Create a Google Cloud KMS configuration for an SVM
POST /security/gcp-kms
Introduced In: 9.9
Configures the Google Cloud KMS configuration for the specified SVM.
Required properties
- svm.uuid or svm.name - Existing SVM in which to create a Google Cloud KMS.
- project_id - Google Cloud project (application) ID of the deployed Google Cloud application with appropriate access to the Google Cloud KMS.
- key_ring_name - Google Cloud KMS key ring name of the deployed Google Cloud application with appropriate access to the specified Google Cloud KMS.
- key_ring_location - Google Cloud KMS key ring location.
- key_name - Key Identifier of the Google Cloud KMS key encryption key.
- application_credentials - Google Cloud application's service account credentials required to access the specified KMS. It is a JSON file containing an email address and the private key of the service account holder.
Optional properties
- proxy_type - Type of proxy (http/https) if proxy configuration is used.
- proxy_host - Proxy hostname if proxy configuration is used.
- proxy_port - Proxy port number if proxy configuration is used.
- proxy_username - Proxy username if proxy configuration is used.
- proxy_password - Proxy password if proxy configuration is used.
- port - Authorization server and Google Cloud KMS port number.
- cloudkms_host - Google Cloud KMS host subdomain.
- oauth_host - Open authorization server host name.
- oauth_url - Open authorization URL for the access token.
- privileged_account - Account used to impersonate Google Cloud KMS requests.
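The required and optional properties above assemble into one JSON request body. The following Python is an added example, not ONTAP's own client or documentation code: it builds and validates the body before it is sent (missing required properties, unparsable service-account credentials, a privileged_account that is neither an email address nor an empty string, which error code 65537740 rejects, and a proxy host given without a proxy type) and produces a redacted copy for logging so the service-account private key and the proxy password never reach a log file. The function names, the constructed sample credentials and any validation rule beyond what this reference states are assumptions; the HTTP POST itself is left to the caller.

```python
"""Build and validate a POST /security/gcp-kms request body for an SVM.

Added example, not part of the ONTAP documentation. Property names and the
privileged_account rule (email address or empty string) come from the API
reference; the validation logic, the redaction helper and the sample
credentials below are this example's own assumptions.
"""
import json
import re

REQUIRED = ("project_id", "key_ring_name", "key_ring_location",
            "key_name", "application_credentials")
OPTIONAL = ("proxy_type", "proxy_host", "proxy_port", "proxy_username",
            "proxy_password", "port", "cloudkms_host", "oauth_host",
            "oauth_url", "privileged_account")
# Values that must never be written to a log or a ticket.
SECRET_FIELDS = ("application_credentials", "proxy_password")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_credentials(raw: str) -> dict:
    """application_credentials carries the service-account key file as a JSON
    string. Parse it and check it has the two items the reference names:
    an email address (client_email) and the private key (private_key)."""
    try:
        creds = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"application_credentials is not valid JSON: {exc}") from exc
    if creds.get("type") != "service_account":
        raise ValueError("application_credentials must be a service_account key file")
    if not EMAIL_RE.match(creds.get("client_email", "")):
        raise ValueError("application_credentials lacks a valid client_email")
    if "BEGIN PRIVATE KEY" not in creds.get("private_key", ""):
        raise ValueError("application_credentials lacks a PEM private_key")
    return creds


def build_gcp_kms_body(svm: dict, **props) -> dict:
    """Assemble the request body; `svm` must carry a uuid or a name."""
    if not (svm.get("uuid") or svm.get("name")):
        raise ValueError("svm.uuid or svm.name is required")
    missing = [p for p in REQUIRED if not props.get(p)]
    if missing:
        raise ValueError("missing required properties: " + ", ".join(missing))
    unknown = set(props) - set(REQUIRED) - set(OPTIONAL)
    if unknown:
        raise ValueError("unknown properties: " + ", ".join(sorted(unknown)))
    validate_credentials(props["application_credentials"])
    # Error 65537740: the privileged account must be an email address or empty.
    priv = props.get("privileged_account", "")
    if priv and not EMAIL_RE.match(priv):
        raise ValueError("privileged_account must be an email address or an empty string")
    # A proxy is configured as a unit (assumption): host and type go together.
    if bool(props.get("proxy_host")) != bool(props.get("proxy_type")):
        raise ValueError("proxy_host and proxy_type must be given together")
    if props.get("proxy_type") not in (None, "http", "https"):
        raise ValueError("proxy_type must be http or https")
    body = {"svm": {k: v for k, v in svm.items() if k in ("uuid", "name")}}
    body.update(props)
    return body


def redact(body: dict) -> dict:
    """Copy of the body that is safe to log: secret fields are masked."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in body.items()}


# Constructed sample key file; the private key is a placeholder, not key material.
SAMPLE_CREDENTIALS = json.dumps({
    "type": "service_account",
    "project_id": "gcpapp1",
    "private_key_id": "key-id-placeholder",
    "private_key": "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n",
    "client_email": "myserviceaccount@myproject.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    body = build_gcp_kms_body(
        {"name": "svm1"},
        project_id="gcpapp1",
        key_ring_name="gcpapp1-keyring",
        key_ring_location="global",
        key_name="cryptokey1",
        application_credentials=SAMPLE_CREDENTIALS,
        proxy_type="http", proxy_host="proxy.eng.com", proxy_port=1234,
    )
    # Log only the redacted view; POST the full `body` as JSON to /security/gcp-kms.
    print(json.dumps(redact(body), indent=2))
```

The redacted copy is what belongs in automation logs and change tickets; the full body goes only over the TLS session to the cluster, and the proxy_password it may contain is, as the request-body table notes, not audited by ONTAP either.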
Related ONTAP commands
- security key-manager external gcp enable
Parameters
| Name | Type | In | Required | Description |
|---|---|---|---|---|
| return_records | boolean | query | False | The default is false. If set to true, the records are returned. |
Request Body
| Name | Type | Description |
|---|---|---|
| _links | _links | |
| application_credentials | string | Google Cloud application's service account credentials required to access the specified KMS. It is a JSON file containing an email address and the private key of the service account holder. |
| caller_account | string | Google Cloud KMS caller account email. |
| cloudkms_host | string | Google Cloud KMS host subdomain. |
| ekmip_reachability | array[ekmip_reachability] | |
| google_reachability | google_reachability | Indicates whether or not the Google Cloud KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled. |
| key_name | string | Key Identifier of Google Cloud KMS key encryption key. |
| key_ring_location | string | Google Cloud KMS key ring location. |
| key_ring_name | string | Google Cloud KMS key ring name of the deployed Google Cloud application. |
| oauth_host | string | Open authorization server host name. |
| oauth_url | string | Open authorization URL for the access token. |
| port | integer | Authorization server and Google Cloud KMS port number. |
| privileged_account | string | Google Cloud KMS account to impersonate. |
| project_id | string | Google Cloud project (application) ID of the deployed Google Cloud application that has appropriate access to the Google Cloud KMS. |
| proxy_host | string | Proxy host name. |
| proxy_password | string | Proxy password. Password is not audited. |
| proxy_port | integer | Proxy port number. |
| proxy_type | string | Type of proxy. |
| proxy_username | string | Proxy username. |
| scope | string | Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster". |
| state | state | Google Cloud Key Management Services is a cloud key management service (KMS) that provides a secure store for encryption keys. This object indicates whether or not the Google Cloud KMS key protection is available on all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled. |
| svm | svm | SVM, applies only to SVM-scoped objects. |
| uuid | string | A unique identifier for the Google Cloud KMS. |
Example request
```json
{
  "application_credentials": "{ type: service_account, project_id: project-id, private_key_id: key-id, private_key: -----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n, client_email: service-account-email, client_id: client-id, auth_uri: https://accounts.google.com/o/oauth2/auth, token_uri: https://accounts.google.com/o/oauth2/token, auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs, client_x509_cert_url: https://www.googleapis.com/robot/v1/metadata/x509/service-account-email }",
  "caller_account": "myaccount@myproject.com",
  "cloudkms_host": "cloudkms.googleapis.com",
  "ekmip_reachability": [
    {
      "code": "346758",
      "message": "embedded KMIP server status unavailable on node.",
      "node": {
        "name": "node1",
        "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
      }
    }
  ],
  "google_reachability": {
    "code": "346758",
    "message": "Google Cloud KMS is not reachable from all nodes - <reason>."
  },
  "key_name": "cryptokey1",
  "key_ring_location": "global",
  "key_ring_name": "gcpapp1-keyring",
  "oauth_host": "oauth2.googleapis.com",
  "oauth_url": "https://oauth2.googleapis.com/token",
  "port": 443,
  "privileged_account": "myserviceaccount@myproject.iam.gserviceaccount.com",
  "project_id": "gcpapp1",
  "proxy_host": "proxy.eng.com",
  "proxy_password": "proxypassword",
  "proxy_port": 1234,
  "proxy_type": "http",
  "proxy_username": "proxyuser",
  "scope": "string",
  "state": {
    "code": "346758",
    "message": "Top-level internal key protection key (KEK) is unavailable on the following nodes with the associated reasons: Node: node1. Reason: No volumes created yet for the SVM. Wrapped KEK status will be available after creating encrypted volumes."
  },
  "svm": {
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  },
  "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412",
  "verify_host": "",
  "verify_ip": ""
}
```
Response
Status: 201, Created
| Name | Type | Description |
|---|---|---|
| num_records | integer | Number of records |
| records | array[gcp_kms] | |
Example response
```json
{
  "num_records": 1,
  "records": [
    {
      "application_credentials": "{ type: service_account, project_id: project-id, private_key_id: key-id, private_key: -----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n, client_email: service-account-email, client_id: client-id, auth_uri: https://accounts.google.com/o/oauth2/auth, token_uri: https://accounts.google.com/o/oauth2/token, auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs, client_x509_cert_url: https://www.googleapis.com/robot/v1/metadata/x509/service-account-email }",
      "caller_account": "myaccount@myproject.com",
      "cloudkms_host": "cloudkms.googleapis.com",
      "ekmip_reachability": [
        {
          "code": "346758",
          "message": "embedded KMIP server status unavailable on node.",
          "node": {
            "name": "node1",
            "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
          }
        }
      ],
      "google_reachability": {
        "code": "346758",
        "message": "Google Cloud KMS is not reachable from all nodes - <reason>."
      },
      "key_name": "cryptokey1",
      "key_ring_location": "global",
      "key_ring_name": "gcpapp1-keyring",
      "oauth_host": "oauth2.googleapis.com",
      "oauth_url": "https://oauth2.googleapis.com/token",
      "port": 443,
      "privileged_account": "myserviceaccount@myproject.iam.gserviceaccount.com",
      "project_id": "gcpapp1",
      "proxy_host": "proxy.eng.com",
      "proxy_password": "proxypassword",
      "proxy_port": 1234,
      "proxy_type": "http",
      "proxy_username": "proxyuser",
      "scope": "string",
      "state": {
        "code": "346758",
        "message": "Top-level internal key protection key (KEK) is unavailable on the following nodes with the associated reasons: Node: node1. Reason: No volumes created yet for the SVM. Wrapped KEK status will be available after creating encrypted volumes."
      },
      "svm": {
        "name": "svm1",
        "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
      },
      "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412",
      "verify_host": "",
      "verify_ip": ""
    }
  ]
}
```
Headers
| Name | Description | Type |
|---|---|---|
| Location | Useful for tracking the resource location | string |
Error
Status: Default
ONTAP Error Response Codes
| Error Code | Description |
|---|---|
| 65537703 | The Google Cloud Key Management Service is not supported for the admin Vserver. |
| 65537704 | The Google Cloud Key Management Service is not supported in MetroCluster configurations. |
| 65537706 | Internal error. Failed to encrypt the application credentials. |
| 65537713 | Internal error. Failed to store the application credentials. |
| 65537719 | Failed to enable the Google Cloud Key Management Service for SVM |
| 65537720 | Failed to configure Google Cloud Key Management Service for SVM |
| 65537740 | The privileged account must be an email address or an empty string. |
Also see the table of common errors in the Response body overview section of this documentation.
Definitions
See Definitions
href
| Name | Type | Description |
|---|---|---|
| href | string | |
_links
node
| Name | Type | Description |
|---|---|---|
| name | string | |
| uuid | string | |
ekmip_reachability
Provides the connectivity status for the given SVM on the given node to all EKMIP servers configured on all nodes of the cluster.
This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.
| Name | Type | Description |
|---|---|---|
| code | string | Code corresponding to the error message. Returns a 0 if a given SVM is able to communicate to the EKMIP servers of all of the nodes in the cluster. |
| message | string | Error message set when cluster-wide EKMIP server availability from the given SVM and node is false. |
| node | node | |
| reachable | boolean | Set to true if the given SVM on the given node is able to communicate to all EKMIP servers configured on all nodes in the cluster. |
google_reachability
Indicates whether or not the Google Cloud KMS is reachable from all nodes in the cluster.
This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.
| Name | Type | Description |
|---|---|---|
| code | string | Code corresponding to the error message. Returns a 0 if Google Cloud KMS is reachable from all nodes in the cluster. |
| message | string | Set to the error message when 'reachable' is false. |
| reachable | boolean | Set to true if the Google Cloud KMS is reachable from all nodes of the cluster. |
state
Google Cloud Key Management Services is a cloud key management service (KMS) that provides a secure store for encryption keys. This object indicates whether or not the Google Cloud KMS key protection is available on all nodes in the cluster.
This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.
| Name | Type | Description |
|---|---|---|
| cluster_state | boolean | Set to true when Google Cloud KMS key protection is available on all nodes of the cluster. |
| code | string | Error code corresponding to the status message. Returns 0 if Google Cloud KMS key protection is available in all nodes of the cluster. |
| message | string | Error message set when top-level internal key protection key (KEK) availability on cluster is false. |
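Checking ekmip_reachability, google_reachability and state together is how an operator notices that an external key manager has become unavailable before an encrypted volume fails to come online. The following Python is an added example, not part of the ONTAP documentation or its tooling: it evaluates a gcp_kms record, as returned by GET /security/gcp-kms with the three advanced properties requested through the fields query parameter, and lists every cluster- or node-level problem a monitoring job should raise. The function names and the two sample records are constructed assumptions; the "good" condition (code 0, reachable or cluster_state true) follows the definitions above.

```python
"""Interpret the advanced status properties of a Google Cloud KMS record.

Added example, not part of the ONTAP documentation. It evaluates the
google_reachability, state and ekmip_reachability objects defined in the
API reference and lists every problem found. The records below are
constructed samples, not output captured from a cluster.
"""
from dataclasses import dataclass, field

# These objects are advanced properties: a plain GET omits them, so the caller
# must ask for them explicitly, e.g. GET /security/gcp-kms?fields=<STATUS_FIELDS>.
STATUS_FIELDS = "google_reachability,state,ekmip_reachability"


@dataclass
class KmsHealth:
    healthy: bool
    problems: list = field(default_factory=list)


def _ok(obj: dict, flag: str) -> bool:
    """A status object is good only when its boolean flag is true and its code is 0.
    The code is a string in the API; str() tolerates an integer as well."""
    return bool(obj.get(flag)) and str(obj.get("code", "")) == "0"


def assess_gcp_kms(record: dict) -> KmsHealth:
    """Return the health of one gcp_kms record with a human-readable problem list."""
    problems = []

    reach = record.get("google_reachability")
    if reach is None:
        problems.append(f"google_reachability missing; GET with ?fields={STATUS_FIELDS}")
    elif not _ok(reach, "reachable"):
        problems.append(f"Google Cloud KMS unreachable (code {reach.get('code')}): {reach.get('message')}")

    state = record.get("state")
    if state is None:
        problems.append(f"state missing; GET with ?fields={STATUS_FIELDS}")
    elif not _ok(state, "cluster_state"):
        problems.append(f"KEK unavailable (code {state.get('code')}): {state.get('message')}")

    # ekmip_reachability is per node: report each node that cannot reach the
    # embedded KMIP servers rather than collapsing them into one flag.
    for entry in record.get("ekmip_reachability", []):
        if not _ok(entry, "reachable"):
            node = entry.get("node", {}).get("name", "<unknown node>")
            problems.append(f"node {node}: EKMIP unreachable (code {entry.get('code')}): {entry.get('message')}")

    return KmsHealth(healthy=not problems, problems=problems)


# Constructed sample: everything reachable, key protection available.
SAMPLE_HEALTHY = {
    "uuid": "00000000-0000-0000-0000-000000000000",  # placeholder
    "google_reachability": {"reachable": True, "code": "0", "message": ""},
    "state": {"cluster_state": True, "code": "0", "message": ""},
    "ekmip_reachability": [
        {"reachable": True, "code": "0", "message": "", "node": {"name": "node1"}},
        {"reachable": True, "code": "0", "message": "", "node": {"name": "node2"}},
    ],
}

# Constructed sample modelled on the messages in the reference's example response.
SAMPLE_DEGRADED = {
    "uuid": "00000000-0000-0000-0000-000000000000",  # placeholder
    "google_reachability": {"reachable": False, "code": "346758",
                            "message": "Google Cloud KMS is not reachable from all nodes - <reason>."},
    "state": {"cluster_state": False, "code": "346758",
              "message": "Top-level internal key protection key (KEK) is unavailable on node1."},
    "ekmip_reachability": [
        {"reachable": False, "code": "346758",
         "message": "embedded KMIP server status unavailable on node.", "node": {"name": "node1"}},
        {"reachable": True, "code": "0", "message": "", "node": {"name": "node2"}},
    ],
}

if __name__ == "__main__":
    for label, rec in (("healthy", SAMPLE_HEALTHY), ("degraded", SAMPLE_DEGRADED)):
        result = assess_gcp_kms(rec)
        print(f"{label}: healthy={result.healthy}")
        for p in result.problems:
            print("  -", p)
```

A record fetched without the fields parameter is reported as missing its status objects rather than as healthy, so a monitoring job that forgets the parameter fails loudly instead of silently passing.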
svm
SVM, applies only to SVM-scoped objects.
| Name | Type | Description |
|---|---|---|
| name | string | The name of the SVM. This field cannot be specified in a PATCH method. |
| uuid | string | The unique identifier of the SVM. This field cannot be specified in a PATCH method. |
gcp_kms
| Name | Type | Description |
|---|---|---|
| _links | _links | |
| application_credentials | string | Google Cloud application's service account credentials required to access the specified KMS. It is a JSON file containing an email address and the private key of the service account holder. |
| caller_account | string | Google Cloud KMS caller account email. |
| cloudkms_host | string | Google Cloud KMS host subdomain. |
| ekmip_reachability | array[ekmip_reachability] | |
| google_reachability | google_reachability | Indicates whether or not the Google Cloud KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled. |
| key_name | string | Key Identifier of Google Cloud KMS key encryption key. |
| key_ring_location | string | Google Cloud KMS key ring location. |
| key_ring_name | string | Google Cloud KMS key ring name of the deployed Google Cloud application. |
| oauth_host | string | Open authorization server host name. |
| oauth_url | string | Open authorization URL for the access token. |
| port | integer | Authorization server and Google Cloud KMS port number. |
| privileged_account | string | Google Cloud KMS account to impersonate. |
| project_id | string | Google Cloud project (application) ID of the deployed Google Cloud application that has appropriate access to the Google Cloud KMS. |
| proxy_host | string | Proxy host name. |
| proxy_password | string | Proxy password. Password is not audited. |
| proxy_port | integer | Proxy port number. |
| proxy_type | string | Type of proxy. |
| proxy_username | string | Proxy username. |
| scope | string | Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster". |
| state | state | Google Cloud Key Management Services is a cloud key management service (KMS) that provides a secure store for encryption keys. This object indicates whether or not the Google Cloud KMS key protection is available on all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled. |
| svm | svm | SVM, applies only to SVM-scoped objects. |
| uuid | string | A unique identifier for the Google Cloud KMS. |
error_arguments
| Name | Type | Description |
|---|---|---|
| code | string | Argument code |
| message | string | Message argument |
returned_error
| Name | Type | Description |
|---|---|---|
| arguments | array[error_arguments] | Message arguments |
| code | string | Error code |
| message | string | Error message |
| target | string | The target parameter that caused the error. |