1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-18 14:56:05 +00:00

gcloud: Thu Jun 27 09:38:12 UTC 2024

This commit is contained in:
Automated 2024-06-27 09:38:12 +00:00
parent fb3e2aa33b
commit 9cd336cae4
60 changed files with 1726 additions and 122 deletions

View file

@ -3,7 +3,9 @@ NAME
SYNOPSIS
gcloud kms keys create (KEY : --keyring=KEYRING --location=LOCATION)
--purpose=PURPOSE [--crypto-key-backend=CRYPTO_KEY_BACKEND]
--purpose=PURPOSE
[--allowed-access-reasons=[ALLOWED_ACCESS_REASONS,...]]
[--crypto-key-backend=CRYPTO_KEY_BACKEND]
[--default-algorithm=DEFAULT_ALGORITHM]
[--destroy-scheduled-duration=DESTROY_SCHEDULED_DURATION]
[--import-only] [--labels=[KEY=VALUE,...]]
@ -53,6 +55,12 @@ DESCRIPTION
The flag --crypto-key-backend defines the resource name for the backend
where the key resides. Required for external-vpc keys.
The optional flag --allowed-access-reasons defines the Key Access
Justifications Policy for the key, and is specified as a comma separated
list of zero or more justification codes defined in
https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes.
The key must be enrolled in Key Access Justifications to use this flag.
EXAMPLES
The following command creates a key named frodo with protection level
software within the keyring fellowship and location us-east1:
@ -113,6 +121,16 @@ EXAMPLES
--crypto-key-backend="projects/$(gcloud config get project)/
locations/us-central1/ekmConnections/eagles"
The following command creates a key named arwen with protection level
software within the keyring fellowship and location us-east1 with a Key
Access Justifications policy that allows access reasons
customer-initiated-access and google-initiated-system-operation:
$ gcloud kms keys create arwen --location=us-east1 \
--keyring=fellowship --purpose=encryption \
--allowed-access-reasons=customer-initiated-access,\
google-initiated-system-operation
POSITIONAL ARGUMENTS
Key resource - The KMS key resource. The arguments in this group can be
used to specify the attributes of this resource. (NOTE) Some attributes
@ -157,6 +175,21 @@ REQUIRED FLAGS
raw-encryption.
OPTIONAL FLAGS
--allowed-access-reasons=[ALLOWED_ACCESS_REASONS,...]
The list of allowed Key Access Justifications access reasons on the
key. The key must be enrolled in Key Access Justifications to configure
this field. By default, this field is absent, and all justification
codes are allowed. For more information about justification codes, see
https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes.
ALLOWED_ACCESS_REASONS must be one of:
customer-authorized-workflow-servicing, customer-initiated-access,
customer-initiated-support, google-initiated-review,
google-initiated-service, google-initiated-system-operation,
google-response-to-production-alert,
modified-customer-initiated-access,
modified-google-initiated-system-operation, reason-not-expected,
reason-unspecified, third-party-data-request.
--crypto-key-backend=CRYPTO_KEY_BACKEND
The resource name of the backend environment where the key material for
all CryptoKeyVersions associated with this CryptoKey reside and where

View file

@ -3,10 +3,13 @@ NAME
SYNOPSIS
gcloud kms keys update (KEY : --keyring=KEYRING --location=LOCATION)
[--allowed-access-reasons=[ALLOWED_ACCESS_REASONS,...]]
[--default-algorithm=DEFAULT_ALGORITHM]
[--next-rotation-time=NEXT_ROTATION_TIME]
[--primary-version=PRIMARY_VERSION] [--remove-rotation-schedule]
[--rotation-period=ROTATION_PERIOD] [--update-labels=[KEY=VALUE,...]]
[--primary-version=PRIMARY_VERSION]
[--remove-key-access-justifications-policy]
[--remove-rotation-schedule] [--rotation-period=ROTATION_PERIOD]
[--update-labels=[KEY=VALUE,...]]
[--clear-labels | --remove-labels=[KEY,...]] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
@ -31,6 +34,20 @@ DESCRIPTION
4. Update the primary version for the given key with primary-version flag.
5. Update the Key Access Justifications policy for the given key with
allowed-access-reasons flag to allow specified reasons. The key must be
enrolled in Key Access Justifications to use this flag.
6. Remove the Key Access Justifications policy for the given key with
remove-key-access-justifications-policy flag. The key must be enrolled in
Key Access Justifications to use this flag.
7. Update the Key Access Justifications policy for the given key with
allowed_access_reasons flag to allow zero access reasons. This effectively
disables the key, because a policy is configured to reject all access
reasons. The key must be enrolled in Key Access Justifications to use this
flag.
EXAMPLES
The following command sets a 30 day rotation period for the key named frodo
within the keyring fellowship and location global starting at the specified
@ -74,6 +91,29 @@ EXAMPLES
--keyring=fellowship \
--default-algorithm=rsa-decrypt-oaep-4096-sha256
The following command updates the Key Access Justifications policy for the
key named frodo within the keyring fellowship and location global to allow
only customer-initiated-access and google-initiated-system-operation:
$ gcloud kms keys update frodo --location=global \
--keyring=fellowship \
--allowed-access-reasons=customer-initiated-access,\
google-initiated-system-operation
The following command removes the Key Access Justifications policy for the
key named frodo within the keyring fellowship and location global, which
results in all access reasons being allowed:
$ gcloud kms keys update frodo --location=global \
--keyring=fellowship --remove-key-access-justifications-policy
The following command updates the Key Access Justifications policy for the
key named frodo within the keyring fellowship and location global to allow
only zero access reasons, effectively disabling the key:
$ gcloud kms keys update frodo --location=global \
--keyring=fellowship --allowed-access-reasons=
POSITIONAL ARGUMENTS
Key resource - The KMS key resource. The arguments in this group can be
used to specify the attributes of this resource. (NOTE) Some attributes
@ -112,6 +152,21 @@ POSITIONAL ARGUMENTS
▸ provide the argument --location on the command line.
FLAGS
--allowed-access-reasons=[ALLOWED_ACCESS_REASONS,...]
The list of allowed Key Access Justifications access reasons on the
key. The key must be enrolled in Key Access Justifications to configure
this field. By default, this field is absent, and all justification
codes are allowed. For more information about justification codes, see
https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes.
ALLOWED_ACCESS_REASONS must be one of:
customer-authorized-workflow-servicing, customer-initiated-access,
customer-initiated-support, google-initiated-review,
google-initiated-service, google-initiated-system-operation,
google-response-to-production-alert,
modified-customer-initiated-access,
modified-google-initiated-system-operation, reason-not-expected,
reason-unspecified, third-party-data-request.
--default-algorithm=DEFAULT_ALGORITHM
The default algorithm for the crypto key. For more information about
choosing an algorithm, see
@ -138,6 +193,10 @@ FLAGS
--primary-version=PRIMARY_VERSION
Primary version to make primary.
--remove-key-access-justifications-policy
Removes the Key Access Justifications policy on the key, making all
justification codes allowed.
--remove-rotation-schedule
Remove any existing rotation schedule on the key.