# Create and delete keys

The AO performs key management operations through the `kubectl` command to
access the Management API server.

Before you begin
----------------

Before performing KMS operations, configure the `kubectl` command to access the
Management API server. To do this,
[get a kubeconfig file](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-auth#get-kubeconfig)
using the [gdcloud command-line interface (CLI)](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-overview).

To get the permissions that you need to create keys, ask your
Organization IAM Admin to grant you the KMS Creator (`kms-creator`)
role in your project. If you need additional privileges, such as deleting keys,
request the KMS Admin (`kms-admin`) role.

Create a key
------------

Complete the following steps:

1. Create a key in the project namespace. The following example creates the
   `AEAD` key:

       kubectl --kubeconfig MANAGEMENT_API_SERVER \
         apply -f - << EOF
       apiVersion: "kms.gdc.goog/v1"
       kind: AEADKey
       metadata:
         name: KEY_NAME
         namespace: PROJECT
       spec:
         algorithm: AES_256_GCM
       EOF

   Replace the following variables:
   - `MANAGEMENT_API_SERVER`: the kubeconfig file of the Management API server. [Sign in and generate](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in) the kubeconfig file if you don't have one.
   - `KEY_NAME`: a name for the key you want to create, for example `key-1`.
   - `PROJECT`: the name of the project, for example `kms-test1`.

2. Verify the key creation:

       kubectl --kubeconfig MANAGEMENT_API_SERVER \
         get aeadkey KEY_NAME \
         --namespace=PROJECT -o yaml

   If the key creation is successful, you see the value `True` in the `READY`
   column.

Delete a key
------------

Complete the following steps:

1. Delete the key in the project namespace:

       kubectl --kubeconfig MANAGEMENT_API_SERVER \
         delete KEY_PRIMITIVE KEY_NAME \
         --namespace=PROJECT

   Replace the following variables:
   - `MANAGEMENT_API_SERVER`: the kubeconfig file of the Management API server. [Sign in and generate](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in) the kubeconfig file if you don't have one.
   - `KEY_PRIMITIVE`: the kind of key you want to delete, for example `aeadkey` for the `AEAD` key.
   - `KEY_NAME`: the name of the key you want to delete, for example `key-1`.
   - `PROJECT`: the name of the project, for example `kms-test1`.

2. Verify the key deletion. The key must no longer be returned:

       kubectl --kubeconfig MANAGEMENT_API_SERVER \
         get KEY_PRIMITIVE KEY_NAME \
         --namespace=PROJECT

Last updated 2025-08-25 UTC.
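The create, verify and delete steps above, wrapped in checked shell functions, as an added example that is not part of the GDC documentation. It assumes `kubectl` is on `PATH`, that `MANAGEMENT_API_SERVER` holds the path to the Management API server kubeconfig, and that the `AEADKey` resource is `kms.gdc.goog/v1` exactly as shown on the page; the function names and the name-validation rule are this example's own, and the `READY` value is read from the table output of `kubectl get aeadkey` because the page states that is where it appears.

```bash
#!/bin/sh
# Added example, not from the GDC documentation. Wraps the page's AEADKey
# create / verify / delete steps in functions that fail loudly.
# Assumptions: kubectl on PATH, MANAGEMENT_API_SERVER = path to the Management
# API server kubeconfig, AEADKey CRD is kms.gdc.goog/v1 as on the page.
set -eu

# Key and project names are substituted into a heredoc manifest, so check them
# against the Kubernetes object-name rules (lowercase DNS-1123 label, <= 63
# chars) before anything is sent to the API server.
valid_k8s_name() {
  case "$1" in
    '' | *[!a-z0-9-]* | -* | *-) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# Render the AEADKey manifest from the page for KEY_NAME=$1, PROJECT=$2.
render_aeadkey_manifest() {
  valid_k8s_name "$1" || { echo "invalid key name: '$1'" >&2; return 1; }
  valid_k8s_name "$2" || { echo "invalid project: '$2'" >&2; return 1; }
  cat <<EOF
apiVersion: "kms.gdc.goog/v1"
kind: AEADKey
metadata:
  name: $1
  namespace: $2
spec:
  algorithm: AES_256_GCM
EOF
}

# Every call goes through the Management API server kubeconfig, never whatever
# context the shell happens to have selected.
kms_kubectl() {
  kubectl --kubeconfig "${MANAGEMENT_API_SERVER:?path to the Management API server kubeconfig}" "$@"
}

create_aeadkey() {
  render_aeadkey_manifest "$1" "$2" | kms_kubectl apply -f -
}

# True when the READY column of 'kubectl get aeadkey' reads True. The column
# index is taken from the header row, so a changed column order cannot make a
# stale AGE or NAME value look like a readiness signal.
aeadkey_ready() {
  kms_kubectl get aeadkey "$1" --namespace="$2" 2>/dev/null |
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "READY") col = i; next }
         NR == 2 { if (col && $col == "True") found = 1 }
         END { exit found ? 0 : 1 }'
}

# Key material is provisioned asynchronously: poll until READY=True, or fail
# after $3 seconds (default 60) instead of assuming the key is usable.
wait_for_aeadkey() {
  wait_left=${3:-60}
  while [ "$wait_left" -gt 0 ]; do
    if aeadkey_ready "$1" "$2"; then return 0; fi
    sleep 1
    wait_left=$((wait_left - 1))
  done
  echo "timed out waiting for aeadkey/$1 in project $2" >&2
  return 1
}

delete_aeadkey() {
  kms_kubectl delete aeadkey "$1" --namespace="$2"
}

# Deletion is verified the way the page does it: the key is no longer returned.
aeadkey_absent() {
  ! kms_kubectl get aeadkey "$1" --namespace="$2" >/dev/null 2>&1
}

# Full lifecycle against a real Management API server. Defined only; nothing
# runs on load, so sourcing this file is side-effect free.
aeadkey_lifecycle() {
  create_aeadkey "$1" "$2"
  wait_for_aeadkey "$1" "$2" 120
  delete_aeadkey "$1" "$2"
  aeadkey_absent "$1" "$2" || { echo "aeadkey/$1 still present in $2" >&2; return 1; }
}
```

Source the file and call `aeadkey_lifecycle key-1 kms-test1` with `MANAGEMENT_API_SERVER` exported; every step exits non-zero on failure, so the script is safe to use from CI. Pinning the kubeconfig inside `kms_kubectl` is deliberate: key creation and deletion are the operations you least want landing in the wrong cluster because of a stale default context.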