The AO performs key management operations through the kubectl
command to
access the org admin cluster.
Before you begin
Before performing KMS operations, configure the kubectl
command to access the
org admin cluster. To do this,
get a kubeconfig file
using the gdcloud command-line interface (CLI).
To get the permissions that you need to create keys, ask your
Organization IAM Admin to grant you the KMS Creator (kms-creator
)
role in your project. If you need additional privileges, such as deleting keys,
request the KMS Admin (kms-admin
) role.
Create a key
Complete the following steps:
Create a key in the project namespace. The following example creates the
AEAD
key:kubectl --kubeconfig ORG_ADMIN_KUBECONFIG apply -f - << EOF apiVersion: "kms.gdc.goog/v1" kind: AEADKey metadata: name: KEY_NAME namespace: PROJECT spec: algorithm: AES_256_GCM EOF
Replace the following variables:
- ORG_ADMIN_KUBECONFIG: the
kubeconfig
file of the org admin cluster. - KEY_NAME: a name for the key you want to
createfor example:
key-1
. - PROJECT: the name of the projectfor
example:
kms-test1
.
- ORG_ADMIN_KUBECONFIG: the
Verify the key creation:
kubectl --kubeconfig ORG_ADMIN_KUBECONFIG \ get aeadkey KEY_NAME \ --namespace=PROJECT -o yaml
If the key creation is successful, you see the value
True
in theREADY
column.
Delete a key
Complete the following steps:
Delete the key in the project namespace:
kubectl --kubeconfig ORG_ADMIN_KUBECONFIG \ delete KEY_PRIMITIVE KEY_NAME \ --namespace=PROJECT
Replace the following variables:
- ORG_ADMIN_KUBECONFIG: the
kubeconfig
file of the org admin cluster. - KEY_PRIMITIVE: the key you want to deletefor
example:
aeadkey
for theAEAD
key. - KEY_NAME: the name of the key you want to
deletefor example:
key-1
. - PROJECT: the name of the projectfor
example:
kms-test1
.
- ORG_ADMIN_KUBECONFIG: the
Verify the key deletion, and ensure you do not see the key in return:
kubectl --kubeconfig ORG_ADMIN_KUBECONFIG \ get KEY_PRIMITIVE KEY_NAME \ --namespace=PROJECT