使用 Cloud 为用户列出密钥 HSM CLI - AWS CloudHSM

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

使用 Cloud 为用户列出密钥 HSM CLI

在 Cloud HSM CLI 中使用key list命令查找 AWS CloudHSM 集群中当前用户的所有密钥。输出包括用户拥有和共享的密钥,以及 Cloud HSM 集群中的所有公钥。

用户类型

以下类型的用户均可运行此命令。

  • 管理员 () COs

  • 加密用户 (CUs)

语法

aws-cloudhsm > help key list List the keys the current user owns, shares, and all public keys in the HSM cluster Usage: key list [OPTIONS] Options: --cluster-id <CLUSTER_ID> Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error --filter [<FILTER>...] Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select matching key(s) to list --max-items <MAX_ITEMS> The total number of items to return in the command's output. If the total number of items available is more than the value specified, a next-token is provided in the command's output. To resume pagination, provide the next-token value in the starting-token argument of a subsequent command [default: 10] --starting-token <STARTING_TOKEN> A token to specify where to start paginating. This is the next-token from a previously truncated response -v, --verbose If included, prints all attributes and key information for each matched key. By default each matched key only displays its key-reference and label attribute. This flag when used by Admins has no effect -h, --help Print help

示例

以下示例显示运行 key list 命令的不同方式。以下示例显示了作为加密用户的输出。

例 示例:Find all keys - default

此命令列出了 AWS CloudHSM 集群中已登录用户的密钥。

注意

默认情况下,仅显示当前登录用户的 10 个按键,并且输出中仅显示 key-referencelabel。使用适当的分页选项将更多或更少的密钥显示为输出。

aws-cloudhsm > key list { "error_code": 0, "data": { "matched_keys": [ { "key-reference": "0x00000000000003d5", "attributes": { "label": "test_label_1" } }, { "key-reference": "0x0000000000000626", "attributes": { "label": "test_label_2" } },. ...8 keys later... ], "total_key_count": 56, "returned_key_count": 10, "next_token": "10" } }
例 示例:Find all keys - verbose

输出包括用户拥有和共享的密钥,以及中的所有公钥HSMs。

注意

注意:默认情况下,仅显示当前登录用户的 10 个密钥。使用适当的分页选项将更多或更少的密钥显示为输出。

aws-cloudhsm > key list --verbose { "error_code": 0, "data": { "matched_keys": [ { "key-reference": "0x000000000012000c", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "cluster-coverage": "session" }, "attributes": { "key-type": "ec", "label": "ec-test-private-key", "id": "", "check-value": "0x2a737d", "class": "private-key", "encrypt": false, "decrypt": false, "token": false, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": false, "trusted": false, "unwrap": false, "verify": false, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 122, "ec-point": "0x0442d53274a6c0ec1a23c165dcb9ccdd72c64e98ae1a9594bb5284e752c746280667e11f1e983493c1c605e0a8071ede47ca280f94c6b2aa33", "curve": "secp224r1" } }, { "key-reference": "0x000000000012000d", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "cluster-coverage": "session" }, "attributes": { "key-type": "ec", "label": "ec-test-public-key", "id": "", "check-value": "0x2a737d", "class": "public-key", "encrypt": false, "decrypt": false, "token": false, "always-sensitive": false, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": false, "sign": false, "trusted": false, "unwrap": false, "verify": false, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 57, "ec-point": "0x0442d53274a6c0ec1a23c165dcb9ccdd72c64e98ae1a9594bb5284e752c746280667e11f1e983493c1c605e0a8071ede47ca280f94c6b2aa33", "curve": "secp224r1" } } ], ...8 keys later... "total_key_count": 1580, "returned_key_count": 10 } }
例 示例:Paginated return

以下示例显示密钥的分页子集,其中仅显示两个密钥。然后,该示例提供了一个后续调用以显示接下来的两个密钥。

aws-cloudhsm > key list --verbose --max-items 2 { "error_code": 0, "data": { "matched_keys": [ { "key-reference": "0x0000000000000030", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "cluster-coverage": "full" }, "attributes": { "key-type": "aes", "label": "98a6688d1d964ed7b45b9cec5c4b1909", "id": "", "check-value": "0xb28a46", "class": "secret-key", "encrypt": false, "decrypt": false, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": false, "verify": true, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 32 } }, { "key-reference": "0x0000000000000042", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "cluster-coverage": "full" }, "attributes": { "key-type": "aes", "label": "4ad6cdcbc02044e09fa954143efde233", "id": "", "check-value": "0xc98104", "class": "secret-key", "encrypt": true, "decrypt": true, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": true, "verify": true, "wrap": true, "wrap-with-trusted": false, "key-length-bytes": 16 } } ], "total_key_count": 1580, "returned_key_count": 2, "next_token": "2" } }

要显示接下来的 2 个密钥,可以进行后续调用:

aws-cloudhsm > key list --verbose --max-items 2 --starting-token 2 { "error_code": 0, "data": { "matched_keys": [ { "key-reference": "0x0000000000000081", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "cluster-coverage": "full" }, "attributes": { "key-type": "aes", "label": "6793b8439d044046982e5b895791e47f", "id": "", "check-value": "0x3f986f", "class": "secret-key", "encrypt": false, "decrypt": false, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": false, "verify": true, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 32 } }, { "key-reference": "0x0000000000000089", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "cluster-coverage": "full" }, "attributes": { "key-type": "aes", "label": "56b30fa05c6741faab8f606d3b7fe105", "id": "", "check-value": "0xe9201a", "class": "secret-key", "encrypt": false, "decrypt": false, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": false, "verify": true, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 32 } } ], "total_key_count": 1580, "returned_key_count": 2, "next_token": "4" } }

有关演示密钥过滤机制在云端工作原理的更多示例 HSMCLI,请参阅使用 Cloud 筛选密钥 HSM CLI

参数

<CLUSTER_ID>

要运行此操作的集群的 ID。

必需:如果已配置多个集群。

<FILTER>

按键引用(例如key-reference=0xabc)或以空格分隔的按键属性列表,形式attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE为,用于选择要列出的匹配密钥。

有关支持的 Cloud HSM CLI 密钥属性的列表,请参阅 云的关键属性 HSM CLI

必需:否

<MAX_ITEMS>

命令的输出中要返回的项目总数。如果可用的总项目数超过指定的值,则会在命令的输出中提供 next-token。要恢复分页,请在后续命令的 starting-token 参数中提供 next-token 值。

必需:否

<STARTING_TOKEN>

指定从何处开始分页的令牌。这是先前截断的响应中的 next-token。

必需:否

<VERBOSE>

如果包含,则打印每个匹配密钥的所有属性和密钥信息。默认情况下,每个匹配的密钥仅显示其键引用和标签属性。管理员使用此标志时无效。

必需:否

相关 主题