Configure the AWS KMS configuration for an SVM
POST /security/aws-kms
Introduced In: 9.12
Configures the AWS KMS configuration for the specified SVM.
Required properties
- access_key_id - AWS access key ID of the user who has the appropriate access to AWS KMS.
- secret_access_key - AWS secret access key for the access key ID provided.
- svm.uuid or svm.name - Existing SVM in which to create an AWS KMS.
- region - AWS region of the AWS KMS.
- key_id - AWS Key ID.
Optional properties
- service - AWS service type.
- default_domain - AWS KMS default domain.
- host - AWS KMS host's hostname.
- port - AWS KMS port.
- proxy_type - Type of proxy (http, https, etc.), if proxy configuration is used.
- proxy_host - Proxy hostname, if proxy configuration is used.
- proxy_port - Proxy port number, if proxy configuration is used.
- proxy_username - Proxy username, if proxy configuration is used.
- proxy_password - Proxy password, if proxy configuration is used.
- polling_period - Polling period in minutes.
- encryption_context - Additional layer of authentication and logging.
Related ONTAP commands
- security key-manager external aws enable
Parameters
Name | Type | In | Required | Description |
---|---|---|---|---|
return_records | boolean | query | False | The default is false. If set to true, the records are returned. |
Request Body
Name | Type | Description |
---|---|---|
_links | _links | |
access_key_id | string | AWS Access Key ID of the user that has appropriate access to AWS KMS. |
amazon_reachability | amazon_reachability | Indicates whether or not the Amazon KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled. |
default_domain | string | AWS KMS default domain. |
ekmip_reachability | array[ekmip_reachability] | |
encryption_context | string | Additional layer of authentication and logging. |
host | string | AWS KMS host's hostname. |
key_id | string | AWS Key ID. |
polling_period | integer | Polling period in minutes. |
port | integer | AWS KMS port. |
proxy_host | string | Proxy host. |
proxy_password | string | Proxy password. Password is not audited. |
proxy_port | integer | Proxy port. |
proxy_type | string | Proxy type. |
proxy_username | string | Proxy username. |
region | string | AWS region of the AWS KMS. |
scope | string | Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster". |
secret_access_key | string | AWS Secret Access Key for the provided access key ID. |
service | string | AWS service type. |
skip_verify | boolean | Set to true to bypass verification of the user provided access_key_id and secret_access_key. An error will be returned if 'skip_verify' is provided but 'access_key_id' is not. |
state | state | Indicates whether or not the Amazon Web Services Key Management Service (AWS KMS) key protection is available cluster-wide. |
svm | svm | SVM, applies only to SVM-scoped objects. |
timeout | integer | AWS connection timeout, in seconds. |
uuid | string | A unique identifier for the AWS KMS. |
verify | boolean | Set to true to verify the AWS KMS host. |
verify_host | boolean | Set to true to verify the AWS KMS host's hostname. |
verify_ip | boolean | Set to true to verify the AWS KMS host's IP address. |
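The following Python helper is an added example; it is not part of the ONTAP reference and not NetApp's client code. It encodes the rules this page states before a body is sent: the required properties (access_key_id, secret_access_key, region, key_id, and svm.uuid or svm.name), the documented type of each property, and the settings that weaken checks (skip_verify bypasses credential verification; verify, verify_host and verify_ip control host verification; proxy_password is not audited). It also redacts secret_access_key and proxy_password so the body can be logged without leaking the AWS secret. The ONTAP URL, user name, password and AWS values used at the bottom are constructed placeholders; the post_aws_kms function uses basic authentication against the documented path and is not exercised by the test.

```python
"""Client-side helper for POST /security/aws-kms (added example, not NetApp code)."""
import base64
import json
import urllib.request

# Properties the reference marks as required (svm.uuid or svm.name is checked separately).
REQUIRED = ("access_key_id", "secret_access_key", "region", "key_id")
# Optional properties and the JSON type the request-body table gives for each.
OPTIONAL_TYPES = {
    "service": str, "default_domain": str, "host": str, "port": int,
    "proxy_type": str, "proxy_host": str, "proxy_port": int,
    "proxy_username": str, "proxy_password": str, "polling_period": int,
    "encryption_context": str, "timeout": int, "skip_verify": bool,
    "verify": bool, "verify_host": bool, "verify_ip": bool,
}
# Fields that must never reach a log line.
SECRET_FIELDS = ("secret_access_key", "proxy_password")


def _type_ok(value, expected):
    # bool is a subclass of int in Python; do not let True/False pass as an integer.
    if expected is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, expected)


def build_aws_kms_body(svm, **props):
    """Return the JSON body for POST /security/aws-kms, or raise ValueError."""
    if not isinstance(svm, dict) or not (svm.get("uuid") or svm.get("name")):
        raise ValueError("svm.uuid or svm.name is required")
    missing = [k for k in REQUIRED if not props.get(k)]
    if missing:
        raise ValueError("missing required properties: " + ", ".join(missing))
    body = {"svm": {k: svm[k] for k in ("uuid", "name") if svm.get(k)}}
    for key, value in props.items():
        if key in REQUIRED:
            expected = str
        elif key in OPTIONAL_TYPES:
            expected = OPTIONAL_TYPES[key]
        else:
            raise ValueError(f"unknown property: {key}")
        if not _type_ok(value, expected):
            raise ValueError(f"{key} must be of type {expected.__name__}")
        body[key] = value
    return body


def hardening_warnings(body):
    """List settings in a body that weaken the checks the reference describes."""
    warnings = []
    if body.get("skip_verify") is True:
        warnings.append("skip_verify=true: access_key_id/secret_access_key are not verified")
    for flag in ("verify", "verify_host", "verify_ip"):
        if body.get(flag) is False:
            warnings.append(f"{flag}=false: AWS KMS host verification is reduced")
    if "proxy_password" in body:
        warnings.append("proxy_password set: the reference notes the password is not audited")
    return warnings


def redact(body):
    """Copy of the body that is safe to log: secret values replaced, key names kept."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in body.items()}


def post_aws_kms(base_url, username, password, body, return_records=True):
    """Send the body to ONTAP over basic auth; returns (status, Location header, JSON)."""
    url = f"{base_url}/api/security/aws-kms?return_records={str(return_records).lower()}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers.get("Location"), json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; credentials and key id are placeholders, not real ones.
    body = build_aws_kms_body(
        {"name": "svm1"},
        access_key_id="AKIA_PLACEHOLDER", secret_access_key="SECRET_PLACEHOLDER",
        region="us-east-1", key_id="kmip-aws", port=443, skip_verify=True,
    )
    print(json.dumps(redact(body), indent=2))
    for warning in hardening_warnings(body):
        print("WARNING:", warning)
```

Because POST requires access_key_id, the documented error for skip_verify without access_key_id cannot be triggered from this helper; the warning list is what tells an operator that credential verification was bypassed on a create.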
Example request
```json
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "access_key_id": "<id_value>",
  "amazon_reachability": {
    "code": "346758",
    "message": "Amazon KMS is not reachable from all nodes - <reason>."
  },
  "default_domain": "domainName",
  "ekmip_reachability": [
    {
      "code": "346758",
      "message": "embedded KMIP server status unavailable on node.",
      "node": {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "name": "node1",
        "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
      }
    }
  ],
  "encryption_context": "aws:fsx:fs-id=fs-0785c8beceb895999",
  "host": "aws-host.host.com",
  "key_id": "kmip-aws",
  "polling_period": 55,
  "port": 443,
  "proxy_host": "proxy.eng.com",
  "proxy_password": "awskze-Jwjje2-WJJPer",
  "proxy_port": 1234,
  "proxy_type": "http",
  "proxy_username": "proxyuser",
  "region": "us-east-1",
  "scope": "string",
  "secret_access_key": "<id_value>",
  "service": "dynamodb.*.amazonaws.com",
  "skip_verify": "",
  "state": {
    "code": "346758",
    "message": "AWS KMS key protection is unavailable on the following nodes: node1, node2."
  },
  "svm": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  },
  "timeout": 20,
  "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412",
  "verify": "",
  "verify_host": 1,
  "verify_ip": ""
}
```
Response
Status: 201, Created
Name | Type | Description |
---|---|---|
_links | _links | |
num_records | integer | Number of records |
records | array[aws_kms] | |
Example response
```json
{
  "_links": {
    "next": {
      "href": "/api/resourcelink"
    },
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "num_records": 1,
  "records": [
    {
      "_links": {
        "self": {
          "href": "/api/resourcelink"
        }
      },
      "access_key_id": "<id_value>",
      "amazon_reachability": {
        "code": "346758",
        "message": "Amazon KMS is not reachable from all nodes - <reason>."
      },
      "default_domain": "domainName",
      "ekmip_reachability": [
        {
          "code": "346758",
          "message": "embedded KMIP server status unavailable on node.",
          "node": {
            "_links": {
              "self": {
                "href": "/api/resourcelink"
              }
            },
            "name": "node1",
            "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412"
          }
        }
      ],
      "encryption_context": "aws:fsx:fs-id=fs-0785c8beceb895999",
      "host": "aws-host.host.com",
      "key_id": "kmip-aws",
      "polling_period": 55,
      "port": 443,
      "proxy_host": "proxy.eng.com",
      "proxy_password": "awskze-Jwjje2-WJJPer",
      "proxy_port": 1234,
      "proxy_type": "http",
      "proxy_username": "proxyuser",
      "region": "us-east-1",
      "scope": "string",
      "secret_access_key": "<id_value>",
      "service": "dynamodb.*.amazonaws.com",
      "skip_verify": "",
      "state": {
        "code": "346758",
        "message": "AWS KMS key protection is unavailable on the following nodes: node1, node2."
      },
      "svm": {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "name": "svm1",
        "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
      },
      "timeout": 20,
      "uuid": "1cd8a442-86d1-11e0-ae1c-123478563412",
      "verify": "",
      "verify_host": 1,
      "verify_ip": ""
    }
  ]
}
```
Headers
Name | Description | Type |
---|---|---|
Location | Useful for tracking the resource location | string |
Error
Status: Default
ONTAP Error Response Codes
Error Code | Description |
---|---|
3735622 | Certificate type not supported for create operation. |
3735645 | You cannot specify a value for serial as it is generated automatically. |
3735657 | Specifying "-subtype" when creating a certificate is not supported. |
3735664 | Specified key size is not supported in FIPS mode. |
3735665 | Specified hash function is not supported in FIPS mode. |
3735700 | Specified key size is not supported. |
65536600 | Nodes are out of quorum. |
65537518 | Failed to find a LIF with Cluster role on node. One or more nodes may be out of quorum. |
65537900 | Failed to enable the Amazon Web Service Key Management Service for an SVM due to an invalid secret access key. |
65537901 | The Amazon Web Service Key Management Service (AWSKMS) cannot be enabled because all nodes in the cluster are not running a version that supports the AWSKMS feature. |
65537906 | Failed to store the secret access key. |
65537907 | The Amazon Web Service Key Management Service is disabled on the cluster. For further assistance, contact technical support. |
65537908 | The Amazon Web Service Key Management Service is not supported for the admin SVM. |
65537910 | Failed to configure Amazon Web Service Key Management Service for an SVM because a key manager has already been configured for the SVM. |
65537911 | The Amazon Web Service Key Management Service is not supported in MetroCluster configurations. |
65537912 | The Amazon Web Service Key Management Service cannot be configured for an SVM because one or more volume encryption keys of the SVM are stored on the admin SVM. |
65537926 | The Amazon Web Service Key Management Service is not configured for this SVM. |
Also see the table of common errors in the Response body overview section of this documentation.
Name | Type | Description |
---|---|---|
error | returned_error | |
Example error
```json
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}
```
Definitions
href
Name | Type | Description |
---|---|---|
href | string | |
_links
Name | Type | Description |
---|---|---|
self | href | |
amazon_reachability
Indicates whether or not the Amazon KMS is reachable from all nodes in the cluster.
This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.
Name | Type | Description |
---|---|---|
code | string | Code corresponding to the error message. Returns a 0 if Amazon KMS is reachable from all nodes in the cluster. |
message | string | Error message returned when 'reachable' is false. |
reachable | boolean | Set to true if the Amazon KMS is reachable from all nodes of the cluster. |
node
Name | Type | Description |
---|---|---|
_links | _links | |
name | string | |
uuid | string | |
ekmip_reachability
Provides the connectivity status for the given SVM on the given node to all EKMIP servers configured on all nodes of the cluster.
This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled.
Name | Type | Description |
---|---|---|
code | string | Code corresponding to the error message. Returns a 0 if a given SVM is able to communicate to the EKMIP servers of all of the nodes in the cluster. |
message | string | Error message set when cluster-wide EKMIP server availability from the given SVM and node is false. |
node | node | |
reachable | boolean | Set to true if the given SVM on the given node is able to communicate to all EKMIP servers configured on all nodes in the cluster. |
state
Indicates whether or not the Amazon Web Services Key Management Service (AWS KMS) key protection is available cluster-wide.
Name | Type | Description |
---|---|---|
cluster_state | boolean | Set to true when AWS KMS key protection is available on all nodes of the cluster. |
code | string | Code corresponding to the message. Returns a 0 if AWS KMS key protection is available on all nodes of the cluster. |
message | string | Error message set when cluster_state is false. |
svm
SVM, applies only to SVM-scoped objects.
Name | Type | Description |
---|---|---|
_links | _links | |
name | string | The name of the SVM. This field cannot be specified in a PATCH method. |
uuid | string | The unique identifier of the SVM. This field cannot be specified in a PATCH method. |
aws_kms
Name | Type | Description |
---|---|---|
_links | _links | |
access_key_id | string | AWS Access Key ID of the user that has appropriate access to AWS KMS. |
amazon_reachability | amazon_reachability | Indicates whether or not the Amazon KMS is reachable from all nodes in the cluster. This is an advanced property; there is an added computational cost to retrieving its value. The property is not populated for either a collection GET or an instance GET unless it is explicitly requested using the fields query parameter or GET for all advanced properties is enabled. |
default_domain | string | AWS KMS default domain. |
ekmip_reachability | array[ekmip_reachability] | |
encryption_context | string | Additional layer of authentication and logging. |
host | string | AWS KMS host's hostname. |
key_id | string | AWS Key ID. |
polling_period | integer | Polling period in minutes. |
port | integer | AWS KMS port. |
proxy_host | string | Proxy host. |
proxy_password | string | Proxy password. Password is not audited. |
proxy_port | integer | Proxy port. |
proxy_type | string | Proxy type. |
proxy_username | string | Proxy username. |
region | string | AWS region of the AWS KMS. |
scope | string | Set to "svm" for interfaces owned by an SVM. Otherwise, set to "cluster". |
secret_access_key | string | AWS Secret Access Key for the provided access key ID. |
service | string | AWS service type. |
skip_verify | boolean | Set to true to bypass verification of the user provided access_key_id and secret_access_key. An error will be returned if 'skip_verify' is provided but 'access_key_id' is not. |
state | state | Indicates whether or not the Amazon Web Services Key Management Service (AWS KMS) key protection is available cluster-wide. |
svm | svm | SVM, applies only to SVM-scoped objects. |
timeout | integer | AWS connection timeout, in seconds. |
uuid | string | A unique identifier for the AWS KMS. |
verify | boolean | Set to true to verify the AWS KMS host. |
verify_host | boolean | Set to true to verify the AWS KMS host's hostname. |
verify_ip | boolean | Set to true to verify the AWS KMS host's IP address. |
_links
Name | Type | Description |
---|---|---|
next | href | |
self | href | |
error_arguments
Name | Type | Description |
---|---|---|
code | string | Argument code |
message | string | Message argument |
returned_error
Name | Type | Description |
---|---|---|
arguments | array[error_arguments] | Message arguments |
code | string | Error code |
message | string | Error message |
target | string | The target parameter that caused the error. |