man-page

GCLOUD_SECRETS_REPLICATION_UPDATE(1)
GCLOUD_SECRETS_REPLICATION_UPDATE(1)

NAME

gcloud secrets replication update - update a secret replica's metadata

SYNOPSIS

gcloud secrets replication update SECRET [--remove-cmek | --location=REPLICA-LOCATION --set-kms-key=SET-KMS-KEY] [GCLOUD_WIDE_FLAG ...]

DESCRIPTION

Update a secret replica's metadata (e.g. cmek policy). This command will return an error if given a secret that does not exist or if given a location that the given secret doesn't exist in.

The --remove-kms-key flag is only valid for Secrets that have an automatic replication policy or exist in a single location. To remove keys from a Secret with multiple user managed replicas, please use the set-replication command.

EXAMPLES

To remove CMEK from a secret called 'my-secret', run:

$ gcloud secrets replication update my-secret --remove-cmek

To set the CMEK key on an automatic secret called my-secret to a specified KMS key, run:

$gcloud secrets replication update my-secret --set-kms-key=projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key

To set the CMEK key on a secret called my-secret to a specified KMS key in a specified location in its replication, run:

$gcloud secrets replication update my-secret --set-kms-key=projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key --location=us-central1

POSITIONAL ARGUMENTS

Secret resource - The secret to update. This represents a Cloud resource.

(NOTE) Some attributes are not given arguments in this group but can be set in other ways. To set the project attribute:

—

provide the argument SECRET on the command line with a fully specified name;

—

provide the argument --project on the command line;

—

set the property core/project.

This must be specified.

SECRET

ID of the secret or fully qualified identifier for the secret. To set the secret attribute:

provide the argument SECRET on the command line.

FLAGS

Replication update.

At most one of these can be specified:

--remove-cmek

Remove customer managed encryption key so that future versions will be encrypted by a Google managed encryption key.

CMEK Update.

--location=REPLICA-LOCATION

Location of replica to update. For secrets with automatic replication policies, this can be omitted.

--set-kms-key=SET-KMS-KEY

New KMS key with which to encrypt and decrypt future secret versions.

GCLOUD WIDE FLAGS

These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES

This variant is also available:

$ gcloud beta secrets replication update