mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-18 14:56:05 +00:00
gcloud: Thu Jun 27 09:38:12 UTC 2024
This commit is contained in:
parent
fb3e2aa33b
commit
9cd336cae4
60 changed files with 1726 additions and 122 deletions
|
|
@ -3,7 +3,9 @@ NAME
|
|||
|
||||
SYNOPSIS
|
||||
gcloud kms keys create (KEY : --keyring=KEYRING --location=LOCATION)
|
||||
--purpose=PURPOSE [--crypto-key-backend=CRYPTO_KEY_BACKEND]
|
||||
--purpose=PURPOSE
|
||||
[--allowed-access-reasons=[ALLOWED_ACCESS_REASONS,...]]
|
||||
[--crypto-key-backend=CRYPTO_KEY_BACKEND]
|
||||
[--default-algorithm=DEFAULT_ALGORITHM]
|
||||
[--destroy-scheduled-duration=DESTROY_SCHEDULED_DURATION]
|
||||
[--import-only] [--labels=[KEY=VALUE,...]]
|
||||
|
|
@ -53,6 +55,12 @@ DESCRIPTION
|
|||
The flag --crypto-key-backend defines the resource name for the backend
|
||||
where the key resides. Required for external-vpc keys.
|
||||
|
||||
The optional flag --allowed-access-reasons defines the Key Access
|
||||
Justifications Policy for the key, and is specified as a comma separated
|
||||
list of zero or more justification codes defined in
|
||||
https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes.
|
||||
The key must be enrolled in Key Access Justifications to use this flag.
|
||||
|
||||
EXAMPLES
|
||||
The following command creates a key named frodo with protection level
|
||||
software within the keyring fellowship and location us-east1:
|
||||
|
|
@ -113,6 +121,16 @@ EXAMPLES
|
|||
--crypto-key-backend="projects/$(gcloud config get project)/
|
||||
locations/us-central1/ekmConnections/eagles"
|
||||
|
||||
The following command creates a key named arwen with protection level
|
||||
software within the keyring fellowship and location us-east1 with a Key
|
||||
Access Justifications policy that allows access reasons
|
||||
customer-initiated-access and google-initiated-system-operation:
|
||||
|
||||
$ gcloud kms keys create arwen --location=us-east1 \
|
||||
--keyring=fellowship --purpose=encryption \
|
||||
--allowed-access-reasons=customer-initiated-access,\
|
||||
google-initiated-system-operation
|
||||
|
||||
POSITIONAL ARGUMENTS
|
||||
Key resource - The KMS key resource. The arguments in this group can be
|
||||
used to specify the attributes of this resource. (NOTE) Some attributes
|
||||
|
|
@ -157,6 +175,21 @@ REQUIRED FLAGS
|
|||
raw-encryption.
|
||||
|
||||
OPTIONAL FLAGS
|
||||
--allowed-access-reasons=[ALLOWED_ACCESS_REASONS,...]
|
||||
The list of allowed Key Access Justifications access reasons on the
|
||||
key. The key must be enrolled in Key Access Justifications to configure
|
||||
this field. By default, this field is absent, and all justification
|
||||
codes are allowed. For more information about justification codes, see
|
||||
https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes.
|
||||
ALLOWED_ACCESS_REASONS must be one of:
|
||||
customer-authorized-workflow-servicing, customer-initiated-access,
|
||||
customer-initiated-support, google-initiated-review,
|
||||
google-initiated-service, google-initiated-system-operation,
|
||||
google-response-to-production-alert,
|
||||
modified-customer-initiated-access,
|
||||
modified-google-initiated-system-operation, reason-not-expected,
|
||||
reason-unspecified, third-party-data-request.
|
||||
|
||||
--crypto-key-backend=CRYPTO_KEY_BACKEND
|
||||
The resource name of the backend environment where the key material for
|
||||
all CryptoKeyVersions associated with this CryptoKey reside and where
|
||||
|
|
|
|||
|
|
@ -3,10 +3,13 @@ NAME
|
|||
|
||||
SYNOPSIS
|
||||
gcloud kms keys update (KEY : --keyring=KEYRING --location=LOCATION)
|
||||
[--allowed-access-reasons=[ALLOWED_ACCESS_REASONS,...]]
|
||||
[--default-algorithm=DEFAULT_ALGORITHM]
|
||||
[--next-rotation-time=NEXT_ROTATION_TIME]
|
||||
[--primary-version=PRIMARY_VERSION] [--remove-rotation-schedule]
|
||||
[--rotation-period=ROTATION_PERIOD] [--update-labels=[KEY=VALUE,...]]
|
||||
[--primary-version=PRIMARY_VERSION]
|
||||
[--remove-key-access-justifications-policy]
|
||||
[--remove-rotation-schedule] [--rotation-period=ROTATION_PERIOD]
|
||||
[--update-labels=[KEY=VALUE,...]]
|
||||
[--clear-labels | --remove-labels=[KEY,...]] [GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
|
|
@ -31,6 +34,20 @@ DESCRIPTION
|
|||
|
||||
4. Update the primary version for the given key with primary-version flag.
|
||||
|
||||
5. Update the Key Access Justifications policy for the given key with
|
||||
allowed-access-reasons flag to allow specified reasons. The key must be
|
||||
enrolled in Key Access Justifications to use this flag.
|
||||
|
||||
6. Remove the Key Access Justifications policy for the given key with
|
||||
remove-key-access-justifications-policy flag. The key must be enrolled in
|
||||
Key Access Justifications to use this flag.
|
||||
|
||||
7. Update the Key Access Justifications policy for the given key with
|
||||
allowed_access_reasons flag to allow zero access reasons. This effectively
|
||||
disables the key, because a policy is configured to reject all access
|
||||
reasons. The key must be enrolled in Key Access Justifications to use this
|
||||
flag.
|
||||
|
||||
EXAMPLES
|
||||
The following command sets a 30 day rotation period for the key named frodo
|
||||
within the keyring fellowship and location global starting at the specified
|
||||
|
|
@ -74,6 +91,29 @@ EXAMPLES
|
|||
--keyring=fellowship \
|
||||
--default-algorithm=rsa-decrypt-oaep-4096-sha256
|
||||
|
||||
The following command updates the Key Access Justifications policy for the
|
||||
key named frodo within the keyring fellowship and location global to allow
|
||||
only customer-initiated-access and google-initiated-system-operation:
|
||||
|
||||
$ gcloud kms keys update frodo --location=global \
|
||||
--keyring=fellowship \
|
||||
--allowed-access-reasons=customer-initiated-access,\
|
||||
google-initiated-system-operation
|
||||
|
||||
The following command removes the Key Access Justifications policy for the
|
||||
key named frodo within the keyring fellowship and location global, which
|
||||
results in all access reasons being allowed:
|
||||
|
||||
$ gcloud kms keys update frodo --location=global \
|
||||
--keyring=fellowship --remove-key-access-justifications-policy
|
||||
|
||||
The following command updates the Key Access Justifications policy for the
|
||||
key named frodo within the keyring fellowship and location global to allow
|
||||
only zero access reasons, effectively disabling the key:
|
||||
|
||||
$ gcloud kms keys update frodo --location=global \
|
||||
--keyring=fellowship --allowed-access-reasons=
|
||||
|
||||
POSITIONAL ARGUMENTS
|
||||
Key resource - The KMS key resource. The arguments in this group can be
|
||||
used to specify the attributes of this resource. (NOTE) Some attributes
|
||||
|
|
@ -112,6 +152,21 @@ POSITIONAL ARGUMENTS
|
|||
▸ provide the argument --location on the command line.
|
||||
|
||||
FLAGS
|
||||
--allowed-access-reasons=[ALLOWED_ACCESS_REASONS,...]
|
||||
The list of allowed Key Access Justifications access reasons on the
|
||||
key. The key must be enrolled in Key Access Justifications to configure
|
||||
this field. By default, this field is absent, and all justification
|
||||
codes are allowed. For more information about justification codes, see
|
||||
https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes.
|
||||
ALLOWED_ACCESS_REASONS must be one of:
|
||||
customer-authorized-workflow-servicing, customer-initiated-access,
|
||||
customer-initiated-support, google-initiated-review,
|
||||
google-initiated-service, google-initiated-system-operation,
|
||||
google-response-to-production-alert,
|
||||
modified-customer-initiated-access,
|
||||
modified-google-initiated-system-operation, reason-not-expected,
|
||||
reason-unspecified, third-party-data-request.
|
||||
|
||||
--default-algorithm=DEFAULT_ALGORITHM
|
||||
The default algorithm for the crypto key. For more information about
|
||||
choosing an algorithm, see
|
||||
|
|
@ -138,6 +193,10 @@ FLAGS
|
|||
--primary-version=PRIMARY_VERSION
|
||||
Primary version to make primary.
|
||||
|
||||
--remove-key-access-justifications-policy
|
||||
Removes the Key Access Justifications policy on the key, making all
|
||||
justification codes allowed.
|
||||
|
||||
--remove-rotation-schedule
|
||||
Remove any existing rotation schedule on the key.
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue