gcloud storage service-agent - manage a project's Cloud Storage service agent, which is used to perform Cloud KMS operations
gcloud storage service-agent [--authorize-cmek=AUTHORIZE_CMEK] [GCLOUD_WIDE_FLAG ...]
gcloud storage service-agent displays the Cloud Storage service agent, which is used to perform Cloud KMS operations against your a default or supplied project. If the project does not yet have a service agent, gcloud storage service-agent creates one.
To show the service agent for your default project:
$ gcloud storage service-agent
To show the service account for my-project:
$ gcloud storage service-agent --project=my-project
To authorize your default project to use a Cloud KMS key:
$ gcloud storage service-agent \ --authorize-cmek=projects/key-project/locations/us-east1/\ keyRings/key-ring/cryptoKeys/my-key
- --authorize-cmek=AUTHORIZE_CMEK
Adds appropriate encrypt/decrypt permissions to the specified Cloud KMS key. This allows the Cloud Storage service agent to write and read Cloud KMS-encrypted objects in buckets associated with the service agent's project.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
This variant is also available:
$ gcloud alpha storage service-agent