Supported AWS CloudHSM service names and types for quorum authentication with CloudHSM CLI - AWS CloudHSM

Admin Services: Quorum authentication is used for admin privileged services like creating users, deleting users, changing user passwords, setting quorum values, and deactivating quorum and MFA capabilities.

Crypto User Services: Quorum authentication is used for crypto-user privileged services associated with a specific key like signing with a key, sharing/unsharing a key, wrapping/unwrapping a key, and setting a key's attribute. The quorum value of an associated key is configured when the key is generated, imported, or unwrapped. The quorum value must be equal to or less than the number of users that the key is associated with, which includes users that the key is shared with and the key owner.

Each service type is further broken down into a qualifying service name, which contains a specific set of quorum supported service operations that can be performed.

| Service name | Service type | Service operations |
|---|---|---|
| user | Admin | user create; user delete; user change-password; user change-mfa |
| quorum | Admin | quorum token-sign set-quorum-value |
| cluster [1] | Admin | cluster mtls register-trust-anchor; cluster mtls deregister-trust-anchor; cluster mtls set-enforcement |
| key-management | Crypto User | key wrap; key unwrap; key share; key unshare; key set-attribute |
| key-usage | Crypto User | key sign |

[1] Cluster service is exclusively available on hsm2m.medium
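The following is an added illustration, not AWS code and not the CloudHSM CLI: it models the two rules this page states, the mapping from a service operation to its service name and type (transcribed from the table above), and the constraint that a key's quorum value may not exceed the number of users associated with the key (owner plus users the key is shared with). The `Key` class, the user names, and the approval-counting logic are constructed assumptions for the model; they show how a reviewer would check that a requested quorum value is satisfiable and that enough distinct, associated users have approved a key-bound operation.

```python
"""Local model of the CloudHSM quorum rules described on this page.

Added illustration, not AWS code: the service table and the quorum-value
constraint come from the page; everything else (Key, user names, approval
counting) is a constructed model, not the CloudHSM CLI or API.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Service operation -> (service name, service type), transcribed from the page's table.
SERVICE_TABLE: dict[str, tuple[str, str]] = {
    "user create": ("user", "Admin"),
    "user delete": ("user", "Admin"),
    "user change-password": ("user", "Admin"),
    "user change-mfa": ("user", "Admin"),
    "quorum token-sign set-quorum-value": ("quorum", "Admin"),
    "cluster mtls register-trust-anchor": ("cluster", "Admin"),
    "cluster mtls deregister-trust-anchor": ("cluster", "Admin"),
    "cluster mtls set-enforcement": ("cluster", "Admin"),
    "key wrap": ("key-management", "Crypto User"),
    "key unwrap": ("key-management", "Crypto User"),
    "key share": ("key-management", "Crypto User"),
    "key unshare": ("key-management", "Crypto User"),
    "key set-attribute": ("key-management", "Crypto User"),
    "key sign": ("key-usage", "Crypto User"),
}


def is_quorum_controlled(operation: str) -> bool:
    """True if the operation appears in the page's table of quorum-supported operations."""
    return operation in SERVICE_TABLE


def lookup_service(operation: str) -> tuple[str, str]:
    """Return (service name, service type) for an operation, or raise if it is not quorum-controlled."""
    if not is_quorum_controlled(operation):
        raise ValueError(f"{operation!r} is not a quorum-supported service operation")
    return SERVICE_TABLE[operation]


@dataclass
class Key:
    """Constructed model of a key: an owner, the users it is shared with, and a quorum value."""
    label: str
    owner: str
    shared_with: set[str] = field(default_factory=set)
    quorum_value: int = 0  # 0 in this model means no quorum is required for the key

    @property
    def associated_users(self) -> set[str]:
        """The page's notion of associated users: the owner plus everyone the key is shared with."""
        return {self.owner} | self.shared_with


def quorum_value_allowed(key: Key, quorum_value: int) -> bool:
    """The page's rule: the quorum value must be <= the number of users associated with the key."""
    return 0 <= quorum_value <= len(key.associated_users)


def set_key_quorum(key: Key, quorum_value: int) -> Key:
    """Apply a quorum value to the key, rejecting values that no set of approvers could ever satisfy."""
    if not quorum_value_allowed(key, quorum_value):
        raise ValueError(
            f"quorum value {quorum_value} is not allowed for key {key.label!r} with "
            f"{len(key.associated_users)} associated user(s)"
        )
    key.quorum_value = quorum_value
    return key


def approvals_satisfy_quorum(key: Key, operation: str, approvers: list[str]) -> bool:
    """Decide whether a key-bound (Crypto User) operation has enough approvals.

    Only users associated with the key count, and a user who approves twice
    counts once; both are modelling assumptions, chosen so that an approval
    list cannot be padded by repeats or by users with no access to the key.
    Admin services are not tied to a key and are rejected here.
    """
    _service_name, service_type = lookup_service(operation)
    if service_type != "Crypto User":
        raise ValueError(f"{operation!r} is an {service_type} service and is not bound to a key")
    distinct_valid_approvers = set(approvers) & key.associated_users
    return len(distinct_valid_approvers) >= key.quorum_value
```

Usage, on constructed names: a key owned by `cu1` and shared with `cu2` and `cu3` has three associated users, so a quorum value of 2 is accepted and 4 is refused; `key sign` approved by `cu1` and `cu2` passes, while `cu1` approving twice or an unassociated user approving does not.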