Skip to main content

Key mappings

important

Before leveraging Key Mappings make sure to migrate your existing KAS Grants.

important

v0.5.0 of the SDK will prefer key mappings over grants. Meaning if a key mapping shows up for an attribute the SDK will use the mapping and not the grant. You should migrate all grants over to mappings in one sitting

important

As of v0.7.0 of the OpenTDF platform, grants can no longer be assigned.

Key mappings are now the replacement for key access server grants. The idea for mapping a key to an attribute definition/value/namespace is the same as grants, except now we separate the keys from key access servers. Previously an admin was expected to add a key directly to the KeyAccessServer object, as either remote or cached, and then assign a key access server to an attribute. That process is known as a grant. Now users should create a key, and assign that key to an attribute.

How do I create a key mapping

note

The following example only shows how to create a mapping for attribute definitions, you can also create mappings for namespaces and attribute values.

  1. First you will need to create a key access server

OpenTDF CLI

otdfctl policy kas-registry create --uri http://example.com/kas --name example-kas
  1. Next, you will need to create a key

OpenTDF CLI

otdfctl key create --key-id "rsa-key-1" --algorithm "rsa:2048" --mode "local" --kas "891cfe85-b381-4f85-9699-5f7dbfe2a9ab" --wrapping-key-id "virtru-stored-key" --wrapping-key "a8c4824daafcfa38ed0d13002e92b08720e6c4fcee67d52e954c1a6e045907d1"
  1. create a namespace

OpenTDF CLI

otdfctl policy attributes namespaces create --name opentdf.io
  1. create an attribute

OpenTDF CLI

otdfctl policy attributes create --namespace 3d25d33e-2469-4990-a9ed-fdd13ce74436 --name myattribute --rule ANY_OF
  1. assign a key to an attribute

OpenTDF CLI

otdfctl policy attributes key assign --attribute 3d25d33e-2469-4990-a9ed-fdd13ce74436 --key-id 8f7e6d5c-4b3a-2d1e-9f8d-7c6b5a432f1d

Now you have successfully created a key mapping.