gcloud secrets replication update - update a secret replica's metadata
gcloud secrets replication update SECRET [--remove-cmek | --location=REPLICA-LOCATION --set-kms-key=SET-KMS-KEY] [GCLOUD_WIDE_FLAG ...]
Update a secret replica's metadata (e.g. CMEK policy). This command will return an error if given a secret that does not exist or if given a location that the given secret doesn't exist in.
The --remove-cmek flag is only valid for Secrets that have an automatic replication policy or exist in a single location. To remove keys from a Secret with multiple user managed replicas, please use the set-replication command.
To remove CMEK from a secret called 'my-secret', run:
$ gcloud secrets replication update my-secret --remove-cmek
To set the CMEK key on an automatic secret called my-secret to a specified KMS key, run:
$ gcloud secrets replication update my-secret --set-kms-key=projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key
To set the CMEK key on a secret called my-secret to a specified KMS key in a specified location in its replication, run:
$ gcloud secrets replication update my-secret --set-kms-key=projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key --location=us-central1
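The following pre-flight check is an added example, not part of the gcloud documentation: it validates the arguments for a CMEK update and prints the matching command line without calling gcloud. The function names and argument order are hypothetical, and the check that the key's location matches the replica (global for automatic replication) is a Secret Manager requirement that the examples above follow but do not state.

```shell
#!/bin/sh
# Added example, not part of the gcloud documentation. Function names and
# argument order are hypothetical. Nothing here calls gcloud: the script only
# validates arguments and prints the command line to run.

# Print the location segment of a full KMS key resource name
# (projects/P/locations/L/keyRings/R/cryptoKeys/K); fail on any other shape.
kms_key_location() (
  case $1 in */) return 1 ;; esac        # reject a trailing slash
  set -f; IFS=/                           # split on "/" without globbing
  set -- $1
  [ $# -eq 8 ] && [ "$1" = projects ] && [ "$3" = locations ] &&
    [ "$5" = keyRings ] && [ "$7" = cryptoKeys ] &&
    [ -n "$2" ] && [ -n "$4" ] && [ -n "$6" ] && [ -n "$8" ] || return 1
  printf '%s\n' "$4"
)

# usage: cmek_update_cmd SECRET POLICY LOCATION KMS_KEY
#   POLICY   automatic | user-managed
#   LOCATION replica location; "" for automatic replication
cmek_update_cmd() (
  secret=$1 policy=$2 location=$3 key=$4
  key_loc=$(kms_key_location "$key") || {
    echo "error: not a full KMS key resource name: $key" >&2; return 2; }
  case $policy in
    automatic) want=global; loc_flag= ;;
    user-managed)
      [ -n "$location" ] || {
        echo "error: --location is required for user-managed replicas" >&2
        return 2; }
      want=$location; loc_flag=" --location=$location" ;;
    *) echo "error: unknown replication policy: $policy" >&2; return 2 ;;
  esac
  # Secret Manager requirement (not stated on this page): the key must be in
  # the replica's location, or in "global" for automatic replication.
  [ "$key_loc" = "$want" ] || {
    echo "error: key is in '$key_loc', replica needs a key in '$want'" >&2
    return 3; }
  printf 'gcloud secrets replication update %s --set-kms-key=%s%s\n' \
    "$secret" "$key" "$loc_flag"
)

# Constructed sample input, taken from the names used in the page's examples.
KEY_US=projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key
cmek_update_cmd my-secret user-managed us-central1 "$KEY_US"
```

The printed command is not shell-quoted, so pass only secret IDs and key names that contain no whitespace or shell metacharacters.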
- Secret resource - The secret to update. This represents a Cloud resource.
(NOTE) Some attributes are not given arguments in this group but can be set in other ways. To set the project attribute:
- provide the argument SECRET on the command line with a fully specified name;
- provide the argument --project on the command line;
- set the property core/project.
This must be specified.
- SECRET
ID of the secret or fully qualified identifier for the secret. To set the secret attribute:
provide the argument SECRET on the command line.
- Replication update.
At most one of these can be specified:
- --remove-cmek
Remove customer managed encryption key so that future versions will be encrypted by a Google managed encryption key.
- CMEK Update.
- --location=REPLICA-LOCATION
Location of replica to update. For secrets with automatic replication policies, this can be omitted.
- --set-kms-key=SET-KMS-KEY
New KMS key with which to encrypt and decrypt future secret versions.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
This variant is also available:
$ gcloud beta secrets replication update