NAME

gcloud alpha kms keys update - update a key

SYNOPSIS

gcloud alpha kms keys update (KEY : --keyring=KEYRING --location=LOCATION) [--default-algorithm=DEFAULT_ALGORITHM] [--next-rotation-time=NEXT_ROTATION_TIME] [--primary-version=PRIMARY_VERSION] [--remove-rotation-schedule] [--rotation-period=ROTATION_PERIOD] [--update-labels=[KEY=VALUE,...]] [--clear-labels | --remove-labels=[KEY,...]] [GCLOUD_WIDE_FLAG ...]

DESCRIPTION

(ALPHA) 1. Update the rotation schedule for the given key.

Updates the rotation schedule for the given key. The schedule automatically creates a new primary version for the key according to next-rotation-time and rotation-period flags.

Flag next-rotation-time must be in ISO 8601 or RFC3339 format, and rotation-period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).

Key rotations performed manually via update-primary-version and the version create do not affect the stored next-rotation-time.

2. Remove the rotation schedule for the given key with remove-rotation-schedule flag.

3. Update/Remove the labels for the given key with update-labels and/or remove-labels flags.

4. Update the primary version for the given key with primary-version flag.

EXAMPLES

The following command sets a 30 day rotation period for the key named frodo within the keyring fellowship and location global starting at the specified time:

$ gcloud alpha kms keys update frodo --location=global \ --keyring=fellowship --rotation-period=30d \ --next-rotation-time=2017-10-12T12:34:56.1234Z

The following command removes the rotation schedule for the key named frodo within the keyring fellowship and location global:

$ gcloud alpha kms keys update frodo --location=global \ --keyring=fellowship --remove-rotation-schedule

The following command updates the labels value for the key named frodo within the keyring fellowship and location global. If the label key does not exist at the time, it will be added:

$ gcloud alpha kms keys update frodo --location=global \ --keyring=fellowship --update-labels=k1=v1

The following command removes labels k1 and k2 from the key named frodo within the keyring fellowship and location global:

$ gcloud alpha kms keys update frodo --location=global \ --keyring=fellowship --remove-labels=k1,k2

The following command updates the primary version for the key named frodo within the keyring fellowship and location global:

$ gcloud alpha kms keys update frodo --location=global \ --keyring=fellowship --primary-version=1

The following command updates the default algorithm for the key named frodo within the keyring fellowship and location global, assuming the key originally has purpose 'asymmetric-encryption' and algorithm 'rsa-decrypt-oaep-2048-sha256':

$ gcloud alpha kms keys update frodo --location=global \ --keyring=fellowship \ --default-algorithm=rsa-decrypt-oaep-4096-sha256

POSITIONAL ARGUMENTS

Key resource - The KMS key resource. The arguments in this group can be used to

specify the attributes of this resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways. To set the project attribute:

provide the argument key on the command line with a fully specified name;

set the property core/project.

This must be specified.

KEY

ID of the key or fully qualified identifier for the key. To set the key attribute:

  • provide the argument key on the command line.

This positional argument must be specified if any of the other arguments in this group are specified.

--keyring=KEYRING

The KMS keyring of the key. To set the keyring attribute:

  • provide the argument key on the command line with a fully specified name;

  • provide the argument --keyring on the command line.

--location=LOCATION

The Cloud location for the key. To set the location attribute:

  • provide the argument key on the command line with a fully specified name;

  • provide the argument --location on the command line.

FLAGS

--default-algorithm=DEFAULT_ALGORITHM

The default algorithm for the crypto key. For more information about choosing an algorithm, see https://cloud.google.com/kms/docs/algorithms. DEFAULT_ALGORITHM must be one of: ec-sign-p256-sha256, ec-sign-p384-sha384, ec-sign-secp256k1-sha256, external-symmetric-encryption, google-symmetric-encryption, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, hmac-sha512, rsa-decrypt-oaep-2048-sha1, rsa-decrypt-oaep-2048-sha256, rsa-decrypt-oaep-3072-sha1, rsa-decrypt-oaep-3072-sha256, rsa-decrypt-oaep-4096-sha1, rsa-decrypt-oaep-4096-sha256, rsa-decrypt-oaep-4096-sha512, rsa-sign-pkcs1-2048-sha256, rsa-sign-pkcs1-3072-sha256, rsa-sign-pkcs1-4096-sha256, rsa-sign-pkcs1-4096-sha512, rsa-sign-pss-2048-sha256, rsa-sign-pss-3072-sha256, rsa-sign-pss-4096-sha256, rsa-sign-pss-4096-sha512, rsa-sign-raw-pkcs1-2048, rsa-sign-raw-pkcs1-3072, rsa-sign-raw-pkcs1-4096.

--next-rotation-time=NEXT_ROTATION_TIME

Next automatic rotation time of the key. See $ gcloud topic datetimes for information on time formats.

--primary-version=PRIMARY_VERSION

Primary version to make primary.

--remove-rotation-schedule

Remove any existing rotation schedule on the key.

--rotation-period=ROTATION_PERIOD

Automatic rotation period of the key. See $ gcloud topic datetimes for information on duration formats.

--update-labels=[KEY=VALUE,...]

List of label KEY=VALUE pairs to update. If a label exists, its value is modified. Otherwise, a new label is created.

Keys must start with a lowercase character and contain only hyphens (-), underscores (_), lowercase characters, and numbers. Values must contain only hyphens (-), underscores (_), lowercase characters, and numbers.

At most one of these can be specified:
--clear-labels

Remove all labels. If --update-labels is also specified then --clear-labels is applied first.

For example, to remove all labels:

$ gcloud alpha kms keys update --clear-labels

To remove all existing labels and create two new labels, foo and baz:

$ gcloud alpha kms keys update --clear-labels \ --update-labels foo=bar,baz=qux

--remove-labels=[KEY,...]

List of label keys to remove. If a label does not exist it is silently ignored. If --update-labels is also specified then --update-labels is applied first.

GCLOUD WIDE FLAGS

These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES

This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. These variants are also available:

$ gcloud kms keys update

$ gcloud beta kms keys update