Re-key or re-version an AWS KMS key encryption key for AWS KMS
Suggest changes
PDFs
POST /security/aws-kms/{aws_kms.uuid}/rekey-external
Introduced In: 9.12
Rekeys or re-versions the AWS KMS Key Encryption Key (KEK) for the given AWS KMS.
Related ONTAP commands
-
security key-manager external aws rekey-external
Parameters
| Name | Type | In | Required | Description |
|---|---|---|---|---|
aws_kms.uuid |
string |
path |
True |
UUID of the existing AWS KMS configuration. |
return_timeout |
integer |
query |
False |
The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202.
|
return_records |
boolean |
query |
False |
The default is false. If set to true, the records are returned.
|
Request Body
| Name | Type | Description |
|---|---|---|
key_id |
string |
Key identifier of the AWS KMS key encryption key. |
Example request
{
"key_id": "key01"
}Response
Status: 202, AcceptedResponse
Status: 201, CreatedError
Status: DefaultONTAP Error Response Codes
| Error Code | Description |
|---|---|
65537538 |
Internal error. Failed to get unwrapped key for a given key ID. |
65537543 |
Internal Error. Missing top-level internal key protection key (KEK) on a node. |
65537547 |
One or more volume encryption keys for encrypted volumes of this data SVM are stored in the key manager configured for the admin SVM. Use the REST API POST method to migrate this data SVM's keys from the admin SVM's key manager before running the rekey operation. |
65537610 |
Rekey cannot be performed on the SVM while the enabled keystore configuration is being switched. If a previous attempt to switch the keystore configuration failed, or was interrupted, the system will continue to prevent rekeying for the SVM. Use the REST API PATCH method "/api/security/key-stores/{uuid}" to re-run and complete the operation. |
65537919 |
External rekey failed on one or more nodes. |
65537926 |
AWS KMS is not configured for the given SVM. |
65539436 |
Rekey cannot be performed on the SVM while the enabled keystore configuration is being initialized. Wait until the keystore is in the active state, and rerun the rekey operation. |
65539437 |
Rekey cannot be performed on the SVM while the enabled keystore configuration is being disabled. |
Also see the table of common errors in the Response body overview section of this documentation.
| Name | Type | Description |
|---|---|---|
error |
Example error
{
"error": {
"arguments": [
{
"code": "string",
"message": "string"
}
],
"code": "4",
"message": "entry doesn't exist",
"target": "uuid"
}
}Definitions
See Definitions
aws_kms_key
| Name | Type | Description |
|---|---|---|
key_id |
string |
Key identifier of the AWS KMS key encryption key. |
error_arguments
| Name | Type | Description |
|---|---|---|
code |
string |
Argument code |
message |
string |
Message argument |
returned_error
| Name | Type | Description |
|---|---|---|
arguments |
array[error_arguments] |
Message arguments |
code |
string |
Error code |
message |
string |
Error message |
target |
string |
The target parameter that caused the error. |