWS connection timeout, in seconds.

uuid

string

A unique identifier for the AWS KMS.

verify

boolean

Set to true to verify the AWS KMS host.

verify_host

boolean

Set to true to verify the AWS KMS host's hostname.

verify_ip

boolean

Set to true to verify the AWS KMS host's IP address.

Example request
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "access_key_id": "<id_value>",
  "amazon_reachability": {
    "code": "346758",
    "message": "Amazon KMS is not reachable from all nodes - <reason>."
  },
  "default_domain": "domainName",
  "ekmip_reachability": [
    {
      "code": "346758",
      "message": "embedded KMIP server status unavailable on node.",
      "node": {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "name": "node1",
        "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
      }
    }
  ],
  "encryption_context": "aws:fsx:fs-id=fs-0785c8beceb895999",
  "host": "aws-host.host.com",
  "key_id": "kmip-aws",
  "polling_period": 55,
  "port": 443,
  "proxy_host": "proxy.eng.com",
  "proxy_password": "awskze-Jwjje2-WJJPer",
  "proxy_port": 1234,
  "proxy_type": "http",
  "proxy_username": "proxyuser",
  "region": "us-east-1",
  "scope": "string",
  "secret_access_key": "<id_value>",
  "service": "dynamodb.*.amazonaws.com",
  "skip_verify": "",
  "state": {
    "code": "346758",
    "message": "AWS KMS key protection is unavailable on the following nodes: node1, node2."
  },
  "svm": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  },
  "timeout": 20,
  "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412",
  "verify": "",
  "verify_host": 1,
  "verify_ip": ""
}
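The generated example request above is the schema's placeholder view: it lists read-only response properties (uuid, _links, state, amazon_reachability, ekmip_reachability) alongside the writable ones and fills booleans with "" and 1. A real POST sends only the writable properties. The following is an added example, not ONTAP's own client code, that builds such a body, enforces the required properties and the documented skip_verify rule, and submits it over TLS with verification left on. The cluster name, credentials, SVM name and key ID in the __main__ block are placeholders.

```python
"""Build and submit a minimal POST /security/aws-kms request.

Added example, not ONTAP's own client code. Assumes an ONTAP cluster
management interface reachable over HTTPS; the cluster name, credentials,
SVM name and key ID used in __main__ are placeholders.
"""
import base64
import json
import ssl
import urllib.request

# Properties the API marks as required for POST (plus svm.name or svm.uuid).
REQUIRED = ("access_key_id", "secret_access_key", "region", "key_id")


def build_aws_kms_body(*, access_key_id, secret_access_key, region, key_id,
                       svm_name=None, svm_uuid=None, encryption_context=None,
                       proxy=None, polling_period=None, skip_verify=None):
    """Return the JSON body for the POST.

    Only writable properties are emitted: uuid, _links, state,
    amazon_reachability and ekmip_reachability are populated by ONTAP
    and belong in the response, not the request.
    """
    body = {
        "access_key_id": access_key_id,
        "secret_access_key": secret_access_key,
        "region": region,
        "key_id": key_id,
    }
    missing = [name for name in REQUIRED if not body[name]]
    if missing:
        raise ValueError("missing required properties: " + ", ".join(missing))
    if not (svm_name or svm_uuid):
        raise ValueError("svm.name or svm.uuid is required")
    # svm.uuid is unambiguous; prefer it when both are known.
    body["svm"] = {"uuid": svm_uuid} if svm_uuid else {"name": svm_name}
    if encryption_context:
        body["encryption_context"] = encryption_context
    if proxy:
        # proxy: dict with type/host/port and optional username/password
        body["proxy_type"] = proxy["type"]
        body["proxy_host"] = proxy["host"]
        body["proxy_port"] = int(proxy["port"])
        for name in ("username", "password"):
            if proxy.get(name):
                body["proxy_" + name] = proxy[name]
    if polling_period is not None:
        body["polling_period"] = int(polling_period)
    if skip_verify is not None:
        # Documented rule: skip_verify without access_key_id is an error;
        # access_key_id is already guaranteed present above.
        body["skip_verify"] = bool(skip_verify)
    return body


def post_aws_kms(cluster, username, password, body, cafile=None, timeout=30):
    """POST the body with return_records=true; return (status, Location, json).

    TLS verification stays enabled. For a private CA, pass cafile instead of
    turning verification off.
    """
    context = ssl.create_default_context(cafile=cafile)
    url = "https://%s/api/security/aws-kms?return_records=true" % cluster
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    request = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": "Basic " + token,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(request, context=context, timeout=timeout) as resp:
        return resp.status, resp.headers.get("Location"), json.load(resp)


if __name__ == "__main__":
    body = build_aws_kms_body(
        access_key_id="<access-key-id>", secret_access_key="<secret-access-key>",
        region="us-east-1", key_id="<kms-key-id>", svm_name="svm1",
        encryption_context="aws:fsx:fs-id=<fs-id>",
    )
    shown = dict(body, secret_access_key="***")  # never print the secret
    print(json.dumps(shown, indent=2))
    # status, location, payload = post_aws_kms("<cluster-mgmt-lif>", "admin", "<password>", body)
```

The IAM credentials are the sensitive input here: they are sent once in the POST body and then held by ONTAP, so hand them to this script from a secrets store rather than a shell history, and keep the AWS key policy scoped to the single KMS key named in key_id.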

Response

Status: 201, Created
Name Type Description

_links

_links

num_records

integer

Number of records

records

array[aws_kms]

Example response
{
  "_links": {
    "next": {
      "href": "/api/resourcelink"
    },
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "num_records": 1,
  "records": [
    {
      "_links": {
        "self": {
          "href": "/api/resourcelink"
        }
      },
      "access_key_id": "<id_value>",
      "amazon_reachability": {
        "code": "346758",
        "message": "Amazon KMS is not reachable from all nodes - <reason>."
      },
      "default_domain": "domainName",
      "ekmip_reachability": [
        {
          "code": "346758",
          "message": "embedded KMIP server status unavailable on node.",
          "node": {
            "_links": {
              "self": {
                "href": "/api/resourcelink"
              }
            },
            "name": "node1",
            "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
          }
        }
      ],
      "encryption_context": "aws:fsx:fs-id=fs-0785c8beceb895999",
      "host": "aws-host.host.com",
      "key_id": "kmip-aws",
      "polling_period": 55,
      "port": 443,
      "proxy_host": "proxy.eng.com",
      "proxy_password": "awskze-Jwjje2-WJJPer",
      "proxy_port": 1234,
      "proxy_type": "http",
      "proxy_username": "proxyuser",
      "region": "us-east-1",
      "scope": "string",
      "secret_access_key": "<id_value>",
      "service": "dynamodb.*.amazonaws.com",
      "skip_verify": "",
      "state": {
        "code": "346758",
        "message": "AWS KMS key protection is unavailable on the following nodes: node1, node2."
      },
      "svm": {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "name": "svm1",
        "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
      },
      "timeout": 20,
      "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412",
      "verify": "",
      "verify_host": 1,
      "verify_ip": ""
    }
  ]
}
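A 201 only means the record was created. Whether key protection actually works is reported in state, amazon_reachability and ekmip_reachability, and the created record echoes the proxy password and secret access key, so a client must inspect the first and mask the second before anything is logged. The following is an added example, not ONTAP's own code, that does both; SAMPLE_RESPONSE is constructed in the shape of the documented example (UUIDs, names and messages are placeholders), not captured from a cluster.

```python
"""Interpret the 201 response from POST /security/aws-kms.

Added example, not ONTAP's own client code. SAMPLE_RESPONSE is constructed
in the documented response shape; values are placeholders.
"""
import copy

# Fields the API echoes back that must never reach a log line.
SECRET_FIELDS = ("secret_access_key", "proxy_password")

# Constructed sample: cluster-wide key protection is down on two nodes,
# the EKMIP server on node1 is unreachable, and verify was left false.
SAMPLE_RESPONSE = {
    "num_records": 1,
    "records": [{
        "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412",
        "svm": {"name": "svm1", "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"},
        "access_key_id": "<access-key-id>",
        "secret_access_key": "placeholder-secret",
        "region": "us-east-1", "key_id": "kmip-aws",
        "proxy_type": "http", "proxy_host": "proxy.eng.com", "proxy_port": 1234,
        "proxy_username": "proxyuser", "proxy_password": "placeholder-proxy-password",
        "verify": False, "verify_host": True, "verify_ip": True,
        "state": {"cluster_state": False, "code": "346758",
                  "message": "AWS KMS key protection is unavailable on the "
                             "following nodes: node1, node2."},
        "amazon_reachability": {"reachable": True, "code": "0", "message": ""},
        "ekmip_reachability": [{
            "reachable": False, "code": "346758",
            "message": "embedded KMIP server status unavailable on node.",
            "node": {"name": "node1", "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"}}],
    }],
}


def redact(record):
    """Copy of record with credential fields masked; safe to log or print."""
    out = copy.deepcopy(record)
    for key in SECRET_FIELDS:
        if out.get(key):
            out[key] = "***REDACTED***"
    return out


def _not_ok(status):
    """True when a state/reachability object reports a problem.

    Per the definitions, code "0" together with reachable/cluster_state
    true means healthy. An absent object (advanced property not requested)
    carries no verdict and is not treated as a failure.
    """
    if not status:
        return False
    flag = status.get("reachable", status.get("cluster_state"))
    return flag is False or str(status.get("code", "0")) != "0"


def assess(record):
    """Return a list of findings for one aws_kms record; empty means healthy."""
    findings = []
    if _not_ok(record.get("state")):
        findings.append("key protection: " + record["state"].get("message", ""))
    if _not_ok(record.get("amazon_reachability")):
        findings.append("amazon_reachability: "
                        + record["amazon_reachability"].get("message", ""))
    for entry in record.get("ekmip_reachability") or []:
        if _not_ok(entry):
            node = (entry.get("node") or {}).get("name", "unknown")
            findings.append("ekmip_reachability[%s]: %s" % (node, entry.get("message", "")))
    for flag in ("verify", "verify_host", "verify_ip"):
        if record.get(flag) is False:
            findings.append("%s is false: AWS KMS host verification weakened" % flag)
    return findings


def handle_response(status, payload):
    """Validate a POST result; return (redacted_record, findings) or raise."""
    if status != 201:
        raise RuntimeError("unexpected HTTP status %s" % status)
    records = payload.get("records") or []
    if payload.get("num_records") != 1 or len(records) != 1:
        raise RuntimeError("expected exactly one created record")
    record = records[0]
    return redact(record), assess(record)


if __name__ == "__main__":
    rec, findings = handle_response(201, SAMPLE_RESPONSE)
    print("created", rec["uuid"], "for svm", rec["svm"]["name"])
    for finding in findings:
        print("  finding:", finding)
```

Treat any finding from state or ekmip_reachability as a failed deployment rather than a warning: volumes on that SVM depend on the cluster reaching the AWS key, and a record that exists but cannot serve keys is worse than no record, because it blocks a second POST with error 65537910 until it is deleted.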

Headers

Name Description Type

Location

Useful for tracking the resource location

string

Error

Status: Default

ONTAP Error Response Codes

Error Code Description

3735622

Certificate type not supported for create operation.

3735645

You cannot specify a value for serial as it is generated automatically.

3735657

Specifying "-subtype" when creating a certificate is not supported.

3735664

Specified key size is not supported in FIPS mode.

3735665

Specified hash function is not supported in FIPS mode.

3735700

Specified key size is not supported.

65536600

Nodes are out of quorum.

65537518

Failed to find a LIF with Cluster role on node. One or more nodes may be out of quorum.

65537900

Failed to enable the Amazon Web Service Key Management Service for an SVM due to an invalid secret access key.

65537901

The Amazon Web Service Key Management Service (AWSKMS) cannot be enabled because all nodes in the cluster are not running a version that supports the AWSKMS feature.

65537906

Failed to store the secret access key.

65537907

The Amazon Web Service Key Management Service is disabled on the cluster. For further assistance, contact technical support.

65537908

The Amazon Web Service Key Management Service is not supported for the admin SVM.

65537910

Failed to configure Amazon Web Service Key Management Service for an SVM because a key manager has already been configured for the SVM.

65537911

The Amazon Web Service Key Management Service is not supported in MetroCluster configurations.

65537912

The Amazon Web Service Key Management Service cannot be configured for an SVM because one or more volume encryption keys of the SVM are stored on the admin SVM.

65537926

The Amazon Web Service Key Management Service is not configured for this SVM.

Also see the table of common errors in the Response body overview section of this documentation.

Name Type Description

error

returned_error

Example error
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions

href

Name Type Description

href

string

_links

Name Type Description

self

href

amazon_reachability

Indicates whether or not the Amazon KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.

Name Type Description

code

string

Code corresponding to the error message. Returns a 0 if Amazon KMS is reachable from all nodes in the cluster.

message

string

Error message returned when 'reachable' is false.

reachable

boolean

Set to true if the Amazon KMS is reachable from all nodes of the cluster.

node

Name Type Description

_links

_links

name

string

uuid

string

ekmip_reachability

Provides the connectivity status for the given SVM on the given node to all EKMIP servers configured on all nodes of the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.

Name Type Description

code

string

Code corresponding to the error message. Returns a 0 if a given SVM is able to communicate to the EKMIP servers of all of the nodes in the cluster.

message

string

Error message set when cluster-wide EKMIP server availability from the given SVM and node is false.

node

node

reachable

boolean

Set to true if the given SVM on the given node is able to communicate to all EKMIP servers configured on all nodes in the cluster.

state

Indicates whether or not the Amazon Web Services Key Management Service (AWS KMS) key protection is available cluster-wide.

Name Type Description

cluster_state

boolean

Set to true when AWS KMS key protection is available on all nodes of the cluster.

code

string

Code corresponding to the message. Returns a 0 if AWS KMS key protection is available on all nodes of the cluster.

message

string

Error message set when cluster_state is false.

svm

SVM, applies only to SVM-scoped objects.

Name Type Description

_links

_links

name

string

The name of the SVM. This field cannot be specified in a PATCH method.

uuid

string

The unique identifier of the SVM. This field cannot be specified in a PATCH method.

aws_kms

Name Type Description

_links

_links

access_key_id

string

AWS Access Key ID of the user that has appropriate access to AWS KMS.

amazon_reachability

amazon_reachability

Indicates whether or not the Amazon KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.

default_domain

string

AWS KMS default domain.

ekmip_reachability

array[ekmip_reachability]

encryption_context

string

Additional layer of authentication and logging.

host

string

AWS KMS host's hostname.

key_id

string

AWS Key ID.

polling_period

integer

Polling period in minutes.

port

integer

AWS KMS port.

proxy_host

string

Proxy host.

proxy_password

string

Proxy password. The password is not written to the audit log.

proxy_port

integer

Proxy port.

proxy_type

string

Proxy type.

proxy_username

string

Proxy username.

region

string

AWS region of the AWS KMS.

scope

string

Set to "svm" for configurations owned by an SVM. Otherwise, set to "cluster".

secret_access_key

string

AWS Secret Access Key for the provided access key ID.

service

string

AWS service type.

skip_verify

boolean

Set to true to bypass verification of the user provided access_key_id and secret_access_key. An error will be returned if 'skip_verify' is provided but 'access_key_id' is not.

state

state

Indicates whether or not the Amazon Web Services Key Management Service (AWS KMS) key protection is available cluster-wide.

svm

svm

SVM, applies only to SVM-scoped objects.

timeout

integer

AWS connection timeout, in seconds.

uuid

string

A unique identifier for the AWS KMS.

verify

boolean

Set to true to verify the AWS KMS host.

verify_host

boolean

Set to true to verify the AWS KMS host's hostname.

verify_ip

boolean

Set to true to verify the AWS KMS host's IP address.

_links

Name Type Description

next

href

self

href

error_arguments

Name Type Description

code

string

Argument code

message

string

Message argument

returned_error

Name Type Description

arguments

array[error_arguments]

Message arguments

code

string

Error code

message

string

Error message

target

string

The target parameter that caused the error.