gcloud alpha storage service-agent - manage a project's Cloud Storage service agent, which is used to perform Cloud KMS operations
gcloud alpha storage service-agent [--authorize-cmek=AUTHORIZE_CMEK] [GCLOUD_WIDE_FLAG ...]
(ALPHA) gcloud alpha storage service-agent displays the Cloud Storage service agent, which is used to perform Cloud KMS operations against your a default or supplied project. If the project does not yet have a service agent, gcloud alpha storage service-agent creates one.
To show the service agent for your default project:
$ gcloud alpha storage service-agent
To show the service account for my-project:
$ gcloud alpha storage service-agent --project=my-project
To authorize your default project to use a Cloud KMS key:
$ gcloud alpha storage service-agent \ --authorize-cmek=projects/key-project/locations/us-east1/\ keyRings/key-ring/cryptoKeys/my-key
- --authorize-cmek=AUTHORIZE_CMEK
Adds appropriate encrypt/decrypt permissions to the specified Cloud KMS key. This allows the Cloud Storage service agent to write and read Cloud KMS-encrypted objects in buckets associated with the service agent's project.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. This variant is also available:
$ gcloud storage service-agent