使用 CloudHSM CLI 取消共享密钥
使用 CloudHSM CLI 中的 key unshare 命令取消与 AWS CloudHSM 集群中的其他 CU 共享密钥。
只有创建密钥并因此拥有该密钥的 CU 才能取消共享该密钥。共享密钥的用户可以在加密操作中使用该密钥,但不能删除、导出、共享或取消共享该密钥。此外,这些用户无法更改密钥属性。
用户类型
以下类型的用户均可运行此命令。
-
加密用户(CU)
要求
要运行此命令,必须以 CU 身份登录。
语法
aws-cloudhsm >
help key unshare
Unshare a key in the HSM cluster with another user Usage: key unshare --filter [
<FILTER>
...] --username<USERNAME>
--role<ROLE>
Options: --cluster-id<CLUSTER_ID>
Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error --filter [<FILTER>
...] Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key for unsharing --username<USERNAME>
A username with which the key will be unshared --role<ROLE>
Role the user has in the cluster Possible values: - crypto-user: A CryptoUser has the ability to manage and use keys - admin: An Admin has the ability to manage user accounts -h, --help Print help (see a summary with '-h')
示例:取消与其他 CU 共享密钥
以下示例演示了如何使用 key unshare 命令取消与 CU alice
共享密钥。
-
运行 key list 命令并按要取消与
alice
共享的特定密钥筛选。aws-cloudhsm >
key list --filter attr.label="rsa_key_to_share" attr.class=private-key --verbose
{ "error_code": 0, "data": { "matched_keys": [ { "key-reference": "0x00000000001c0686", "key-info": { "key-owners": [ { "username": "cu3", "key-coverage": "full" } ], "shared-users": [ { "username": "cu2", "key-coverage": "full" }, { "username": "cu1", "key-coverage": "full" }, { "username": "cu4", "key-coverage": "full" }, { "username": "cu5", "key-coverage": "full" }, { "username": "cu6", "key-coverage": "full" }, { "username": "cu7", "key-coverage": "full" }, { "username": "alice", "key-coverage": "full" } ], "cluster-coverage": "full" }, "attributes": { "key-type": "rsa", "label": "rsa_key_to_share", "id": "", "check-value": "0xae8ff0", "class": "private-key", "encrypt": false, "decrypt": true, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": true, "verify": false, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 1219, "public-exponent": "0x010001", "modulus": "0xa8855cba933cec0c21a4df0450ec31675c024f3e65b2b215a53d2bda6dcd191f75729150b59b4d86df58254c8f518f7d000cc04d8e958e7502c7c33098e28da4d94378ef34fb57d1cc7e042d9119bd79be0df728421a980a397095157da24cf3cc2b6dab12225d33fdca11f0c6ed1a5127f12488cda9a556814b39b06cd8373ff5d371db2212887853621b8510faa7b0779fbdec447e1f1d19f343acb02b22526487a31f6c704f8f003cb4f7013136f90cc17c2c20e414dc1fc7bcfb392d59c767900319679fc3307388633485657ce2e1a3deab0f985b0747ef4ed339de78147d1985d14fdd8634219321e49e3f5715e79c298f18658504bab04086bfbdcd3b", "modulus-size-bits": 2048 } } ], "total_key_count": 1, "returned_key_count": 1 } }
-
在
shared-users
输出中确认alice
,然后运行以下 key unshare 命令取消与alice
共享密钥。aws-cloudhsm >
key unshare --filter attr.label="rsa_key_to_share" attr.class=private-key --username alice --role crypto-user
{ "error_code": 0, "data": { "message": "Key unshared successfully" } }
-
再次运行
key list
命令以确认已取消与alice
共享该密钥。aws-cloudhsm >
key list --filter attr.label="rsa_key_to_share" attr.class=private-key --verbose
{ "error_code": 0, "data": { "matched_keys": [ { "key-reference": "0x00000000001c0686", "key-info": { "key-owners": [ { "username": "cu3", "key-coverage": "full" } ], "shared-users": [ { "username": "cu2", "key-coverage": "full" }, { "username": "cu1", "key-coverage": "full" }, { "username": "cu4", "key-coverage": "full" }, { "username": "cu5", "key-coverage": "full" }, { "username": "cu6", "key-coverage": "full" }, { "username": "cu7", "key-coverage": "full" }, ], "cluster-coverage": "full" }, "attributes": { "key-type": "rsa", "label": "rsa_key_to_share", "id": "", "check-value": "0xae8ff0", "class": "private-key", "encrypt": false, "decrypt": true, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": true, "verify": false, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 1219, "public-exponent": "0x010001", "modulus": "0xa8855cba933cec0c21a4df0450ec31675c024f3e65b2b215a53d2bda6dcd191f75729150b59b4d86df58254c8f518f7d000cc04d8e958e7502c7c33098e28da4d94378ef34fb57d1cc7e042d9119bd79be0df728421a980a397095157da24cf3cc2b6dab12225d33fdca11f0c6ed1a5127f12488cda9a556814b39b06cd8373ff5d371db2212887853621b8510faa7b0779fbdec447e1f1d19f343acb02b22526487a31f6c704f8f003cb4f7013136f90cc17c2c20e414dc1fc7bcfb392d59c767900319679fc3307388633485657ce2e1a3deab0f985b0747ef4ed339de78147d1985d14fdd8634219321e49e3f5715e79c298f18658504bab04086bfbdcd3b", "modulus-size-bits": 2048 } } ], "total_key_count": 1, "returned_key_count": 1 } }
参数
<CLUSTER_ID>
-
要运行此操作的集群的 ID。
必需:如果已配置多个集群。
<FILTER>
-
密钥引用(例如
key-reference=0xabc
)或空格分隔的密钥属性列表,采用attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE
形式,可选择要删除的匹配密钥。有关支持的密钥属性的列表,请参阅 CloudHSM CLI 的密钥属性。
必需:是
<USERNAME>
-
为用户指定友好名称。最大长度为 31 个字符。唯一允许的特殊字符是下划线 ( _ )。此命令中的用户名不区分大小写,用户名始终以小写形式显示。
必需:是
<ROLE>
-
指定分配给该用户的角色。此参数为必需参数。要获取用户的角色,请使用 user list 命令。有关 HSM 上的用户类型的详细信息,请参阅 CloudHSM CLI 的 HSM 用户类型。
必需:是