List of Keys
GET /byok/v1/keys
Retrieve a sorted, filtered, paginated list of all keys.
Request
Query parameters (all optional): display_name (partial match), provider, state, validation_phase and validation_region (exact match), key (partial match on the key identifier: key_arn for AWS, key_id for Azure and GCP), page_size (default 10, maximum 100) and page_token (an opaque token; take it from the metadata.next link of the previous page rather than constructing it).
Authentication: cloud-api-key, global-api-key or confluent-sts-access-token.
Responses
- 200 Key. The body is a byok/v1 KeyList: a data array of Key objects plus metadata carrying the first/last/prev/next page links and total_size.
Response Headers
X-Request-Id: The unique identifier for the API request.
X-RateLimit-Limit: The maximum number of requests you're permitted to make per time period.
X-RateLimit-Remaining: The number of requests remaining in the current rate limit window.
X-RateLimit-Reset: The relative time in seconds until the current rate-limit window resets.
Important: This differs from GitHub's and Twitter's same-named header, which uses UTC epoch seconds. We use relative time to avoid client/server time synchronization issues.
- 400 Bad Request
Response Headers
X-Request-Id: The unique identifier for the API request.
- 401 Unauthorized: The request lacks valid authentication credentials for this resource.
Response Headers
X-Request-Id: The unique identifier for the API request.
WWW-Authenticate: The authentication challenge explaining why the supplied credentials were rejected, for example Basic error="invalid_key", error_description="The API Key is invalid".
- 403 Forbidden: The access credentials were considered insufficient to grant access.
Response Headers
X-Request-Id: The unique identifier for the API request.
- 429 Rate Limit Exceeded
Response Headers
X-Request-Id: The unique identifier for the API request.
X-RateLimit-Limit: The maximum number of requests you're permitted to make per time period.
X-RateLimit-Remaining: The number of requests remaining in the current rate limit window.
X-RateLimit-Reset: The relative time in seconds until the current rate-limit window resets (relative seconds, not a UTC epoch, as noted above).
Retry-After: The number of seconds to wait until the rate limit window resets. Only sent when the rate limit is reached.
- 500 Oops, something went wrong!
Response Headers
X-Request-Id: The unique identifier for the API request.
The 400, 401, 403 and 500 responses carry a Failure body: an errors array whose entries have id, status, code, title and detail and, when a particular part of the request caused the problem, a source.pointer (JSON Pointer into the body) or source.parameter (the offending query parameter). Quote the X-Request-Id together with the errors[].id when reporting a problem.
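The summary above fixes three things a client has to get right: pages are chained through the opaque metadata.next link, X-RateLimit-Reset is a relative number of seconds (so it must not be treated as an epoch timestamp), and every error response carries a Failure body plus an X-Request-Id. The Python client below is an added example, not Confluent's own client code; it implements those rules against an injected transport so it runs offline. The FakeApi class, its request ids, the page_token value "p2" and the default one-second back-off when no rate-limit header is present are constructed for this example, not behaviour the page documents; the 400 and 401 bodies are copied from the page's own examples.

```python
"""Walk GET /byok/v1/keys with the pagination and rate-limit rules documented on this page.
Added example, not Confluent's client code. The HTTP transport is injected so the logic
runs offline against the constructed FakeApi below; a real transport built on urllib or
requests that returns (status, headers, json) can be dropped in instead."""
import base64
import time
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

BASE_URL = "https://api.confluent.cloud"
LIST_PATH = "/byok/v1/keys"
# One GET: (url, request headers) -> (status, response headers, decoded JSON body).
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], dict]]


class ApiError(Exception):
    """Non-2xx reply: keeps the Failure `errors` list and the X-Request-Id for support."""
    def __init__(self, status: int, request_id: Optional[str], errors: List[dict]):
        super().__init__(f"HTTP {status} X-Request-Id={request_id} errors={errors}")
        self.status, self.request_id, self.errors = status, request_id, errors


def basic_auth_header(api_key: str, api_secret: str) -> Dict[str, str]:
    """cloud-api-key credentials go in HTTP Basic (cf. the 401 WWW-Authenticate example)."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def backoff_seconds(headers: Dict[str, str]) -> float:
    """Wait time after a 429. X-RateLimit-Reset is *relative* seconds on this API, unlike the
    epoch-seconds header of the same name on GitHub/Twitter, so it is never compared to time.time()."""
    for name in ("Retry-After", "X-RateLimit-Reset"):
        if name in headers:
            return max(0.0, float(headers[name]))
    return 1.0  # header missing: conservative default chosen for this example


def list_keys(transport: Transport, headers: Dict[str, str], filters: Optional[Dict[str, str]] = None,
              page_size: int = 100, max_retries: int = 3, sleep=time.sleep) -> List[dict]:
    """Return every Key object, following metadata.next until it is absent or null."""
    params = dict(filters or {})
    params["page_size"] = str(min(page_size, 100))  # the schema caps page_size at 100
    url: Optional[str] = f"{BASE_URL}{LIST_PATH}?{urlencode(params)}"
    keys: List[dict] = []
    while url:
        for attempt in range(max_retries + 1):
            status, resp_headers, body = transport(url, headers)
            if status != 429 or attempt == max_retries:
                break
            sleep(backoff_seconds(resp_headers))
        if status != 200:
            raise ApiError(status, resp_headers.get("X-Request-Id"), body.get("errors", []))
        if body.get("api_version") != "byok/v1" or body.get("kind") != "KeyList":
            raise ValueError(f"unexpected payload {body.get('api_version')}/{body.get('kind')}")
        keys.extend(body["data"])
        url = body["metadata"].get("next")  # opaque page_token link: follow it, never rebuild it
    return keys


def error_for(transport: Transport, headers: Dict[str, str], **kwargs) -> Optional[ApiError]:
    """Return the ApiError a listing raises, or None on success (used by the checks below)."""
    try:
        list_keys(transport, headers, **kwargs)
    except ApiError as exc:
        return exc
    return None


class FakeApi:
    """Constructed stand-in for the endpoint: three keys over two pages, one 429 up front."""
    KEYS = [{"api_version": "byok/v1", "kind": "Key", "id": i, "provider": p, "state": "IN_USE",
             "validation": {"phase": "VALID", "since": "2024-03-20T15:30:00Z"}}
            for i, p in (("cck-12345", "AWS"), ("cck-23456", "Azure"), ("cck-34567", "GCP"))]
    BAD_FILTER = {"errors": [{"id": "ed42afdc-f0d5-4c0d-b428-9fc6ed6e279d", "status": "400",
                              "code": "invalid_filter", "title": "Invalid Filter",
                              "source": {"parameter": "num_doors"}}]}

    def __init__(self) -> None:
        self.throttled_once = False

    def __call__(self, url: str, headers: Dict[str, str]):
        if "Authorization" not in headers:
            challenge = 'Basic error="invalid_key", error_description="The API Key is invalid"'
            return 401, {"X-Request-Id": "req-401", "WWW-Authenticate": challenge}, {
                "errors": [{"status": "401", "code": "user_unauthenticated"}]}
        query = parse_qs(urlsplit(url).query)
        if "num_doors" in query:  # the page's own invalid_filter example
            return 400, {"X-Request-Id": "req-400"}, self.BAD_FILTER
        if not self.throttled_once:
            self.throttled_once = True
            return 429, {"X-Request-Id": "req-429", "Retry-After": "2", "X-RateLimit-Reset": "2"}, {}
        page = {"api_version": "byok/v1", "kind": "KeyList"}
        if "page_token" not in query:
            page.update(metadata={"next": f"{BASE_URL}{LIST_PATH}?page_token=p2", "total_size": 3},
                        data=self.KEYS[:2])
        else:
            page.update(metadata={"next": None, "total_size": 3}, data=self.KEYS[2:])
        return 200, {"X-Request-Id": "req-page"}, page


if __name__ == "__main__":
    api = FakeApi()
    for key in list_keys(api, basic_auth_header("AKEY", "ASECRET")):
        print(key["id"], key["provider"], key["state"], key["validation"]["phase"])
```

The retry loop only re-sends on 429; a 401, 403 or 500 is raised immediately with the request id attached, because retrying a credential or authorization failure only burns rate-limit budget.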
OpenAPI definition (YAML)
paths:
/byok/v1/keys:
get:
x-lifecycle-stage: General Availability
x-self-access: true
operationId: listByokV1Keys
description: '[](#section/Versioning/API-Lifecycle-Policy)
Retrieve a sorted, filtered, paginated list of all keys.'
parameters:
- name: display_name
in: query
required: false
schema:
description: Filter a collection by a string search
type: string
title: SearchFilter
example: Key for billing cluster
description: Filter the results by a partial search of display_name.
- name: provider
in: query
required: false
schema:
description: Filter a collection by a string search
type: string
title: SearchFilter
example: AWS
description: Filter the results by exact match for provider.
- name: state
in: query
required: false
schema:
description: Filter a collection by a string search
type: string
title: SearchFilter
example: IN_USE
description: Filter the results by exact match for state.
- name: validation_phase
in: query
required: false
schema:
description: Filter a collection by a string search
type: string
title: SearchFilter
description: Filter the results by exact match for validation_phase.
- name: validation_region
in: query
required: false
schema:
description: Filter a collection by a string search
type: string
title: SearchFilter
example: us-west-2
description: 'Filter keys by the cloud region where they are deployed.
'
- name: key
in: query
required: false
schema:
description: Filter a collection by a string search
type: string
title: SearchFilter
example: vault-name
description: 'Filters results by a partial match on the key identifier: key_arn for AWS, key_id
for Azure and GCP.
'
- name: page_size
in: query
required: false
schema:
type: integer
default: 10
maximum: 100
x-max-page-items: 500
description: A pagination size for collection requests.
- name: page_token
in: query
required: false
schema:
type: string
maxLength: 255
description: An opaque pagination token for collection requests.
tags:
- Keys (byok/v1)
security:
- cloud-api-key: []
- global-api-key: []
- confluent-sts-access-token: []
responses:
'200':
description: Key.
content:
application/json:
schema:
allOf:
- type: object
description: '`Key` objects represent customer managed keys on dedicated Confluent Cloud
clusters.
Keys are used to protect data at rest stored in your dedicated Confluent Cloud clusters
on AWS, Azure, and GCP.
This API allows you to upload and retrieve self-managed keys on Confluent Cloud.
Related guide: [Confluent Cloud Bring Your Own Key (BYOK) Management API](https://docs.confluent.io/cloud/current/clusters/byok/index.html).
## The Keys Model
<SchemaDefinition schemaRef="#/components/schemas/byok.v1.Key" />
## Quotas and Limits
This resource is subject to the [following quotas](https://docs.confluent.io/cloud/current/quotas/overview.html):
| Quota | Description |
| --- | --- |
| `byok.max_keys.per_org` | BYOK keys in one Confluent Cloud organisation. |'
required:
- api_version
- kind
- metadata
- data
properties:
api_version:
type: string
enum:
- byok/v1
description: APIVersion defines the schema version of this representation of a resource.
readOnly: true
kind:
type: string
description: Kind defines the object this REST resource represents.
readOnly: true
enum:
- KeyList
metadata:
allOf:
- type: object
description: ListMeta describes metadata that resource collections may have
properties:
first:
description: A link to the first page of results. If a response does not contain
a first link, then direct navigation to the first page is not supported.
type: string
format: uri
nullable: true
example: https://api.confluent.cloud/v2/resourcekinds
last:
description: A link to the last page of results. If a response does not contain
a last link, then direct navigation to the last page is not supported.
type: string
format: uri
nullable: true
example: https://api.confluent.cloud/v2/resourcekinds?page_token=bcAOehAY8F16YD84Z1wT
prev:
description: A link to the previous page of results. If a response does not
contain a prev link, then either there is no previous data or backwards
traversal through the result set is not supported.
type: string
format: uri
nullable: true
example: https://api.confluent.cloud/v2/resourcekinds?page_token=YIXRY97wWYmwzrax4dld
next:
description: A link to the next page of results. If a response does not contain
a next link, then there is no more data available.
type: string
format: uri
nullable: true
example: https://api.confluent.cloud/v2/resourcekinds?page_token=UvmDWOB1iwfAIBPj6EYb
total_size:
description: Number of records in the full result set. This response may be
paginated and have a smaller number of records.
type: integer
format: int32
minimum: 0
example: 123
title: ListMeta
- properties:
first:
example: https://api.confluent.cloud/byok/v1/keys
last:
example: https://api.confluent.cloud/byok/v1/keys?page_token=bcAOehAY8F16YD84Z1wT
prev:
example: https://api.confluent.cloud/byok/v1/keys?page_token=YIXRY97wWYmwzrax4dld
next:
example: https://api.confluent.cloud/byok/v1/keys?page_token=UvmDWOB1iwfAIBPj6EYb
data:
type: array
description: A data property that contains an array of resource items. Each entry
in the array is a separate resource.
items:
allOf:
- type: object
description: '`Key` objects represent customer managed keys on dedicated Confluent
Cloud clusters.
Keys are used to protect data at rest stored in your dedicated Confluent Cloud
clusters on AWS, Azure, and GCP.
This API allows you to upload and retrieve self-managed keys on Confluent
Cloud.
Related guide: [Confluent Cloud Bring Your Own Key (BYOK) Management API](https://docs.confluent.io/cloud/current/clusters/byok/index.html).
## The Keys Model
<SchemaDefinition schemaRef="#/components/schemas/byok.v1.Key" />
## Quotas and Limits
This resource is subject to the [following quotas](https://docs.confluent.io/cloud/current/quotas/overview.html):
| Quota | Description |
| --- | --- |
| `byok.max_keys.per_org` | BYOK keys in one Confluent Cloud organisation.
|'
properties:
api_version:
type: string
enum:
- byok/v1
description: APIVersion defines the schema version of this representation
of a resource.
readOnly: true
kind:
type: string
description: Kind defines the object this REST resource represents.
readOnly: true
enum:
- Key
id:
description: ID is the "natural identifier" for an object within its scope/namespace;
it is normally unique across time but not space. That is, you can assume
that the ID will not be reclaimed and reused after an object is deleted
("time"); however, it may collide with IDs for other object `kinds` or
objects of the same `kind` within a different scope/namespace ("space").
type: string
maxLength: 255
readOnly: true
example: dlz-f3a90de
metadata:
allOf:
- description: ObjectMeta is metadata that all persisted resources must
have, which includes all objects users must create.
required:
- self
properties:
self:
description: Self is a Uniform Resource Locator (URL) at which an
object can be addressed. This URL encodes the service location,
API version, and other particulars necessary to locate the resource
at a point in time
type: string
format: uri
readOnly: true
example: https://api.confluent.cloud/v2/kafka-clusters/lkc-f3a90de
resource_name:
description: Resource Name is a Uniform Resource Identifier (URI)
that is globally unique across space and time. It is represented
as a Confluent Resource Name
type: string
format: uri
readOnly: true
example: crn://confluent.cloud/kafka=lkc-f3a90de
created_at:
type: string
format: date-time
example: '2006-01-02T15:04:05-07:00'
readOnly: true
description: The date and time at which this object was created. It
is represented in RFC3339 format and is in UTC.
updated_at:
type: string
format: date-time
example: '2006-01-02T15:04:05-07:00'
readOnly: true
description: The date and time at which this object was last updated.
It is represented in RFC3339 format and is in UTC.
deleted_at:
type: string
format: date-time
example: '2006-01-02T15:04:05-07:00'
readOnly: true
description: The date and time at which this object was (or will be)
deleted. It is represented in RFC3339 format and is in UTC.
readOnly: true
title: ObjectMeta
- properties:
self:
example: https://api.confluent.cloud/byok/v1/keys/cck-12345
resource_name:
example: crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/key=cck-12345
key:
type: object
description: 'The cloud-specific key details.
For AWS, provide the corresponding `key_arn`.
For Azure, provide the corresponding `key_id`.
For GCP, provide the corresponding `key_id`.
'
discriminator:
propertyName: kind
mapping:
AwsKey:
type: object
description: 'The AWS BYOK details
'
properties:
key_arn:
description: 'The Amazon Resource Name (ARN) of an AWS KMS key.
'
type: string
example: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
x-immutable: true
roles:
description: 'The Amazon Resource Names (ARNs) of IAM Roles created
for this key-environment combination.
'
type: array
items:
type: string
readOnly: true
example:
- arn:aws:iam::123456789876:role/block_storage_manager
- arn:aws:iam::987654321234:role/cc-kafka-1111aaaa-11aa-11aa-11aa-111111aaaaaa
kind:
description: 'BYOK kind type.
'
type: string
enum:
- AwsKey
x-immutable: true
required:
- key_arn
- kind
title: byok.v1.AwsKey
AzureKey:
type: object
description: 'The Azure BYOK details.
'
properties:
application_id:
description: 'The Application ID created for this key-environment
combination.
'
type: string
readOnly: true
key_id:
description: 'The unique Key Object Identifier URL without version
of an Azure Key Vault key.
'
type: string
example: https://vault-name.vault.azure.net/keys/key-name
x-immutable: true
key_vault_id:
description: 'Key Vault ID containing the key
'
type: string
example: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourcegroup-name/providers/Microsoft.KeyVault/vaults/vault-name
x-immutable: true
kind:
description: 'BYOK kind type.
'
type: string
enum:
- AzureKey
x-immutable: true
tenant_id:
description: 'Tenant ID (uuid) hosting the Key Vault containing
the key
'
type: string
example: 00000000-0000-0000-0000-000000000000
x-immutable: true
required:
- key_id
- key_vault_id
- kind
- tenant_id
title: byok.v1.AzureKey
GcpKey:
type: object
description: 'The GCP BYOK details
'
properties:
key_id:
description: 'The Google Cloud Platform key ID.
'
type: string
example: projects/exampleproject/locations/us-central1/keyRings/testkeyring/cryptoKeys/testbyokkey/cryptoKeyVersions/3
x-immutable: true
security_group:
description: 'The Google security group created for this key.
'
type: string
example: testgroupid@domain.com
readOnly: true
kind:
description: 'BYOK kind type.
'
type: string
enum:
- GcpKey
x-immutable: true
required:
- key_id
- kind
title: byok.v1.GcpKey
oneOf:
- type: object
description: 'The AWS BYOK details
'
properties:
key_arn:
description: 'The Amazon Resource Name (ARN) of an AWS KMS key.
'
type: string
example: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
x-immutable: true
roles:
description: 'The Amazon Resource Names (ARNs) of IAM Roles created
for this key-environment combination.
'
type: array
items:
type: string
readOnly: true
example:
- arn:aws:iam::123456789876:role/block_storage_manager
- arn:aws:iam::987654321234:role/cc-kafka-1111aaaa-11aa-11aa-11aa-111111aaaaaa
kind:
description: 'BYOK kind type.
'
type: string
enum:
- AwsKey
x-immutable: true
required:
- key_arn
- kind
title: byok.v1.AwsKey
- type: object
description: 'The Azure BYOK details.
'
properties:
application_id:
description: 'The Application ID created for this key-environment
combination.
'
type: string
readOnly: true
key_id:
description: 'The unique Key Object Identifier URL without version
of an Azure Key Vault key.
'
type: string
example: https://vault-name.vault.azure.net/keys/key-name
x-immutable: true
key_vault_id:
description: 'Key Vault ID containing the key
'
type: string
example: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourcegroup-name/providers/Microsoft.KeyVault/vaults/vault-name
x-immutable: true
kind:
description: 'BYOK kind type.
'
type: string
enum:
- AzureKey
x-immutable: true
tenant_id:
description: 'Tenant ID (uuid) hosting the Key Vault containing the
key
'
type: string
example: 00000000-0000-0000-0000-000000000000
x-immutable: true
required:
- key_id
- key_vault_id
- kind
- tenant_id
title: byok.v1.AzureKey
- type: object
description: 'The GCP BYOK details
'
properties:
key_id:
description: 'The Google Cloud Platform key ID.
'
type: string
example: projects/exampleproject/locations/us-central1/keyRings/testkeyring/cryptoKeys/testbyokkey/cryptoKeyVersions/3
x-immutable: true
security_group:
description: 'The Google security group created for this key.
'
type: string
example: testgroupid@domain.com
readOnly: true
kind:
description: 'BYOK kind type.
'
type: string
enum:
- GcpKey
x-immutable: true
required:
- key_id
- kind
title: byok.v1.GcpKey
x-immutable: true
display_name:
type: string
description: 'The human-readable name of the key object.
'
example: Key for billing cluster
x-immutable: false
provider:
type: string
description: The cloud provider of the Key.
readOnly: true
example: AWS
enum:
- AWS
- Azure
- GCP
state:
type: string
description: "The state of the key:\n\n AVAILABLE: key can be used for\
\ a Kafka cluster provisioning.\n\n IN_USE: key is already in use by\
\ a Kafka cluster provisioning.\n"
readOnly: true
example: IN_USE
enum:
- AVAILABLE
- IN_USE
validation:
description: 'The validation details of the key.
'
readOnly: true
allOf:
- type: object
description: 'The validation details of the key.
'
required:
- phase
- since
properties:
phase:
type: string
description: "The validation phase of the key:\n\n INITIALIZING:\
\ Initial phase for new keys awaiting first successful validation.\n\
\n VALID: Last validation attempt succeeded.\n\n INVALID: Last\
\ validation attempt failed.\n"
example: VALID
enum:
- INITIALIZING
- VALID
- INVALID
message:
type: string
description: 'A message describing validation events.
'
example: Access to key denied.
since:
type: string
format: date-time
description: 'The timestamp since which the key is in the current
validation phase.
Changes to the validation message or phase will update this timestamp.
'
example: '2024-03-20T15:30:00Z'
region:
type: string
description: 'The cloud region where the key is deployed. This value
is computed by the
API after the key is successfully validated.
'
example: us-west-2
readOnly: true
title: byok.v1.KeyValidation
title: byok.v1.Key
- type: object
required:
- id
- metadata
- key
- provider
- state
- validation
uniqueItems: true
title: byok.v1.KeyList
headers:
X-Request-Id:
schema:
type: string
description: The unique identifier for the API request.
X-RateLimit-Limit:
schema:
type: integer
description: The maximum number of requests you're permitted to make per time period.
X-RateLimit-Remaining:
schema:
type: integer
description: The number of requests remaining in the current rate limit window.
X-RateLimit-Reset:
schema:
type: integer
description: "The relative time in seconds until the current rate-limit window resets. \
\ \n \n**Important:** This differs from GitHub and Twitter's same-named header which\
\ uses UTC epoch seconds. We use relative time to avoid client/server time synchronization\
\ issues."
'400':
description: Bad Request
headers:
X-Request-Id:
schema:
type: string
description: The unique identifier for the API request.
content:
application/json:
schema:
type: object
description: Provides information about problems encountered while performing an operation.
required:
- errors
properties:
errors:
description: List of errors which caused this operation to fail
type: array
items:
type: object
description: Describes a particular error encountered while performing an operation.
properties:
id:
description: A unique identifier for this particular occurrence of the problem.
type: string
maxLength: 255
status:
description: The HTTP status code applicable to this problem, expressed as a
string value.
type: string
code:
description: An application-specific error code, expressed as a string value.
type: string
title:
description: A short, human-readable summary of the problem. It **SHOULD NOT**
change from occurrence to occurrence of the problem, except for purposes of
localization.
type: string
detail:
description: A human-readable explanation specific to this occurrence of the
problem.
type: string
source:
type: object
description: If this error was caused by a particular part of the API request,
the source will point to the query string parameter or request body property
that caused it.
properties:
pointer:
description: A JSON Pointer [RFC6901] to the associated entity in the request
document [e.g. "/spec" for a spec object, or "/spec/title" for a specific
field].
type: string
parameter:
description: A string indicating which query parameter caused the error.
type: string
error_code:
type: integer
format: int32
message:
type: string
nullable: true
additionalProperties: false
title: Error
uniqueItems: true
title: Failure
example:
errors:
- id: ed42afdc-f0d5-4c0d-b428-9fc6ed6e279d
status: '400'
code: invalid_filter
title: Invalid Filter
detail: The 'delorean' resource can't be filtered by 'num_doors'
source:
parameter: num_doors
'401':
x-summary: Unauthorized
description: The request lacks valid authentication credentials for this resource.
headers:
X-Request-Id:
schema:
type: string
description: The unique identifier for the API request.
WWW-Authenticate:
schema:
type: string
description: The authentication challenge explaining why the supplied credentials were rejected (see the example).
example: Basic error="invalid_key", error_description="The API Key is invalid"
content:
application/json:
schema:
type: object
description: Provides information about problems encountered while performing an operation.
required:
- errors
properties:
errors:
description: List of errors which caused this operation to fail
type: array
items:
type: object
description: Describes a particular error encountered while performing an operation.
properties:
id:
description: A unique identifier for this particular occurrence of the problem.
type: string
maxLength: 255
status:
description: The HTTP status code applicable to this problem, expressed as a
string value.
type: string
code:
description: An application-specific error code, expressed as a string value.
type: string
title:
description: A short, human-readable summary of the problem. It **SHOULD NOT**
change from occurrence to occurrence of the problem, except for purposes of
localization.
type: string
detail:
description: A human-readable explanation specific to this occurrence of the
problem.
type: string
source:
type: object
description: If this error was caused by a particular part of the API request,
the source will point to the query string parameter or request body property
that caused it.
properties:
pointer:
description: A JSON Pointer [RFC6901] to the associated entity in the request
document [e.g. "/spec" for a spec object, or "/spec/title" for a specific
field].
type: string
parameter:
description: A string indicating which query parameter caused the error.
type: string
error_code:
type: integer
format: int32
message:
type: string
nullable: true
additionalProperties: false
title: Error
uniqueItems: true
title: Failure
example:
errors:
- id: ed42afdc-f0d5-4c0d-b428-9fc6ed6e279d
status: '401'
code: user_unauthenticated
title: Authentication Required
detail: Valid authentication credentials must be provided
'403':
x-summary: Forbidden
description: The access credentials were considered insufficient to grant access
headers:
X-Request-Id:
schema:
type: string
description: The unique identifier for the API request.
content:
application/json:
schema:
type: object
description: Provides information about problems encountered while performing an operation.
required:
- errors
properties:
errors:
description: List of errors which caused this operation to fail
type: array
items:
type: object
description: Describes a particular error encountered while performing an operation.
properties:
id:
description: A unique identifier for this particular occurrence of the problem.
type: string
maxLength: 255
status:
description: The HTTP status code applicable to this problem, expressed as a
string value.
type: string
code:
description: An application-specific error code, expressed as a string value.
type: string
title:
description: A short, human-readable summary of the problem. It **SHOULD NOT**
change from occurrence to occurrence of the problem, except for purposes of
localization.
type: string
detail:
description: A human-readable explanation specific to this occurrence of the
problem.
type: string
source:
type: object
description: If this error was caused by a particular part of the API request,
the source will point to the query string parameter or request body property
that caused it.
properties:
pointer:
description: A JSON Pointer [RFC6901] to the associated entity in the request
document [e.g. "/spec" for a spec object, or "/spec/title" for a specific
field].
type: string
parameter:
description: A string indicating which query parameter caused the error.
type: string
error_code:
type: integer
format: int32
message:
type: string
nullable: true
additionalProperties: false
title: Error
uniqueItems: true
title: Failure
example:
errors:
- id: ed42afdc-f0d5-4c0d-b428-9fc6ed6e279d
status: '403'
code: user_unauthorized
title: User Access Unauthorized
detail: The user 'mcfly' is not allowed to access the 'delorean' resource without the
'plutonium' role.
'429':
description: Rate Limit Exceeded
headers:
X-Request-Id:
schema:
type: string
description: The unique identifier for the API request.
X-RateLimit-Limit:
schema:
type: integer
description: The maximum number of requests you're permitted to make per time period.
X-RateLimit-Remaining:
schema:
type: integer
description: The number of requests remaining in the current rate limit window.
X-RateLimit-Reset:
schema:
type: integer
description: "The relative time in seconds until the current rate-limit window resets. \
\ \n \n**Important:** This differs from GitHub and Twitter's same-named header which\
\ uses UTC epoch seconds. We use relative time to avoid client/server time synchronization\
\ issues."
Retry-After:
schema:
type: integer
description: The number of seconds to wait until the rate limit window resets. Only sent
when the rate limit is reached.
'500':
description: Oops, something went wrong!
headers:
X-Request-Id:
schema:
type: string
description: The unique identifier for the API request.
content:
application/json:
schema:
type: object
description: Provides information about problems encountered while performing an operation.
required:
- errors
properties:
errors:
description: List of errors which caused this operation to fail
type: array
items:
type: object
description: Describes a particular error encountered while performing an operation.
properties:
id:
description: A unique identifier for this particular occurrence of the problem.
type: string
maxLength: 255
status:
description: The HTTP status code applicable to this problem, expressed as a
string value.
type: string
code:
description: An application-specific error code, expressed as a string value.
type: string
title:
description: A short, human-readable summary of the problem. It **SHOULD NOT**
change from occurrence to occurrence of the problem, except for purposes of
localization.
type: string
detail:
description: A human-readable explanation specific to this occurrence of the
problem.
type: string
source:
type: object
description: If this error was caused by a particular part of the API request,
the source will point to the query string parameter or request body property
that caused it.
properties:
pointer:
description: A JSON Pointer [RFC6901] to the associated entity in the request
document [e.g. "/spec" for a spec object, or "/spec/title" for a specific
field].
type: string
parameter:
description: A string indicating which query parameter caused the error.
type: string
error_code:
type: integer
format: int32
message:
type: string
nullable: true
additionalProperties: false
title: Error
uniqueItems: true
title: Failure
example:
errors:
- id: ed42afdc-f0d5-4c0d-b428-9fc6ed6e279d
status: '500'
code: out_of_gas
title: DeLorean Out Of Gas
detail: The DeLorean has run out of gas, but Doc Brown will fill 'er up for you asap
servers:
- url: https://api.confluent.cloud
description: Confluent Cloud API
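The Key schema in the definition above pins down what an operator can check in an inventory of BYOK keys: the provider/kind pairing (AWS/AwsKey, Azure/AzureKey, GCP/GcpKey), the immutable identifier fields (key_arn, or a versionless Azure key_id, or a GCP key resource name), the validation.phase enum with its message and since timestamp, the computed validation.region, and the AVAILABLE/IN_USE state. The Python audit below is an added example, not Confluent code; it walks a KeyList payload and reports keys that need attention. The regular expressions for identifier shapes are inferred from the schema's example values and are this example's assumption, as is the comparison between the region encoded in the identifier and validation.region, which the API does not say must agree. The sample payload is constructed from the schema's example values, with two deliberately flawed entries.

```python
"""Audit a byok/v1 KeyList for keys that need attention. Added example, not Confluent code."""
import re
from typing import Dict, List

# Identifier shapes inferred from the schema examples (assumption of this example, not an API contract).
AWS_KMS_ARN = re.compile(r"^arn:aws:kms:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):\d{12}:key/[0-9a-f-]{36}$")
AZURE_KEY_ID = re.compile(r"^https://[a-z0-9-]+\.vault\.azure\.net/keys/[^/]+$")  # no /version suffix
GCP_KEY_ID = re.compile(r"^projects/[^/]+/locations/(?P<region>[^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+"
                        r"(?:/cryptoKeyVersions/\d+)?$")
EXPECTED_KIND = {"AWS": "AwsKey", "Azure": "AzureKey", "GCP": "GcpKey"}  # from the discriminator mapping


def audit_key(key: dict) -> List[str]:
    """Return human-readable findings for one Key object; an empty list means nothing to report."""
    findings: List[str] = []
    provider, details = key.get("provider"), key.get("key", {})
    if details.get("kind") != EXPECTED_KIND.get(provider):
        findings.append(f"key.kind {details.get('kind')!r} disagrees with provider {provider!r}")
    id_region = None
    if provider == "AWS":
        m = AWS_KMS_ARN.match(details.get("key_arn", ""))
        if m:
            id_region = m["region"]
        else:
            findings.append("key_arn is not a KMS key ARN")
    elif provider == "Azure":
        if not AZURE_KEY_ID.match(details.get("key_id", "")):
            findings.append("key_id must be the versionless Key Vault key URL")
    elif provider == "GCP":
        m = GCP_KEY_ID.match(details.get("key_id", ""))
        if m:
            id_region = m["region"]
        else:
            findings.append("key_id is not a Cloud KMS key resource name")
    validation = key.get("validation", {})
    phase = validation.get("phase")
    if phase == "INVALID":
        findings.append(f"validation INVALID since {validation.get('since')}: {validation.get('message')}")
    elif phase == "INITIALIZING":
        findings.append("never passed validation")
    # Assumption (not stated by the API): the region in the identifier should match the
    # region the service computed after validation.
    if id_region and validation.get("region") and id_region != validation["region"]:
        findings.append(f"identifier region {id_region} != validation.region {validation['region']}")
    if key.get("state") == "AVAILABLE":
        findings.append("registered but not used by any cluster")
    return findings


def audit_key_list(payload: dict) -> Dict[str, List[str]]:
    """Map key id -> findings for every entry of a KeyList response, keeping only keys with findings."""
    if payload.get("kind") != "KeyList":
        raise ValueError("expected a byok/v1 KeyList")
    return {k["id"]: f for k in payload["data"] if (f := audit_key(k))}


SAMPLE_KEY_LIST = {  # constructed from the schema's example values; entries 2 and 3 are deliberately flawed
    "api_version": "byok/v1", "kind": "KeyList",
    "metadata": {"first": "https://api.confluent.cloud/byok/v1/keys", "next": None, "total_size": 3},
    "data": [
        {"api_version": "byok/v1", "kind": "Key", "id": "cck-12345", "provider": "AWS", "state": "IN_USE",
         "display_name": "Key for billing cluster",
         "key": {"kind": "AwsKey",
                 "key_arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                 "roles": ["arn:aws:iam::123456789876:role/block_storage_manager"]},
         "validation": {"phase": "VALID", "since": "2024-03-20T15:30:00Z", "region": "us-west-2"}},
        {"api_version": "byok/v1", "kind": "Key", "id": "cck-23456", "provider": "Azure", "state": "AVAILABLE",
         "key": {"kind": "AzureKey", "key_id": "https://vault-name.vault.azure.net/keys/key-name/abc123",
                 "key_vault_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                                 "resourcegroup-name/providers/Microsoft.KeyVault/vaults/vault-name",
                 "tenant_id": "00000000-0000-0000-0000-000000000000"},
         "validation": {"phase": "INVALID", "since": "2024-03-21T09:00:00Z", "message": "Access to key denied."}},
        {"api_version": "byok/v1", "kind": "Key", "id": "cck-34567", "provider": "GCP", "state": "IN_USE",
         "key": {"kind": "AwsKey", "key_id": "projects/exampleproject/locations/us-central1/keyRings/"
                                             "testkeyring/cryptoKeys/testbyokkey/cryptoKeyVersions/3"},
         "validation": {"phase": "VALID", "since": "2024-03-20T15:30:00Z", "region": "us-east1"}},
    ],
}

if __name__ == "__main__":
    for key_id, findings in audit_key_list(SAMPLE_KEY_LIST).items():
        print(key_id, *findings, sep="\n  ")
```

An INVALID phase is the finding to act on first: the message field (for example "Access to key denied.") usually points at a revoked KMS grant, Key Vault access policy or IAM binding, and the since timestamp bounds how long clusters have been unable to reach the key.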