gcloud kms keys update - update a key
gcloud kms keys update (KEY : --keyring=KEYRING --location=LOCATION) [--default-algorithm=DEFAULT_ALGORITHM] [--next-rotation-time=NEXT_ROTATION_TIME] [--primary-version=PRIMARY_VERSION] [--remove-rotation-schedule] [--rotation-period=ROTATION_PERIOD] [--update-labels=[KEY=VALUE,...]] [--clear-labels | --remove-labels=[KEY,...]] [GCLOUD_WIDE_FLAG ...]
1. Update the rotation schedule for the given key.
Updates the rotation schedule for the given key. The schedule automatically creates a new primary version for the key according to next-rotation-time and rotation-period flags.
Flag next-rotation-time must be in ISO 8601 or RFC3339 format, and rotation-period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).
Key rotations performed manually via update-primary-version and the version create do not affect the stored next-rotation-time.
2. Remove the rotation schedule for the given key with remove-rotation-schedule flag.
3. Update/Remove the labels for the given key with update-labels and/or remove-labels flags.
4. Update the primary version for the given key with primary-version flag.
The following command sets a 30 day rotation period for the key named frodo within the keyring fellowship and location global starting at the specified time:
$ gcloud kms keys update frodo --location=global \
    --keyring=fellowship --rotation-period=30d \
    --next-rotation-time=2017-10-12T12:34:56.1234Z
The following command removes the rotation schedule for the key named frodo within the keyring fellowship and location global:
$ gcloud kms keys update frodo --location=global \
    --keyring=fellowship --remove-rotation-schedule
The following command updates the labels value for the key named frodo within the keyring fellowship and location global. If the label key does not exist at the time, it will be added:
$ gcloud kms keys update frodo --location=global \
    --keyring=fellowship --update-labels=k1=v1
The following command removes labels k1 and k2 from the key named frodo within the keyring fellowship and location global:
$ gcloud kms keys update frodo --location=global \
    --keyring=fellowship --remove-labels=k1,k2
The following command updates the primary version for the key named frodo within the keyring fellowship and location global:
$ gcloud kms keys update frodo --location=global \
    --keyring=fellowship --primary-version=1
The following command updates the default algorithm for the key named frodo within the keyring fellowship and location global, assuming the key originally has purpose 'asymmetric-encryption' and algorithm 'rsa-decrypt-oaep-2048-sha256':
$ gcloud kms keys update frodo --location=global \
    --keyring=fellowship \
    --default-algorithm=rsa-decrypt-oaep-4096-sha256
- Key resource - The KMS key resource. The arguments in this group can be used to specify the attributes of this resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways. To set the project attribute:
  - provide the argument key on the command line with a fully specified name;
  - set the property core/project.
This must be specified.
- KEY
ID of the key or fully qualified identifier for the key. To set the key attribute:
provide the argument key on the command line.
This positional argument must be specified if any of the other arguments in this group are specified.
- --keyring=KEYRING
The KMS keyring of the key. To set the keyring attribute:
  - provide the argument key on the command line with a fully specified name;
  - provide the argument --keyring on the command line.
- --location=LOCATION
The Cloud location for the key. To set the location attribute:
  - provide the argument key on the command line with a fully specified name;
  - provide the argument --location on the command line.
- --default-algorithm=DEFAULT_ALGORITHM
The default algorithm for the crypto key. For more information about choosing an algorithm, see https://cloud.google.com/kms/docs/algorithms. DEFAULT_ALGORITHM must be one of: ec-sign-p256-sha256, ec-sign-p384-sha384, ec-sign-secp256k1-sha256, external-symmetric-encryption, google-symmetric-encryption, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, hmac-sha512, rsa-decrypt-oaep-2048-sha1, rsa-decrypt-oaep-2048-sha256, rsa-decrypt-oaep-3072-sha1, rsa-decrypt-oaep-3072-sha256, rsa-decrypt-oaep-4096-sha1, rsa-decrypt-oaep-4096-sha256, rsa-decrypt-oaep-4096-sha512, rsa-sign-pkcs1-2048-sha256, rsa-sign-pkcs1-3072-sha256, rsa-sign-pkcs1-4096-sha256, rsa-sign-pkcs1-4096-sha512, rsa-sign-pss-2048-sha256, rsa-sign-pss-3072-sha256, rsa-sign-pss-4096-sha256, rsa-sign-pss-4096-sha512, rsa-sign-raw-pkcs1-2048, rsa-sign-raw-pkcs1-3072, rsa-sign-raw-pkcs1-4096.
- --next-rotation-time=NEXT_ROTATION_TIME
Next automatic rotation time of the key. See $ gcloud topic datetimes for information on time formats.
- --primary-version=PRIMARY_VERSION
Primary version to make primary.
- --remove-rotation-schedule
Remove any existing rotation schedule on the key.
- --rotation-period=ROTATION_PERIOD
Automatic rotation period of the key. See $ gcloud topic datetimes for information on duration formats.
- --update-labels=[KEY=VALUE,...]
List of label KEY=VALUE pairs to update. If a label exists, its value is modified. Otherwise, a new label is created.
Keys must start with a lowercase character and contain only hyphens (-), underscores (_), lowercase characters, and numbers. Values must contain only hyphens (-), underscores (_), lowercase characters, and numbers.
- At most one of these can be specified:
- --clear-labels
Remove all labels. If --update-labels is also specified then --clear-labels is applied first.
For example, to remove all labels:
$ gcloud kms keys update --clear-labels
To remove all existing labels and create two new labels, foo and baz:
$ gcloud kms keys update --clear-labels \
    --update-labels foo=bar,baz=qux
- --remove-labels=[KEY,...]
List of label keys to remove. If a label does not exist it is silently ignored. If --update-labels is also specified then --update-labels is applied first.
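As an added example (not part of the gcloud reference), the shell functions below check a --rotation-period value against the INTEGER[UNIT] form and a --update-labels value against the label rules stated above, before the update command is run. The 90-day ceiling, the ASCII-only reading of "lowercase characters", the treatment of a bare integer as seconds, and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the gcloud docs): validate arguments before
# calling `gcloud kms keys update`.
LC_ALL=C; export LC_ALL              # make [a-z] mean ASCII lowercase only
MAX_ROTATION_SECONDS=$((90 * 86400)) # hypothetical policy ceiling: 90 days

# Print INTEGER[UNIT] (s, m, h, d) as seconds; fail on anything else.
# Assumption: a bare integer means seconds.
rotation_period_seconds() {
  n=${1%[smhd]}; unit=${1#"$n"}
  case $n in ''|*[!0-9]*|0?*) return 1 ;; esac  # digits only, no octal-looking 030
  case $unit in
    ''|s) mult=1 ;; m) mult=60 ;; h) mult=3600 ;; d) mult=86400 ;;
    *) return 1 ;;
  esac
  echo $((n * mult))
}

# Label rules as stated in the --update-labels description (ASCII subset assumed).
valid_label_key() {
  case $1 in [a-z]*) ;; *) return 1 ;; esac     # must start with a lowercase letter
  case $1 in *[!a-z0-9_-]*) return 1 ;; esac    # no characters outside the allowed set
}
valid_label_value() {
  case $1 in *[!a-z0-9_-]*) return 1 ;; esac
}

# Check a --update-labels value such as "k1=v1,team=sec".
check_update_labels() {
  case $1 in ''|,*|*,) return 1 ;; esac         # empty, leading or trailing comma
  rest=$1
  while [ -n "$rest" ]; do
    pair=${rest%%,*}
    case $rest in *,*) rest=${rest#*,} ;; *) rest= ;; esac
    case $pair in *=*) ;; *) return 1 ;; esac   # every item must be KEY=VALUE
    valid_label_key "${pair%%=*}" && valid_label_value "${pair#*=}" || return 1
  done
}

# Usage: update_rotation KEY KEYRING LOCATION PERIOD
# Refuses malformed or over-policy periods before gcloud is ever invoked.
update_rotation() {
  secs=$(rotation_period_seconds "$4") || { echo "bad period: $4" >&2; return 1; }
  [ "$secs" -gt 0 ] && [ "$secs" -le "$MAX_ROTATION_SECONDS" ] ||
    { echo "period $4 outside policy" >&2; return 1; }
  gcloud kms keys update "$1" --keyring="$2" --location="$3" --rotation-period="$4"
}
```

Sourcing this file in a CI job and calling update_rotation in place of the raw command keeps a mistyped unit or an over-long period from reaching the key's rotation schedule.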
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
These variants are also available:
$ gcloud alpha kms keys update
$ gcloud beta kms keys update