Encryption

Tenants in Qlik Cloud can be encrypted with a key you provide via a supported KMS. This API allows you to configure and manage encryption keys.

List AWS key providers registered for the tenant.

Returns a list of AWS key providers in the tenant. Use /actions/list to return all key providers.

Facts

Rate limit: Tier 1 (1000 requests per minute)
Categories: manage

Header Parameters

  • Authorization string
    Required

    The JWT used for authentication. Send the JWT in the request header using the Bearer scheme.

Responses

200

application/json

Successfully retrieved list of key providers

  • application/json object
    • errors array of objects
      • arn string
        Required

        The provider resource notation for the key.

      • name string
        Required

        Name of key provider entry.

      • current boolean

        Indicates whether the key is being used to encrypt/decrypt secrets.

      • tenantId string

        Tenant ID.

      • createdAt string

        When key entry was created.

      • description string

        Description of key provider entry.

      • keyProvider string

        Key Provider type.

        Can be one of: "AWS-KMS"

      • multiRegion boolean

        Indicates whether the key has a multi-region configuration and has a replica key in the QCS secondary region.

      • replicaKeys array of objects
        • arn string

          Replica key keeps a list of backup keys from the supported QCS secondary region.

        • region string

          Region indicates the backup QCS region linked to the primary region.

      • arnFingerPrint string

        The ARN fingerprint.

      • promotedToCurrentAt string

        When the key was promoted to being the current active one.

      • demotedFromCurrentAt string

        When the key was demoted from being current to non-active.

400

application/json

Bad Request

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

417

application/json

Failed to load list of key providers

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

GET /v1/encryption/keyproviders
curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders" \
-H "Authorization: Bearer <access_token>"
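
const https = require('https')

const options = {
  // hostname is the bare host name; the URL scheme does not belong here
  hostname: 'your-tenant.us.qlikcloud.com',
  port: 443,
  path: '/api/v1/encryption/keyproviders',
  method: 'GET',
  headers: {
    Authorization: 'Bearer <access_token>'
  }
}

// Print the status code and the response body
const req = https.request(options, (res) => {
  let body = ''
  res.on('data', (chunk) => { body += chunk })
  res.on('end', () => console.log(res.statusCode, body))
})
req.on('error', (err) => console.error(err))
req.end() // nothing is sent until end() is called
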
This API is not included yet in qlik-cli

Response

[
  {
    "arn": "arn:aws:kms:eu-west-1:111222334455:key/mrk-1237c011a37erft67ei987c7612q456",
    "name": "test name",
    "current": true,
    "description": "test description",
    "drCompliant": true,
    "keyprovider": "AWS-KMS",
    "multiRegion": true,
    "replicaKeys": [
      {
        "arn": "arn:aws:kms:eu-west-3:111222334455:key/mrk-1237c011a37erft67ei987c7612q456",
        "region": "eu-west-3"
      }
    ],
    "complianceError": {
      "code": "",
      "region": "",
      "message": ""
    }
  }
]

Register a new multi-region AWS-KMS key.

The AWS-KMS key configuration must match the Qlik Cloud region configuration requirements. Most regions should have a key deployed to the same AWS region as the Qlik Cloud tenant, with a replica key in the relevant Qlik Cloud DR region. Consult the documentation for DR region mappings.

Facts

Rate limit: Tier 2 (100 requests per minute)
Categories: manage

Header Parameters

  • Authorization string
    Required

    The JWT used for authentication. Send the JWT in the request header using the Bearer scheme.

Request Body

application/json

  • application/json object
    • arn string
      Required

      The provider resource notation for the key.

    • name string
      Required

      Name of key provider entry.

    • description string

      Description of key provider entry.

    • keyProvider string

      Key Provider type.

      Can be one of: "AWS-KMS"

Responses

201

application/json

Successfully registered the provided AWS-KMS key

  • application/json object
    • arn string
      Required

      The provider resource notation for the key.

    • name string
      Required

      Name of key provider entry.

    • current boolean

      Indicates whether the key is being used to encrypt/decrypt secrets.

    • tenantId string

      Tenant ID.

    • createdAt string

      When key entry was created.

    • description string

      Description of key provider entry.

    • keyProvider string

      Key Provider type.

      Can be one of: "AWS-KMS"

    • multiRegion boolean

      Indicates whether the key has a multi-region configuration and has a replica key in the QCS secondary region.

    • replicaKeys array of objects
      • arn string

        Replica key keeps a list of backup keys from the supported QCS secondary region.

      • region string

        Region indicates the backup QCS region linked to the primary region.

    • arnFingerPrint string

      The ARN fingerprint.

    • promotedToCurrentAt string

      When the key was promoted to being the current active one.

    • demotedFromCurrentAt string

      When the key was demoted from being current to non-active.

400

application/json

Bad Request

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

401

application/json

Unauthorized, invalid JWT

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

403

application/json

Unable to access the provided AWS-KMS key, access is forbidden. Check if AWS key policy allows access from Qlik Cloud.

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

406

application/json

Failed to register the provided AWS-KMS key

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

408

application/json

Failed to return a response within the timeout window. The key provider (QlikVault, AWS-KMS) might be unavailable.

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

409

application/json

The provided key is already registered

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

417

application/json

Failed to validate AWS-KMS ARN structure

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

POST /v1/encryption/keyproviders
curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders" \
-X POST \
-H "Authorization: Bearer <access_token>" \
-H "Content-type: application/json" \
-d '{"arn":"arn:aws:kms:eu-west-1:111222334455:key/mrk-1237c011a37erft67ei987c7612q456","name":"test name","current":false,"description":"test description","drCompliant":true,"keyprovider":"AWS-KMS","multiRegion":true,"replicaKeys":[{"arn":"arn:aws:kms:eu-west-3:111222334455:key/mrk-1237c011a37erft67ei987c7612q456","region":"eu-west-3"}],"complianceError":[{"code":"","region":"","message":""}]}'

const https = require('https')

const data = JSON.stringify({"arn":"arn:aws:kms:eu-west-1:111222334455:key/mrk-1237c011a37erft67ei987c7612q456","name":"test name","current":false,"description":"test description","drCompliant":true,"keyprovider":"AWS-KMS","multiRegion":true,"replicaKeys":[{"arn":"arn:aws:kms:eu-west-3:111222334455:key/mrk-1237c011a37erft67ei987c7612q456","region":"eu-west-3"}],"complianceError":[{"code":"","region":"","message":""}]})
const options = {
  // hostname is the bare host name; the URL scheme does not belong here
  hostname: 'your-tenant.us.qlikcloud.com',
  port: 443,
  path: '/api/v1/encryption/keyproviders',
  method: 'POST',
  headers: {
    Authorization: 'Bearer <access_token>',
    'Content-Type': 'application/json'
  }
}

// Print the status code and the response body
const req = https.request(options, (res) => {
  let body = ''
  res.on('data', (chunk) => { body += chunk })
  res.on('end', () => console.log(res.statusCode, body))
})
req.on('error', (err) => console.error(err))
req.write(data)
req.end() // nothing is sent until end() is called

This API is not included yet in qlik-cli

Request

{
  "arn": "arn:aws:kms:eu-west-1:111222334455:key/mrk-1237c011a37erft67ei987c7612q456",
  "name": "test name",
  "current": false,
  "description": "test description",
  "drCompliant": true,
  "keyprovider": "AWS-KMS",
  "multiRegion": true,
  "replicaKeys": [
    {
      "arn": "arn:aws:kms:eu-west-3:111222334455:key/mrk-1237c011a37erft67ei987c7612q456",
      "region": "eu-west-3"
    }
  ],
  "complianceError": [
    {
      "code": "",
      "region": "",
      "message": ""
    }
  ]
}

Response

{
  "arn": "arn:aws:kms:eu-west-1:111222334455:key/mrk-1237c011a37erft67ei987c7612q456",
  "name": "test name",
  "current": false,
  "description": "test description",
  "drCompliant": true,
  "keyprovider": "AWS-KMS",
  "multiRegion": true,
  "replicaKeys": [
    {
      "arn": "arn:aws:kms:eu-west-3:111222334455:key/mrk-1237c011a37erft67ei987c7612q456",
      "region": "eu-west-3"
    }
  ],
  "complianceError": [
    {
      "code": "",
      "region": "",
      "message": ""
    }
  ]
}
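
The region and replica requirements described for registration can be checked offline against entries in the shape of the sample responses on this page. The following Node.js code is an added example, not Qlik's code: the function names, the second sample entry and the `EXPECTED` regions are constructed, and the expected regions are assumed to come from Qlik's DR region mapping documentation.

```javascript
// Added example (not Qlik code): offline audit of key provider entries in the
// shape shown in this page's sample responses.

// Split an AWS KMS key ARN: arn:<partition>:kms:<region>:<account>:key/<key-id>
function parseKmsArn (arn) {
  const m = /^arn:(aws[a-z-]*):kms:([a-z0-9-]+):(\d{12}):key\/([A-Za-z0-9-]+)$/.exec(String(arn))
  return m ? { partition: m[1], region: m[2], account: m[3], keyId: m[4] } : null
}

// complianceError is an object in one sample on the page and an array in the
// others; accept both and keep only items that actually carry an error.
function complianceErrors (entry) {
  const raw = entry.complianceError
  const list = Array.isArray(raw) ? raw : (raw ? [raw] : [])
  return list.filter((e) => e && (e.code || e.message))
}

// Returns the findings for one entry; an empty list means no issue was found.
// expected.primaryRegion and expected.drRegion are caller-supplied assumptions.
function auditEntry (entry, expected = {}) {
  const primary = parseKmsArn(entry.arn)
  if (!primary) return ['arn is not a well-formed AWS KMS key ARN']
  const findings = []
  // AWS multi-region key IDs carry the "mrk-" prefix
  if (!primary.keyId.startsWith('mrk-')) findings.push('key ID lacks the mrk- prefix of a multi-region key')
  if (entry.multiRegion !== true) findings.push('multiRegion is not true')
  if (expected.primaryRegion && primary.region !== expected.primaryRegion) {
    findings.push(`primary key is in ${primary.region}, expected ${expected.primaryRegion}`)
  }
  const replicas = Array.isArray(entry.replicaKeys) ? entry.replicaKeys : []
  if (replicas.length === 0) findings.push('no replica key listed')
  const replicaRegions = []
  for (const r of replicas) {
    const rep = parseKmsArn(r.arn)
    if (!rep) { findings.push(`replica ARN is malformed: ${r.arn}`); continue }
    replicaRegions.push(rep.region)
    // A replica of a multi-region key shares account and key ID with its primary
    if (rep.account !== primary.account || rep.keyId !== primary.keyId) {
      findings.push(`${r.arn} is not a replica of the primary key`)
    }
    if (rep.region === primary.region) findings.push(`replica is in the primary region ${rep.region}`)
    if (r.region !== rep.region) {
      findings.push(`region field ${r.region} disagrees with replica ARN region ${rep.region}`)
    }
  }
  if (expected.drRegion && !replicaRegions.includes(expected.drRegion)) {
    findings.push(`no replica in expected DR region ${expected.drRegion}`)
  }
  for (const e of complianceErrors(entry)) {
    findings.push(`complianceError ${e.code} (${e.region}): ${e.message}`)
  }
  return findings
}

// Audit every entry of a list response
function auditList (entries, expected = {}) {
  return entries.map((entry) => ({
    name: entry.name,
    current: entry.current === true,
    findings: auditEntry(entry, expected)
  }))
}

const SAMPLE = [
  { // entry taken from the sample list response on this page
    arn: 'arn:aws:kms:eu-west-1:111222334455:key/mrk-1237c011a37erft67ei987c7612q456',
    name: 'test name',
    current: true,
    multiRegion: true,
    replicaKeys: [{
      arn: 'arn:aws:kms:eu-west-3:111222334455:key/mrk-1237c011a37erft67ei987c7612q456',
      region: 'eu-west-3'
    }],
    complianceError: { code: '', region: '', message: '' }
  },
  { // constructed entry with deliberate problems
    arn: 'arn:aws:kms:eu-west-1:111222334455:key/1234abcd-12ab-34cd-56ef-1234567890ab',
    name: 'constructed bad entry',
    current: false,
    multiRegion: false,
    replicaKeys: [{
      arn: 'arn:aws:kms:eu-west-1:999988887777:key/mrk-00000000000000000000000000000000',
      region: 'eu-west-3'
    }],
    complianceError: [{ code: 'EXAMPLE-CODE', region: 'eu-west-3', message: 'constructed message' }]
  }
]

// Assumed region pair for this sample; take real values from Qlik's DR mapping
const EXPECTED = { primaryRegion: 'eu-west-1', drRegion: 'eu-west-3' }

for (const row of auditList(SAMPLE, EXPECTED)) {
  console.log(`${row.name} (current=${row.current}): ${row.findings.length ? row.findings.join('; ') : 'ok'}`)
}
```
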

Retrieve key for a given ARN fingerprint.

Retrieve key provider detail by passing the ARN fingerprint as parameter.

Facts

Rate limit: Tier 1 (1000 requests per minute)
Categories: manage

Header Parameters

  • Authorization string
    Required

    The JWT used for authentication. Send the JWT in the request header using the Bearer scheme.

Path Parameters

  • arnFingerPrint string
    Required

    The fingerprint of the requested provider key.

Responses

200

application/json

Successfully fetched key provider information

  • application/json object
    • arn string
      Required

      The provider resource notation for the key.

    • name string
      Required

      Name of key provider entry.

    • current boolean

      Indicates whether the key is being used to encrypt/decrypt secrets.

    • tenantId string

      Tenant ID.

    • createdAt string

      When key entry was created.

    • description string

      Description of key provider entry.

    • keyProvider string

      Key Provider type.

      Can be one of: "AWS-KMS"

    • multiRegion boolean

      Indicates whether the key has a multi-region configuration and has a replica key in the QCS secondary region.

    • replicaKeys array of objects
      • arn string

        Replica key keeps a list of backup keys from the supported QCS secondary region.

      • region string

        Region indicates the backup QCS region linked to the primary region.

    • arnFingerPrint string

      The ARN fingerprint.

    • promotedToCurrentAt string

      When the key was promoted to being the current active one.

    • demotedFromCurrentAt string

      When the key was demoted from being current to non-active.

400

application/json

Bad Request

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

404

application/json

No entry match for the fingerprint was found

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

414

application/json

Requested fingerprint length is too large

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

GET /v1/encryption/keyproviders/{arnFingerPrint}
curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}" \
-H "Authorization: Bearer <access_token>"
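
const https = require('https')

const options = {
  // hostname is the bare host name; the URL scheme does not belong here
  hostname: 'your-tenant.us.qlikcloud.com',
  port: 443,
  // replace {arnFingerPrint} with the ARN fingerprint of the key
  path: '/api/v1/encryption/keyproviders/{arnFingerPrint}',
  method: 'GET',
  headers: {
    Authorization: 'Bearer <access_token>'
  }
}

// Print the status code and the response body
const req = https.request(options, (res) => {
  let body = ''
  res.on('data', (chunk) => { body += chunk })
  res.on('end', () => console.log(res.statusCode, body))
})
req.on('error', (err) => console.error(err))
req.end() // nothing is sent until end() is called
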
This API is not included yet in qlik-cli

Response

{
  "arn": "arn:aws:kms:eu-west-1:111222334455:key/mrk-1237c011a37erft67ei987c7612q456",
  "name": "test name",
  "current": false,
  "description": "test description",
  "drCompliant": true,
  "keyprovider": "AWS-KMS",
  "multiRegion": true,
  "replicaKeys": [
    {
      "arn": "arn:aws:kms:eu-west-3:111222334455:key/mrk-1237c011a37erft67ei987c7612q456",
      "region": "eu-west-3"
    }
  ],
  "complianceError": [
    {
      "code": "",
      "region": "",
      "message": ""
    }
  ]
}

Patches Name & Description of a given key provider.

Update the name and/or description of a key provider.

Facts

Rate limit: Tier 2 (100 requests per minute)
Categories: manage

Header Parameters

  • Authorization string
    Required

    The JWT used for authentication. Send the JWT in the request header using the Bearer scheme.

Path Parameters

  • arnFingerPrint string
    Required

    The ARN fingerprint of an existing key provider key.

Request Body

Required

application/json

A JSON Patch document as defined in https://datatracker.ietf.org/doc/html/rfc6902.

  • application/json array of objects
    • op string
      Required

      The operation to be performed.

      Can be one of: "replace"

    • path string
      Required

      The property path.

    • value string
      Required

      The value to be used for this operation.

Responses

204

Successfully patched key provider information

400

application/json

Failed to decode key provider patch request payload

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

401

application/json

Unauthorized, invalid JWT

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

404

application/json

No entry match for the fingerprint was found

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

417

application/json

Failed to patch key provider information

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

PATCH /v1/encryption/keyproviders/{arnFingerPrint}
curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}" \
-X PATCH \
-H "Authorization: Bearer <access_token>" \
-H "Content-type: application/json" \
-d '[{"op":"replace","path":"/name","value":"New Encryption Key"}]'
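
const https = require('https')

const data = JSON.stringify([{"op":"replace","path":"/name","value":"New Encryption Key"}])
const options = {
  // hostname is the bare host name; the URL scheme does not belong here
  hostname: 'your-tenant.us.qlikcloud.com',
  port: 443,
  // replace {arnFingerPrint} with the ARN fingerprint of the key
  path: '/api/v1/encryption/keyproviders/{arnFingerPrint}',
  method: 'PATCH',
  headers: {
    Authorization: 'Bearer <access_token>',
    'Content-Type': 'application/json'
  }
}

// A successful patch returns 204 with no body
const req = https.request(options, (res) => {
  let body = ''
  res.on('data', (chunk) => { body += chunk })
  res.on('end', () => console.log(res.statusCode, body))
})
req.on('error', (err) => console.error(err))
req.write(data)
req.end() // nothing is sent until end() is called
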
This API is not included yet in qlik-cli

Request

[
  {
    "op": "replace",
    "path": "/name",
    "value": "New Encryption Key"
  }
]

Deletes the given key from the tenant.

Delete a key configuration from the tenant. Not supported for the default Qlik managed key provider. Key must not be in use.

Facts

Rate limit: Tier 2 (100 requests per minute)
Categories: manage

Header Parameters

  • Authorization string
    Required

    The JWT used for authentication. Send the JWT in the request header using the Bearer scheme.

Path Parameters

  • arnFingerPrint string
    Required

    The fingerprint of the key provider you wish to delete.

Responses

204

application/json

Successfully deleted key

  • application/json object
    • response string

      Successful response message.

400

application/json

Bad Request

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

404

application/json

No entry match for the fingerprint was found

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

417

application/json

Failed to delete key provider information

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

424

application/json

The requested key is being used and cannot be deleted

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

DELETE /v1/encryption/keyproviders/{arnFingerPrint}
curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}" \
-X DELETE \
-H "Authorization: Bearer <access_token>"
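
const https = require('https')

const options = {
  // hostname is the bare host name; the URL scheme does not belong here
  hostname: 'your-tenant.us.qlikcloud.com',
  port: 443,
  // replace {arnFingerPrint} with the ARN fingerprint of the key
  path: '/api/v1/encryption/keyproviders/{arnFingerPrint}',
  method: 'DELETE',
  headers: {
    Authorization: 'Bearer <access_token>'
  }
}

// Print the status code and the response body
const req = https.request(options, (res) => {
  let body = ''
  res.on('data', (chunk) => { body += chunk })
  res.on('end', () => console.log(res.statusCode, body))
})
req.on('error', (err) => console.error(err))
req.end() // nothing is sent until end() is called
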
This API is not included yet in qlik-cli

Response

{
  "message": "Key provider metadata deleted successfully"
}

Migrate existing cipherkeys from current key provider to requested key provider.

Migrate the active key from one provider to another. The migration process may take some time to complete; however, it will not impact users, and the tenant will continue to function normally during the migration. Use the migration details endpoint to monitor migration progress.

Facts

Rate limit: Tier 2 (100 requests per minute)
Categories: manage

Header Parameters

  • Authorization string
    Required

    The JWT used for authentication. Send the JWT in the request header using the Bearer scheme.

Path Parameters

  • arnFingerPrint string
    Required

    The fingerprint of an existing key provider key.

Responses

200

application/json

Successfully initiated cipherkeys migration

  • application/json object
    • id string

      Migration operation ID.

    • state string

      Migration operation state.

      Can be one of: "New", "InProgress", "Completed"

    • progress number

      Progress in percentage.

    • tenantId string

      Tenant ID.

    • completedAt string
    • initiatedAt string
    • migratingTo string

      The new key ARN that keys should be migrated to.

    • migratingFrom string

      The key ARN being migrated from (in case of QlikVault, could be a short name only).

    • migratingToPrefix string

      The new key prefix (to help services know which prefix should NOT be migrated).

    • migratingToFingerprint string

      The new key ARN fingerprint.

400

application/json

Bad Request

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

401

application/json

Unauthorized, invalid JWT

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

404

application/json

No entry match for the fingerprint was found

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

412

application/json

Failed to initiate migration

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

424

application/json

Failed to prepare migration

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

428

application/json

There is already an ongoing migration for the tenant

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate
curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate" \
-X POST \
-H "Authorization: Bearer <access_token>"
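
const https = require('https')

const options = {
  // hostname is the bare host name; the URL scheme does not belong here
  hostname: 'your-tenant.us.qlikcloud.com',
  port: 443,
  // replace {arnFingerPrint} with the ARN fingerprint of the target key
  path: '/api/v1/encryption/keyproviders/{arnFingerPrint}/actions/migrate',
  method: 'POST',
  headers: {
    Authorization: 'Bearer <access_token>'
  }
}

// Print the status code and the migration record returned
const req = https.request(options, (res) => {
  let body = ''
  res.on('data', (chunk) => { body += chunk })
  res.on('end', () => console.log(res.statusCode, body))
})
req.on('error', (err) => console.error(err))
req.end() // nothing is sent until end() is called
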
This API is not included yet in qlik-cli

Response

{
  "id": "TiQ8GPVr8qI714Lp5ChAAFFaU24MJy69",
  "state": "New",
  "progress": 42,
  "tenantId": "TiQ8GPVr8qI714Lp5ChAAFFaU24MJy69",
  "completedAt": "2018-10-30T07:06:22Z",
  "initiatedAt": "2018-10-30T07:06:22Z",
  "migratingTo": "string",
  "migratingFrom": "string",
  "migratingToPrefix": "string",
  "migratingToFingerprint": "string"
}

Validate AWS-KMS key access.

Validate a key to check whether Qlik Cloud has the required access to your AWS account and key policy, and to check the key configuration. If the key policy or configuration is changed from the required configuration, this may impact your ability to access your tenant.

Facts

Rate limit: Tier 2 (100 requests per minute)
Categories: manage

Header Parameters

  • Authorization string
    Required

    The JWT used for authentication. Send the JWT in the request header using the Bearer scheme.

Path Parameters

  • arnFingerPrint string
    Required

    The fingerprint of an existing key provider key.

Responses

201

application/json

Successfully validated key

  • application/json object
    • arn string
      Required

      The provider resource notation for the key.

    • name string
      Required

      Name of key provider entry.

    • current boolean

      Indicates whether the key is being used to encrypt/decrypt secrets.

    • tenantId string

      Tenant ID.

    • createdAt string

      When key entry was created.

    • description string

      Description of key provider entry.

    • keyProvider string

      Key Provider type.

      Can be one of: "AWS-KMS"

    • multiRegion boolean

      Indicates whether the key has a multi-region configuration and has a replica key in the QCS secondary region.

    • replicaKeys array of objects
      • arn string

        Replica key keeps a list of backup keys from the supported QCS secondary region.

      • region string

        Region indicates the backup QCS region linked to the primary region.

    • arnFingerPrint string

      The ARN fingerprint.

    • promotedToCurrentAt string

      When the key was promoted to being the current active one.

    • demotedFromCurrentAt string

      When the key was demoted from being current to non-active.

400

application/json

Bad Request

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

401

application/json

Unauthorized, invalid JWT

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

404

application/json

No entry match for the fingerprint was found

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

408

application/json

Failed to return a response within the timeout window. The key provider (QlikVault, AWS-KMS) might be unavailable.

  • application/json object
    • errors array of objects
      Required
      • code string
        Required

        The error code.

      • meta object

        Additional error object metadata.

      • title string
        Required

        Description of the error.

      • detail string

        Extra information about the error.

POST /v1/encryption/keyproviders/{arnFingerPrint}/actions/test

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/{arnFingerPrint}/actions/test" \
-X POST \
-H "Authorization: Bearer <access_token>"

const https = require('https')
const options = {
  // hostname is the bare host name, without the https:// scheme
  hostname: 'your-tenant.us.qlikcloud.com',
  port: 443,
  path: '/api/v1/encryption/keyproviders/{arnFingerPrint}/actions/test',
  method: 'POST',
  headers: {
    Authorization: 'Bearer <access_token>'
  }
}
const req = https.request(options, (res) => {
  let body = ''
  res.on('data', (chunk) => { body += chunk })
  res.on('end', () => console.log(res.statusCode, body))
})
req.on('error', (err) => console.error(err))
req.end() // sends the request; nothing is transmitted until end() is called

This API is not yet included in qlik-cli.

Response

{
  "arn": "arn:aws:kms:eu-west-1:111222334455:key/mrk-1237c011a37erft67ei987c7612q456",
  "name": "test name",
  "current": false,
  "description": "test description",
  "drCompliant": true,
  "keyprovider": "AWS-KMS",
  "multiRegion": true,
  "replicaKeys": [
    {
      "arn": "arn:aws:kms:eu-west-3:111222334455:key/mrk-1237c011a37erft67ei987c7612q456",
      "region": "eu-west-3"
    }
  ],
  "complianceError": [
    {
      "code": "",
      "region": "",
      "message": ""
    }
  ]
}

Lists all key providers registered for the tenant.

Returns a list of all key providers in the tenant, including the default Qlik key provider.

Facts

Rate limit Tier 1 (1000 requests per minute)
Categories manage

Header Parameters

  • Authorization (string)
    Required

    The JWT used for authentication. Send the JWT in the request header using the Bearer schema.

Responses

200

application/json

Successfully retrieved list of key providers

  • application/json (object)
    • errors (array of objects)
      • arn (string)
        Required

        The provider resource notation for the key.

      • name (string)
        Required

        Name of key provider entry.

      • current (boolean)

        Indicates whether the key is being used to encrypt/decrypt secrets.

      • tenantId (string)

        Tenant ID.

      • createdAt (string)

        When the key entry was created.

      • description (string)

        Description of key provider entry.

      • keyProvider (string)

        Key Provider type.

        Can be one of: "AWS-KMS"

      • multiRegion (boolean)

        Indicates whether the key has multi-region configurations and has a replica key in the qcs secondary region.

      • replicaKeys (array of objects)
        • arn (string)

          Replica key keeps a list of backup keys from the supported qcs secondary region.

        • region (string)

          Region indicates the backup qcs-region link to the primary region.

      • arnFingerPrint (string)

        The ARN fingerprint.

      • promotedToCurrentAt (string)

        When the key was promoted to being the current active one.

      • demotedFromCurrentAt (string)

        When the key was demoted from being current to non-active.

400

application/json

Bad Request

  • application/json (object)
    • errors (array of objects)
      Required
      • code (string)
        Required

        The error code.

      • meta (object)

        Additional error object metadata.

      • title (string)
        Required

        Description of the error.

      • detail (string)

        Extra information about the error.

417

application/json

Failed to load list of key providers

  • application/json (object)
    • errors (array of objects)
      Required
      • code (string)
        Required

        The error code.

      • meta (object)

        Additional error object metadata.

      • title (string)
        Required

        Description of the error.

      • detail (string)

        Extra information about the error.

GET /v1/encryption/keyproviders/actions/list

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/actions/list" \
-H "Authorization: Bearer <access_token>"

const https = require('https')
const options = {
  // hostname is the bare host name, without the https:// scheme
  hostname: 'your-tenant.us.qlikcloud.com',
  port: 443,
  path: '/api/v1/encryption/keyproviders/actions/list',
  method: 'GET',
  headers: {
    Authorization: 'Bearer <access_token>'
  }
}
const req = https.request(options, (res) => {
  let body = ''
  res.on('data', (chunk) => { body += chunk })
  res.on('end', () => console.log(res.statusCode, body))
})
req.on('error', (err) => console.error(err))
req.end() // sends the request; nothing is transmitted until end() is called

This API is not yet included in qlik-cli.

Response

[
  {
    "arn": "#QLIK_MANAGED_KEY_PROVIDER#",
    "name": "Qlik Internal Kms",
    "tenantId": "ImTRa-bkJTD-NZRYjNBa_rDhwSVA6Qo8",
    "createdAt": "Qlik managed",
    "description": "Default key management service",
    "keyprovider": "Qlik",
    "arnFingerPrint": "ImTRa-bkJTD-NZRYjNBa_rDhwSVA6Qo8",
    "promotedToCurrentAt": "2023-06-21T18:45:57Z",
    "demotedFromCurrentAt": "0001-01-01T00:00:00Z"
  },
  {
    "arn": "arn:aws:kms:eu-west-1:111222334455:key/mrk-1237c011a37erft67ei987c7612q456",
    "name": "CMK - 01",
    "tenantId": "ImTRa-bkJTD-NZRYjNBa_rDhwSVA6Qo8",
    "createdAt": "2023-06-21T18:43:49Z",
    "drCompliant": true,
    "keyprovider": "AWS-KMS",
    "multiRegion": true,
    "replicaKeys": [
      {
        "arn": "arn:aws:kms:eu-west-3:111222334455:key/mrk-1237c011a37erft67ei987c7612q456",
        "region": "eu-west-3"
      }
    ],
    "arnFingerPrint": "9f352c5a9c1618485051892cb57467e4",
    "complianceError": {
      "code": "",
      "region": "",
      "message": ""
    },
    "promotedToCurrentAt": "2023-06-21T18:43:54Z",
    "demotedFromCurrentAt": "2023-06-21T18:45:57Z"
  },
  {
    "arn": "arn:aws:kms:eu-west-1:111222334455:key/mrk-2678f8123w236c3123469387dc2ce561",
    "name": "CMK - 02",
    "current": true,
    "tenantId": "ImTRa-bkJTD-NZRYjNBa_rDhwSVA6Qo8",
    "createdAt": "2023-06-21T18:59:17Z",
    "description": "CMK migration test",
    "drCompliant": false,
    "keyprovider": "AWS-KMS",
    "multiRegion": true,
    "replicaKeys": [
      {
        "arn": "arn:aws:kms:eu-west-3:111222334455:key/mrk-2678f8123w236c3123469387dc2ce561",
        "region": "eu-west-3"
      }
    ],
    "arnFingerPrint": "12342c83b25f9e36543bca28f69e4210",
    "complianceError": {
      "code": "Encryption-88",
      "region": "eu-west-3",
      "message": "The policy of the provided key does not allow the required action [eu-west-3] [GenerateDataKey]."
    },
    "promotedToCurrentAt": "2023-06-21T18:59:18Z",
    "demotedFromCurrentAt": "0001-01-01T00:00:00Z"
  }
]
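
An added example (not part of Qlik's documentation): a Node.js check over the array returned by /actions/list that reports which provider is in use and flags customer-managed keys that are not DR compliant, carry a populated complianceError, or are multi-region without replica keys. The function names, check names and severity labels are assumptions made for this example.

```javascript
// SAMPLE is trimmed from the sample response above (constructed for this example).
const SAMPLE = [
  { name: 'Qlik Internal Kms', keyprovider: 'Qlik', arn: '#QLIK_MANAGED_KEY_PROVIDER#' },
  { name: 'CMK - 01', keyprovider: 'AWS-KMS', drCompliant: true, multiRegion: true,
    replicaKeys: [{ region: 'eu-west-3' }],
    complianceError: { code: '', region: '', message: '' } },
  { name: 'CMK - 02', keyprovider: 'AWS-KMS', current: true, drCompliant: false,
    multiRegion: true, replicaKeys: [{ region: 'eu-west-3' }],
    complianceError: { code: 'Encryption-88', region: 'eu-west-3',
      message: 'The policy of the provided key does not allow the required action [eu-west-3] [GenerateDataKey].' } }
]

// complianceError is an object in the list sample and an array in the test
// sample; an entry with an empty code is treated here as "no error".
function complianceErrors (provider) {
  const raw = provider.complianceError
  const list = Array.isArray(raw) ? raw : raw ? [raw] : []
  return list.filter((e) => e && e.code)
}

// Returns the name of the provider in use plus findings for customer-managed keys.
function auditKeyProviders (providers) {
  const findings = []
  const add = (p, check, detail) =>
    findings.push({ name: p.name, check, detail, severity: p.current ? 'high' : 'info' })
  for (const p of providers) {
    // The schema spells the field keyProvider; the sample responses use keyprovider.
    if ((p.keyProvider || p.keyprovider) !== 'AWS-KMS') continue
    if (p.drCompliant === false) add(p, 'dr-compliance', 'drCompliant is false')
    for (const e of complianceErrors(p)) {
      add(p, 'compliance-error', `${e.code} [${e.region}] ${e.message}`)
    }
    if (p.multiRegion && !(p.replicaKeys || []).length) {
      add(p, 'missing-replica', 'multiRegion is true but replicaKeys is empty')
    }
  }
  const current = providers.find((p) => p.current === true)
  return { current: current ? current.name : null, findings }
}

console.log(JSON.stringify(auditKeyProviders(SAMPLE), null, 2))
```

Findings on the entry marked current are rated higher because that key is the one encrypting and decrypting tenant secrets.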

Reset tenant key provider to default Qlik managed provider.

Reset the encryption key back to the default Qlik managed provider. No action is taken if the tenant is already using the Qlik provider.

Facts

Rate limit Tier 2 (100 requests per minute)
Categories manage

Header Parameters

  • Authorization (string)
    Required

    The JWT used for authentication. Send the JWT in the request header using the Bearer schema.

Responses

200

application/json

Tenant is already using Qlik Managed provider, no action taken

  • application/json (object)
    • message (string)

      Tenant is already using Qlik KMS, no migration is required.

205

application/json

Successfully initiated key migration to Qlik managed provider

  • application/json (object)
    • id (string)

      Migration operation ID.

    • state (string)

      Migration operation state.

      Can be one of: "New", "InProgress", "Completed"

    • progress (number)

      Progress in percentage.

    • tenantId (string)

      Tenant ID.

    • completedAt (string)
    • initiatedAt (string)
    • migratingTo (string)

      The new key ARN that keys should be migrated to.

    • migratingFrom (string)

      The key ARN being migrated from (in case of QlikVault, could be a short name only).

    • migratingToPrefix (string)

      The new key prefix (to help services know which prefix should NOT be migrated).

    • migratingToFingerprint (string)

      The new key ARN fingerprint.

401

application/json

Unauthorized, invalid JWT

  • application/json (object)
    • errors (array of objects)
      Required
      • code (string)
        Required

        The error code.

      • meta (object)

        Additional error object metadata.

      • title (string)
        Required

        Description of the error.

      • detail (string)

        Extra information about the error.

406

application/json

A migration is already in progress for this tenant; it must complete before a new migration can be started

  • application/json (object)
    • errors (array of objects)
      Required
      • code (string)
        Required

        The error code.

      • meta (object)

        Additional error object metadata.

      • title (string)
        Required

        Description of the error.

      • detail (string)

        Extra information about the error.

412

application/json

Failed to initiate migration to Qlik managed provider

  • application/json (object)
    • errors (array of objects)
      Required
      • code (string)
        Required

        The error code.

      • meta (object)

        Additional error object metadata.

      • title (string)
        Required

        Description of the error.

      • detail (string)

        Extra information about the error.

424

application/json

Tenant is already using Qlik Managed provider

  • application/json (object)
    • errors (array of objects)
      Required
      • code (string)
        Required

        The error code.

      • meta (object)

        Additional error object metadata.

      • title (string)
        Required

        Description of the error.

      • detail (string)

        Extra information about the error.

POST /v1/encryption/keyproviders/actions/reset-to-default-provider

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/actions/reset-to-default-provider" \
-X POST \
-H "Authorization: Bearer <access_token>"

const https = require('https')
const options = {
  // hostname is the bare host name, without the https:// scheme
  hostname: 'your-tenant.us.qlikcloud.com',
  port: 443,
  path: '/api/v1/encryption/keyproviders/actions/reset-to-default-provider',
  method: 'POST',
  headers: {
    Authorization: 'Bearer <access_token>'
  }
}
const req = https.request(options, (res) => {
  let body = ''
  res.on('data', (chunk) => { body += chunk })
  res.on('end', () => console.log(res.statusCode, body))
})
req.on('error', (err) => console.error(err))
req.end() // sends the request; nothing is transmitted until end() is called

This API is not yet included in qlik-cli.

Response

{
  "message": "Tenant is already using Qlik KMS, no migration is required."
}

Retrieve most recent migration details.

Retrieve details for the ongoing or last completed migration for the tenant.

Facts

Rate limit Tier 1 (1000 requests per minute)
Categories manage

Header Parameters

  • Authorization (string)
    Required

    The JWT used for authentication. Send the JWT in the request header using the Bearer schema.

Responses

200

application/json

Successfully fetched migration information

  • application/json (object)
    • id (string)

      Migration operation ID.

    • state (string)

      Migration operation state.

      Can be one of: "New", "InProgress", "Completed"

    • progress (number)

      Progress in percentage.

    • tenantId (string)

      Tenant ID.

    • completedAt (string)
    • initiatedAt (string)
    • migratingTo (string)

      The new key ARN that keys should be migrated to.

    • migratingFrom (string)

      The key ARN being migrated from (in case of QlikVault, could be a short name only).

    • migratingToPrefix (string)

      The new key prefix (to help services know which prefix should NOT be migrated).

    • migratingToFingerprint (string)

      The new key ARN fingerprint.

400

application/json

Bad Request

  • application/json (object)
    • errors (array of objects)
      Required
      • code (string)
        Required

        The error code.

      • meta (object)

        Additional error object metadata.

      • title (string)
        Required

        Description of the error.

      • detail (string)

        Extra information about the error.

401

application/json

Unauthorized, invalid JWT

  • application/json (object)
    • errors (array of objects)
      Required
      • code (string)
        Required

        The error code.

      • meta (object)

        Additional error object metadata.

      • title (string)
        Required

        Description of the error.

      • detail (string)

        Extra information about the error.

404

application/json

There is no ongoing migration for this tenant

  • application/json (object)
    • errors (array of objects)
      Required
      • code (string)
        Required

        The error code.

      • meta (object)

        Additional error object metadata.

      • title (string)
        Required

        Description of the error.

      • detail (string)

        Extra information about the error.

417

application/json

Failed to get ongoing migration information

  • application/json (object)
    • errors (array of objects)
      Required
      • code (string)
        Required

        The error code.

      • meta (object)

        Additional error object metadata.

      • title (string)
        Required

        Description of the error.

      • detail (string)

        Extra information about the error.

GET /v1/encryption/keyproviders/migration/actions/details

curl "https://your-tenant.us.qlikcloud.com/api/v1/encryption/keyproviders/migration/actions/details" \
-H "Authorization: Bearer <access_token>"

const https = require('https')
const options = {
  // hostname is the bare host name, without the https:// scheme
  hostname: 'your-tenant.us.qlikcloud.com',
  port: 443,
  path: '/api/v1/encryption/keyproviders/migration/actions/details',
  method: 'GET',
  headers: {
    Authorization: 'Bearer <access_token>'
  }
}
const req = https.request(options, (res) => {
  let body = ''
  res.on('data', (chunk) => { body += chunk })
  res.on('end', () => console.log(res.statusCode, body))
})
req.on('error', (err) => console.error(err))
req.end() // sends the request; nothing is transmitted until end() is called

This API is not yet included in qlik-cli.

Response

{
  "id": "TiQ8GPVr8qI714Lp5ChAAFFaU24MJy69",
  "state": "New",
  "progress": 42,
  "tenantId": "TiQ8GPVr8qI714Lp5ChAAFFaU24MJy69",
  "completedAt": "2018-10-30T07:06:22Z",
  "initiatedAt": "2018-10-30T07:06:22Z",
  "migratingTo": "string",
  "migratingFrom": "string",
  "migratingToPrefix": "string",
  "migratingToFingerprint": "string"
}
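
An added example (not part of Qlik's documentation) that combines the reset-to-default-provider and migration details endpoints: it issues the reset, interprets the documented status codes, and polls the details endpoint until the state is "Completed". The `api` transport object, the function names and the stubbed responses are assumptions constructed for this example.

```javascript
// `api` is a hypothetical transport whose reset() and details() resolve to
// { status, body } for the two endpoints documented above.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms))

async function waitForMigration (api, { intervalMs = 5000, maxPolls = 120 } = {}) {
  for (let i = 0; i < maxPolls; i++) {
    const { status, body } = await api.details()
    if (status === 404) return null // no ongoing migration for this tenant
    if (status !== 200) throw new Error(`details failed with HTTP ${status}`)
    if (body.state === 'Completed') return body
    await sleep(intervalMs) // state is "New" or "InProgress"
  }
  throw new Error('migration did not complete within the polling budget')
}

async function resetToQlikProvider (api, opts = {}) {
  for (let attempt = 0; attempt < 2; attempt++) {
    const { status } = await api.reset()
    // 200 and 424 both report that the tenant already uses the Qlik provider.
    if (status === 200 || status === 424) return { changed: false, migration: null }
    if (status === 205) return { changed: true, migration: await waitForMigration(api, opts) }
    // 406: another migration is running and may target a different key, so
    // wait for it to finish and then issue the reset once more.
    if (status === 406 && attempt === 0) { await waitForMigration(api, opts); continue }
    throw new Error(`reset failed with HTTP ${status}`)
  }
}

// Constructed stub: replays scripted responses instead of calling a tenant.
function stubApi (resets, details) {
  return {
    reset: async () => resets.shift(),
    details: async () => details.shift()
  }
}

function demo () {
  const api = stubApi(
    [{ status: 406, body: {} }, { status: 205, body: { state: 'New' } }],
    [{ status: 200, body: { state: 'Completed', progress: 100 } },
      { status: 200, body: { state: 'InProgress', progress: 42 } },
      { status: 200, body: { state: 'Completed', progress: 100 } }])
  return resetToQlikProvider(api, { intervalMs: 0 })
}

demo().then((result) => console.log(result))
```

The default five-second interval keeps polling far below the Tier 1 limit of 1000 requests per minute stated for the details endpoint.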