How to get started with the Amazon KMS connector and Qlik's Encryption API using Qlik Automate

MarkGeurtsen — Wed, 28 May 2025 12:12:22 GMT

This article explains how the Amazon KMS connector in Qlik Automate and the Encryption API of Qlik Cloud can be used together to manage operations such as key rotations.

This article makes use of the Qlik Cloud connector, however the same actions can be performed with the Qlik Platform Ops connector for OEM use cases.

Table of Contents:

Authentication

AWS Setup

Authentication to Amazon KMS happens through an IAM user. The steps below outline how to create the IAM user, have the correct policy assigned and make a connection in Automations.

Open the AWS console
Navigate to Identity and Access Management (IAM)
Click Create Policy
In the Policy editor, switch to JSON view
Copy in the following JSON document:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "kms:EnableKey", "kms:UntagResource", "kms:PutKeyPolicy", "kms:GetKeyPolicy", "kms:CancelKeyDeletion", "kms:ListResourceTags", "kms:DisableKey", "kms:UpdateAlias", "kms:ListKeys", "kms:TagResource", "kms:ListAliases", "kms:CreateAlias", "kms:DescribeKey", "kms:CreateKey", "kms:DeleteAlias", "kms:scheduleKeyDeletion" ], "Resource": "*" } ] }

Example:
On the review policy page, add a name and a description for the policy. In the example, the name is set to qlik-byok:
After creating the policy, navigate to the Users page in IAM
Click Add Users
Specify a name for the user.

There is no need to provide the user access to the AWS console.
Assign the previously generated permission policy to the user on the Set Permissions Page:
Review your user settings in the Review and Create page
Click Create user
Back on the Users page, click on the user that you just created
Navigate to the Security Credentials tab
Click Create Access Key and then navigate to the Security Credentials tab and click Create Access Key:
For Use Case click Third-party service and follow the recommendations. A description tag is optional.
Click Create Access Key
Copy the Access Key and Secret Access Key values.

Store them safely. The Secret Access Key will only be shown once. See Access key best practices onscreen.

Qlik Cloud

Open Qlik Cloud
Navigate to My Automations
Switch to the Connections tab
Click Add new connection
Search for Amazon KMS and click Add
Provide the access key and secret access key and specify the AWS region in which your KMS is located

Available blocks

The Amazon KMS connector has the following blocks available:

Add Tag to Key
Cancel Key Deletion
Create Alias
Create Key
Delete Alias
Delete Tag from Key
Describe Key
Disable Key
Enable Key
List Aliases
List Keys
List Tags from Keys
Put Key Policy
Schedule Key Deletion
Update Alias

The Qlik Cloud and Qlik Platform Ops connector have the following blocks to make use of the Encryption API:

List Key Providers
Validate Key Provider
Create Key Provider
Get Key Provider by Fingerprint
Trigger Migration to Key Provider
Get Ongoing Key Provider Migration Details
Reset a Migration to Qlik Provider

Building an automation to encrypt a tenant with a customer-managed key

Now that there's a connection to Amazon KMS, we can configure an automation which generates a new key and sets this key to be the key provider in Qlik Cloud for the entire tenant. Then re-encrypt the whole tenant with the new provided key. Instructions below on how to build this with an Automation:

First, validate which key is currently being used.

Navigate to https://{tenant_name}.{region}.qlikcloud.com/console/settings/KMS-providers.

If this is your first time adding a Customer Managed Key, you should see that the tenant is making use of a Qlik-provided key:
Change to the Automations console using the icon in the top right and click on My Automations
Click on Create Automation in the top right
Choose the Blank Automation template
Provide a name for the automation and an optional description
Click Save
In the Automation editor, use the left panel to search for the Amazon KMS connector
Locate the Create Key block and drag it into the canvas on the right
Do the same for the Put Key Policy block and drag this underneath the Create Key block.
Click on the Put Key Policy block and provide a key ID in the inputs panel.

You can make use of the example values from the Create Key block.

To do so:
1. click on the Key ID input
2. Choose Output from Create Key
3. Find the KeyId field
For the Key Policy input field, use the toggle for Raw Input and provide the following JSON document. Modify the values for {account_id} to your AWS account ID and the {tenant_id} to your Qlik Cloud tenant Id. You can use Automations to obtain your tenant ID through the Get Tenant Info block of the Qlik Cloud connector.

{ "Version": "2012-10-17", "Id": "key-consolepolicy-3", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::{acoount_id}:root" }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Enable KMS Key policy for proxy account", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::338144066592:role/byok-encryption-proxy-role", "arn:aws:iam::338144066592:role/byok-automations-proxy-role", "arn:aws:iam::634246602378:role/byok-encryption-proxy-role", "arn:aws:iam::634246602378:role/byok-automations-proxy-role" ] }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:TenantId": "{tenant_id}" } } } ] }
Use the blocks panel to open the Qlik Cloud connector and drag the Create Key Provider block on the canvas. Configure this block with the ARN obtained from the Create Key block, provide a name and set the type to AWS-KMS.
From the Qlik Cloud connector, drag both the Validate Key Provider and Trigger Migration to Key Provider blocks on the canvas. Configure the inputs for Key ID just like for the earlier blocks. You should have the following automation: