
Create a Google Cloud KMS configuration for an SVM


POST /security/gcp-kms

Introduced In: 9.9

Creates a Google Cloud KMS configuration for the specified SVM and enables Google Cloud KMS as the SVM's external key manager.

Required properties

  • svm.uuid or svm.name - Existing SVM in which to create the Google Cloud KMS configuration.

  • project_id - Google Cloud project (application) ID of the deployed Google Cloud application with appropriate access to the Google Cloud KMS.

  • key_ring_name - Name of the Google Cloud KMS key ring that holds the key encryption key.

  • key_ring_location - Google Cloud KMS key ring location.

  • key_name - Key identifier of the Google Cloud KMS key encryption key.

  • application_credentials - Google Cloud service account credentials required to access the specified KMS. This is the contents of the service account's JSON key file (it contains the client_email and the private key), passed as a single JSON-escaped string value, not as a nested object. Grant that service account only the Cloud KMS permissions it needs on the named key rather than reusing a project-wide owner or editor account. ONTAP encrypts the credentials before storing them (see error codes 65537706 and 65537713 below).

Optional properties

  • proxy_type - Type of proxy (http/https) if proxy configuration is used.

  • proxy_host - Proxy hostname if proxy configuration is used.

  • proxy_port - Proxy port number if proxy configuration is used.

  • proxy_username - Proxy username if proxy configuration is used.

  • proxy_password - Proxy password if proxy configuration is used.

  • port - Authorization server and Google Cloud KMS port number.

  • cloudkms_host - Google Cloud KMS host subdomain.

  • oauth_host - OAuth 2.0 authorization server host name.

  • oauth_url - OAuth 2.0 token endpoint URL used to obtain the access token.

  • privileged_account - Service account to impersonate for Google Cloud KMS requests. Must be an email address or an empty string (see error code 65537740 below).

Related ONTAP commands

  • security key-manager external gcp enable
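The properties above are the inputs a client has to assemble before calling this endpoint. The following is an added example, not ONTAP or NetApp code, showing how to turn a downloaded service-account key file into a valid request body: it checks that the file is actually a service-account key (the failure ONTAP would otherwise report as error 65537719), serializes it into the string-typed application_credentials field, keeps the verify_host and verify_ip identity checks enabled, and produces a copy safe for logging. The field names are the ones documented on this page; the key-file layout is Google's standard service-account JSON key format; SAMPLE_KEY is constructed and contains no real key material; the helper names (validate_service_account_key, build_gcp_kms_body, redacted) are this example's own.

```python
"""Build the POST /api/security/gcp-kms request body from a service-account key file.

Added example, not ONTAP code. Body field names follow the API reference on this
page; the key-file layout is Google's standard service-account JSON key.
SAMPLE_KEY is constructed and contains no real key material.
"""
import json
import re

REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email")
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN PRIVATE KEY-----\n.+\n-----END PRIVATE KEY-----\n?", re.DOTALL
)
# Fields that must never reach a log line.
SECRET_FIELDS = ("application_credentials", "proxy_password")

# Constructed sample of a downloaded service-account key (placeholder values).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "gcpapp1",
    "private_key_id": "key-id",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEv...placeholder...\n-----END PRIVATE KEY-----\n",
    "client_email": "gcpapp1-sa@gcpapp1.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def validate_service_account_key(key: dict) -> dict:
    """Fail fast on a key file ONTAP would reject with 65537719 (invalid credentials)."""
    missing = [f for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if missing:
        raise ValueError(f"service-account key is missing {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"expected a service_account key, got {key['type']!r}")
    if not PEM_PRIVATE_KEY.fullmatch(key["private_key"]):
        raise ValueError("private_key is not a PEM 'PRIVATE KEY' block")
    return key


def build_gcp_kms_body(svm_name, project_id, key_ring_name, key_ring_location,
                       key_name, key, proxy=None, privileged_account=None):
    """Return the JSON body for POST /api/security/gcp-kms.

    project_id is taken explicitly rather than from the key file because the
    key ring may live in a project other than the one owning the service account.
    """
    validate_service_account_key(key)
    body = {
        "svm": {"name": svm_name},
        "project_id": project_id,
        "key_ring_name": key_ring_name,
        "key_ring_location": key_ring_location,
        "key_name": key_name,
        # application_credentials is a string field: the key JSON is serialized
        # and embedded as one string, not nested as an object.
        "application_credentials": json.dumps(key),
        # Keep the KMS endpoint identity checks on so key-wrapping traffic
        # cannot be redirected to an impostor host.
        "verify_host": True,
        "verify_ip": True,
    }
    if proxy:
        body["proxy_type"] = proxy["type"]
        body["proxy_host"] = proxy["host"]
        body["proxy_port"] = int(proxy["port"])
        if proxy.get("username"):
            body["proxy_username"] = proxy["username"]
            body["proxy_password"] = proxy["password"]
    if privileged_account is not None:
        # ONTAP error 65537740: must be an email address or an empty string.
        if privileged_account and "@" not in privileged_account:
            raise ValueError("privileged_account must be an email address or ''")
        body["privileged_account"] = privileged_account
    return body


def redacted(body: dict) -> dict:
    """Copy of the body that is safe to log; ONTAP itself does not audit proxy_password."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in body.items()}


if __name__ == "__main__":
    req = build_gcp_kms_body("svm1", "gcpapp1", "gcpapp1-keyring", "global",
                             "cryptokey1", SAMPLE_KEY,
                             proxy={"type": "http", "host": "proxy.eng.com", "port": 1234})
    print(json.dumps(redacted(req), indent=2))
```

Send the returned dictionary as the JSON body of the POST over HTTPS; only the redacted copy should ever be written to a log or ticket, since the body carries the service account's private key and, when a proxy is configured, the proxy password.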

Parameters

  • return_records (boolean, query, optional): The default is false. If set to true, the records are returned.

Request Body

  • _links (_links)

  • application_credentials (string): Google Cloud service account credentials required to access the specified KMS. This is the contents of the service account's JSON key file (it contains the client_email and the private key), passed as a single JSON-escaped string.

  • caller_account (string): Google Cloud KMS caller account email.

  • cloudkms_host (string): Google Cloud KMS host subdomain.

  • ekmip_reachability (array[ekmip_reachability])

  • google_reachability (google_reachability): Indicates whether or not the Google Cloud KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.

  • key_name (string): Key identifier of the Google Cloud KMS key encryption key.

  • key_ring_location (string): Google Cloud KMS key ring location.

  • key_ring_name (string): Name of the Google Cloud KMS key ring that holds the key encryption key.

  • oauth_host (string): OAuth 2.0 authorization server host name.

  • oauth_url (string): OAuth 2.0 token endpoint URL used to obtain the access token.

  • port (integer): Authorization server and Google Cloud KMS port number.

  • privileged_account (string): Google Cloud KMS account to impersonate. Must be an email address or an empty string.

  • project_id (string): Google Cloud project (application) ID of the deployed Google Cloud application that has appropriate access to the Google Cloud KMS.

  • proxy_host (string): Proxy host name.

  • proxy_password (string): Proxy password. The password is not audited.

  • proxy_port (integer): Proxy port number.

  • proxy_type (string): Type of proxy (http or https).

  • proxy_username (string): Proxy username.

  • scope (string): Set to "svm" for configurations owned by an SVM. Otherwise, set to "cluster".

  • state (state): Google Cloud Key Management Service is a cloud key management service (KMS) that provides a secure store for encryption keys. This object indicates whether or not Google Cloud KMS key protection is available on all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.

  • svm (svm): SVM, applies only to SVM-scoped objects.

  • uuid (string): A unique identifier for the Google Cloud KMS configuration.

  • verify_host (boolean): Verify the identity of the Google Cloud KMS host name.

  • verify_ip (boolean): Verify the identity of the Google Cloud KMS IP address.

Example request
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "application_credentials": "{\"type\": \"service_account\", \"project_id\": \"project-id\", \"private_key_id\": \"key-id\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\\nprivate-key\\n-----END PRIVATE KEY-----\\n\", \"client_email\": \"service-account-email\", \"client_id\": \"client-id\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"token_uri\": \"https://accounts.google.com/o/oauth2/token\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/service-account-email\"}",
  "caller_account": "myaccount@myproject.com",
  "cloudkms_host": "cloudkms.googleapis.com",
  "ekmip_reachability": [
    {
      "code": "346758",
      "message": "embedded KMIP server status unavailable on node.",
      "node": {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "name": "node1",
        "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
      }
    }
  ],
  "google_reachability": {
    "code": "346758",
    "message": "Google Cloud KMS is not reachable from all nodes - <reason>."
  },
  "key_name": "cryptokey1",
  "key_ring_location": "global",
  "key_ring_name": "gcpapp1-keyring",
  "oauth_host": "oauth2.googleapis.com",
  "oauth_url": "https://oauth2.googleapis.com/token",
  "port": 443,
  "privileged_account": "myserviceaccount@myproject.iam.gserviceaccount.com",
  "project_id": "gcpapp1",
  "proxy_host": "proxy.eng.com",
  "proxy_password": "proxypassword",
  "proxy_port": 1234,
  "proxy_type": "http",
  "proxy_username": "proxyuser",
  "scope": "svm",
  "state": {
    "code": "346758",
    "message": "Top-level internal key protection key (KEK) is unavailable on the following nodes with the associated reasons: Node: node1. Reason: No volumes created yet for the SVM. Wrapped KEK status will be available after creating encrypted volumes."
  },
  "svm": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  },
  "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412",
  "verify_host": true,
  "verify_ip": true
}

Response

Status: 201, Created
  • _links (_links)

  • num_records (integer): Number of records.

  • records (array[gcp_kms])

Example response
{
  "_links": {
    "next": {
      "href": "/api/resourcelink"
    },
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "num_records": 1,
  "records": [
    {
      "_links": {
        "self": {
          "href": "/api/resourcelink"
        }
      },
      "application_credentials": "{\"type\": \"service_account\", \"project_id\": \"project-id\", \"private_key_id\": \"key-id\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\\nprivate-key\\n-----END PRIVATE KEY-----\\n\", \"client_email\": \"service-account-email\", \"client_id\": \"client-id\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"token_uri\": \"https://accounts.google.com/o/oauth2/token\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/service-account-email\"}",
      "caller_account": "myaccount@myproject.com",
      "cloudkms_host": "cloudkms.googleapis.com",
      "ekmip_reachability": [
        {
          "code": "346758",
          "message": "embedded KMIP server status unavailable on node.",
          "node": {
            "_links": {
              "self": {
                "href": "/api/resourcelink"
              }
            },
            "name": "node1",
            "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
          }
        }
      ],
      "google_reachability": {
        "code": "346758",
        "message": "Google Cloud KMS is not reachable from all nodes - <reason>."
      },
      "key_name": "cryptokey1",
      "key_ring_location": "global",
      "key_ring_name": "gcpapp1-keyring",
      "oauth_host": "oauth2.googleapis.com",
      "oauth_url": "https://oauth2.googleapis.com/token",
      "port": 443,
      "privileged_account": "myserviceaccount@myproject.iam.gserviceaccount.com",
      "project_id": "gcpapp1",
      "proxy_host": "proxy.eng.com",
      "proxy_password": "proxypassword",
      "proxy_port": 1234,
      "proxy_type": "http",
      "proxy_username": "proxyuser",
      "scope": "svm",
      "state": {
        "code": "346758",
        "message": "Top-level internal key protection key (KEK) is unavailable on the following nodes with the associated reasons: Node: node1. Reason: No volumes created yet for the SVM. Wrapped KEK status will be available after creating encrypted volumes."
      },
      "svm": {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "name": "svm1",
        "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
      },
      "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412",
      "verify_host": true,
      "verify_ip": true
    }
  ]
}
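A 201 only means the configuration was stored. Whether the KMS is actually usable is reported by the state, google_reachability and ekmip_reachability objects, which a GET returns only when they are requested through the fields query parameter. The following added example (not ONTAP code) evaluates those objects as documented on this page: a status is healthy when its boolean flag is true or its code is "0", and anything else is collected as an issue. As the page's own example message notes, the KEK state stays unavailable until the SVM has an encrypted volume, so the example reports state separately from reachability rather than treating it as a failure right after creation. The three records are constructed; DEGRADED reuses the messages from the example response above; the function names are this example's own.

```python
"""Interpret the advanced status properties of a Google Cloud KMS record.

Added example, not ONTAP code. Reads the state, google_reachability and
ekmip_reachability objects documented on this page. All records below are
constructed; DEGRADED reuses the messages from the page's example response.
"""

# Constructed records (not captured from a live cluster).
HEALTHY = {
    "google_reachability": {"code": "0", "reachable": True},
    "state": {"cluster_state": True, "code": "0"},
    "ekmip_reachability": [
        {"code": "0", "reachable": True, "node": {"name": "node1"}},
    ],
}

DEGRADED = {
    "google_reachability": {
        "code": "346758", "reachable": False,
        "message": "Google Cloud KMS is not reachable from all nodes - <reason>.",
    },
    "state": {
        "cluster_state": False, "code": "346758",
        "message": "Top-level internal key protection key (KEK) is unavailable on the "
                   "following nodes with the associated reasons: Node: node1. Reason: "
                   "No volumes created yet for the SVM.",
    },
    "ekmip_reachability": [
        {"code": "346758", "reachable": False,
         "message": "embedded KMIP server status unavailable on node.",
         "node": {"name": "node1"}},
    ],
}

# Freshly created: KMS reachable, but no encrypted volume yet, so no wrapped KEK.
FRESH = {
    "google_reachability": {"code": "0", "reachable": True},
    "state": {"cluster_state": False, "code": "346758",
              "message": "No volumes created yet for the SVM."},
    "ekmip_reachability": [],
}


def _ok(status: dict, flag: str) -> bool:
    """A status object is healthy when its boolean flag is true or its code is "0"."""
    return bool(status.get(flag)) or str(status.get("code", "")) == "0"


def kms_health(record: dict) -> list:
    """Return (property, code, message) for every status object that is not healthy.

    A missing object counts as an issue: it means the caller did not request the
    advanced property with ?fields=..., so nothing is known about it.
    """
    issues = []
    gr = record.get("google_reachability") or {}
    if not _ok(gr, "reachable"):
        issues.append(("google_reachability", gr.get("code"), gr.get("message")))
    st = record.get("state") or {}
    if not _ok(st, "cluster_state"):
        issues.append(("state", st.get("code"), st.get("message")))
    for entry in record.get("ekmip_reachability") or []:
        if not _ok(entry, "reachable"):
            node = (entry.get("node") or {}).get("name", "?")
            issues.append((f"ekmip_reachability[{node}]", entry.get("code"), entry.get("message")))
    return issues


def reachability_ok(record: dict) -> bool:
    """True when every node can reach the KMS; the KEK state is ignored here
    because it remains unavailable until the SVM has an encrypted volume."""
    return not [i for i in kms_health(record) if i[0] != "state"]


if __name__ == "__main__":
    for name, rec in (("HEALTHY", HEALTHY), ("FRESH", FRESH), ("DEGRADED", DEGRADED)):
        print(name, "reachable:", reachability_ok(rec))
        for prop, code, msg in kms_health(rec):
            print(f"  {prop}: code={code} {msg}")
```

Run the check after the POST, and again from a scheduled job: a KMS that becomes unreachable from one node shows up only in these advanced properties, not in the plain record.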

Headers

  • Location (string): Useful for tracking the resource location.

Error

Status: Default

ONTAP Error Response Codes

  • 65537703: The Google Cloud Key Management Service is not supported for the admin Vserver.

  • 65537704: The Google Cloud Key Management Service is not supported in MetroCluster configurations.

  • 65537706: Internal error. Failed to encrypt the application credentials.

  • 65537713: Internal error. Failed to store the application credentials.

  • 65537719: Failed to enable the Google Cloud Key Management Service for the SVM because invalid application credentials were provided.

  • 65537720: Failed to configure the Google Cloud Key Management Service for the SVM because a key manager has already been configured for this SVM. Use the REST API GET method "/api/security/gcp-kms" to view all of the configured key managers.

  • 65537740: The privileged account must be an email address or an empty string.

Also see the table of common errors in the Response body overview section of this documentation.

  • error (returned_error)

Example error
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions


href

  • href (string)

_links

  • self (href)

node

  • _links (_links)

  • name (string)

  • uuid (string)

ekmip_reachability

Provides the connectivity status for the given SVM on the given node to all EKMIP servers configured on all nodes of the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.

  • code (string): Code corresponding to the error message. Returns 0 if the given SVM is able to communicate with the EKMIP servers of all the nodes in the cluster.

  • message (string): Error message set when cluster-wide EKMIP server availability from the given SVM and node is false.

  • node (node)

  • reachable (boolean): Set to true if the given SVM on the given node is able to communicate with all EKMIP servers configured on all nodes in the cluster.

google_reachability

Indicates whether or not the Google Cloud KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.

  • code (string): Code corresponding to the error message. Returns 0 if the Google Cloud KMS is reachable from all nodes in the cluster.

  • message (string): Set to the error message when 'reachable' is false.

  • reachable (boolean): Set to true if the Google Cloud KMS is reachable from all nodes of the cluster.

state

Google Cloud Key Management Service is a cloud key management service (KMS) that provides a secure store for encryption keys. This object indicates whether or not Google Cloud KMS key protection is available on all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.

  • cluster_state (boolean): Set to true when Google Cloud KMS key protection is available on all nodes of the cluster.

  • code (string): Error code corresponding to the status message. Returns 0 if Google Cloud KMS key protection is available on all nodes of the cluster.

  • message (string): Error message set when top-level internal key protection key (KEK) availability on the cluster is false.

svm

SVM, applies only to SVM-scoped objects.

  • _links (_links)

  • name (string): The name of the SVM. This field cannot be specified in a PATCH method.

  • uuid (string): The unique identifier of the SVM. This field cannot be specified in a PATCH method.

gcp_kms

The record type returned in the records array. Its properties are identical to those listed under Request Body above.

_links (collection)

  • next (href)

  • self (href)

error_arguments

  • code (string): Argument code.

  • message (string): Message argument.

returned_error

  • arguments (array[error_arguments]): Message arguments.

  • code (string): Error code.

  • message (string): Error message.

  • target (string): The target parameter that caused the error.