gcloud alpha kms keys set-iam-policy - set the IAM policy for a key
gcloud alpha kms keys set-iam-policy (KEY : --keyring=KEYRING --location=LOCATION) POLICY_FILE [GCLOUD_WIDE_FLAG ...]
(ALPHA) Sets the IAM policy for the given key as defined in a JSON or YAML file.
See https://cloud.google.com/iam/docs/managing-policies for details of the policy file format and contents.
The following command will read am IAM policy defined in a JSON file 'policy.json' and set it for the key frodo with the keyring fellowship and location global:
$ gcloud alpha kms keys set-iam-policy frodo policy.json \ --keyring fellowship --location global
See https://cloud.google.com/iam/docs/managing-policies for details of the policy file format and contents.
- Key resource - The key whose IAM policy to update. The arguments in this group
can be used to specify the attributes of this resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways. To set the project attribute:
- —
provide the argument key on the command line with a fully specified name;
- —
provide the argument --project on the command line;
- —
set the property core/project.
This must be specified.
- KEY
ID of the key or fully qualified identifier for the key. To set the key attribute:
provide the argument key on the command line.
This positional argument must be specified if any of the other arguments in this group are specified.
- --keyring=KEYRING
The containing keyring. To set the keyring attribute:
provide the argument key on the command line with a fully specified name;
provide the argument --keyring on the command line.
- --location=LOCATION
The location of the resource. To set the location attribute:
provide the argument key on the command line with a fully specified name;
provide the argument --location on the command line.
- POLICY_FILE
Path to a local JSON or YAML formatted file containing a valid policy.
The output of the get-iam-policy command is a valid file, as is any JSON or YAML file conforming to the structure of a Policy https://cloud.google.com/iam/reference/rest/v1/Policy.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
This command uses the cloudkms/v1 API. The full documentation for this API can be found at: https://cloud.google.com/kms/
This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. These variants are also available:
$ gcloud kms keys set-iam-policy
$ gcloud beta kms keys set-iam-policy