Create and delete keys

The AO performs key management operations by running kubectl commands against the org admin cluster.

Before you begin

Before performing KMS operations, configure the kubectl command to access the org admin cluster. To do this, get a kubeconfig file using the gdcloud command-line interface (CLI).

To get the permissions that you need to create keys, ask your Organization IAM Admin to grant you the KMS Creator (kms-creator) role in your project. If you need additional privileges, such as deleting keys, request the KMS Admin (kms-admin) role.

Create a key

Complete the following steps:

  1. Create a key in the project namespace. The following example creates the AEAD key:

    kubectl --kubeconfig ORG_ADMIN_KUBECONFIG \
      apply -f - << EOF
    apiVersion: "kms.gdc.goog/v1"
    kind: AEADKey
    metadata:
      name: KEY_NAME
      namespace: PROJECT
    spec:
      algorithm: AES_256_GCM
    EOF
    

    Replace the following variables:

    • ORG_ADMIN_KUBECONFIG: the kubeconfig file of the org admin cluster.
    • KEY_NAME: a name for the key you want to create—for example: key-1.
    • PROJECT: the name of the project—for example: kms-test1.
  2. Verify the key creation:

    kubectl --kubeconfig ORG_ADMIN_KUBECONFIG \
      get aeadkey KEY_NAME \
      --namespace=PROJECT -o yaml
    

    If the key creation is successful, you see the value True in the READY column.

Delete a key

Complete the following steps:

  1. Delete the key in the project namespace:

    kubectl --kubeconfig ORG_ADMIN_KUBECONFIG \
      delete KEY_PRIMITIVE KEY_NAME \
      --namespace=PROJECT
    

    Replace the following variables:

    • ORG_ADMIN_KUBECONFIG: the kubeconfig file of the org admin cluster.
    • KEY_PRIMITIVE: the key you want to delete—for example: aeadkey for the AEAD key.
    • KEY_NAME: the name of the key you want to delete—for example: key-1.
    • PROJECT: the name of the project—for example: kms-test1.
  2. Verify the key deletion by confirming that the key is no longer returned:

    kubectl --kubeconfig ORG_ADMIN_KUBECONFIG \
      get KEY_PRIMITIVE KEY_NAME \
      --namespace=PROJECT
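The create and delete procedures above, scripted end to end, as an added example (this is not code from the page or from the GDC product). It keeps the page's variable names (ORG_ADMIN_KUBECONFIG, PROJECT, KEY_NAME, KEY_PRIMITIVE) and the AEADKey manifest exactly, and adds what a practitioner usually wants around them: validation of the key name before it reaches the API server, a readiness wait instead of a single `get`, and a deletion check that distinguishes "NotFound" from a connectivity failure. It assumes that the READY column appears in the default table output of `kubectl get aeadkey` (as the page states), that a missing object produces kubectl's standard `Error from server (NotFound)` message, and a 60-second readiness timeout; the sample table and error strings in the comments are constructed.

```shell
#!/usr/bin/env sh
# Added example, not part of the original page. Create an AEADKey in a GDC
# project namespace, wait until it reports READY=True, then delete it and
# confirm the API server no longer returns it.

# Reject names that are not valid Kubernetes object names (lowercase
# DNS-1123 subdomain, alphanumeric at both ends, at most 253 characters).
validate_k8s_name() {
  [ "${#1}" -le 253 ] &&
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$'
}

# Print the AEADKey manifest from the page for KEY_NAME in namespace PROJECT.
render_aeadkey_manifest() {
  key_name="$1"; project="$2"
  cat <<EOF
apiVersion: "kms.gdc.goog/v1"
kind: AEADKey
metadata:
  name: ${key_name}
  namespace: ${project}
spec:
  algorithm: AES_256_GCM
EOF
}

# Given the table output of `kubectl get aeadkey NAME` (constructed sample:
# "NAME   READY   AGE\nkey-1  True    5s"), succeed only when the READY column
# for NAME reads True. The column is located from the header, not hardcoded.
key_is_ready() {
  key_name="$1"; table="$2"
  printf '%s\n' "$table" | awk -v key="$key_name" '
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == "READY") col = i; next }
    $1 == key && col && $col == "True" { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Succeed when a kubectl error message says the object does not exist, e.g.
# the constructed sample:
#   Error from server (NotFound): aeadkeys.kms.gdc.goog "key-1" not found
# Any other error (timeouts, auth failures) must not be mistaken for deletion.
key_not_found() {
  case "$1" in
    *NotFound*|*"not found"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Every call targets the org admin cluster and the project namespace.
kms_kubectl() {
  kubectl --kubeconfig "${ORG_ADMIN_KUBECONFIG:?set to the org admin kubeconfig}" \
    --namespace="${PROJECT:?set to the project name}" "$@"
}

# Create the key, then poll (30 x 2 s) until the READY column shows True.
create_key() {
  key_name="$1"
  validate_k8s_name "$key_name" || { echo "invalid key name: $key_name" >&2; return 1; }
  render_aeadkey_manifest "$key_name" "$PROJECT" | kms_kubectl apply -f - || return 1
  for _ in $(seq 1 30); do
    if key_is_ready "$key_name" "$(kms_kubectl get aeadkey "$key_name" 2>/dev/null)"; then
      return 0
    fi
    sleep 2
  done
  echo "key $key_name did not become READY within 60 s" >&2
  return 1
}

# Delete the key and confirm `kubectl get` now fails with NotFound.
delete_key() {
  primitive="$1"; key_name="$2"
  kms_kubectl delete "$primitive" "$key_name" || return 1
  for _ in $(seq 1 30); do
    # stderr is captured for inspection; stdout (the object, if any) is dropped.
    if err=$(kms_kubectl get "$primitive" "$key_name" 2>&1 >/dev/null); then
      sleep 2; continue                      # still present, keep polling
    fi
    key_not_found "$err" && return 0         # gone, as expected
    echo "could not verify deletion: $err" >&2
    return 1
  done
  echo "key $key_name still present after delete" >&2
  return 1
}

# Usage (needs a reachable org admin cluster):
#   export ORG_ADMIN_KUBECONFIG=/path/to/admin.kubeconfig PROJECT=kms-test1
#   . ./kms-keys.sh && create_key key-1 && delete_key aeadkey key-1
```

The readiness and deletion checks are the parts worth keeping even if you run the kubectl commands by hand: a single `get` immediately after `apply` can show the object before the KMS controller has reconciled it, and a `get` that fails for any reason after `delete` is not proof that the key is gone unless the error is a NotFound.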