The AO performs key management operations through the kubectl command to
access the org admin cluster.
Before you begin
Before performing KMS operations, configure the kubectl command to access the
org admin cluster. To do this,
get a kubeconfig file
using the gdcloud command-line interface (CLI).
To get the permissions that you need to create keys, ask your
Organization IAM Admin to grant you the KMS Creator (kms-creator)
role in your project. If you need additional privileges, such as deleting keys,
request the KMS Admin (kms-admin) role.
Create a key
Complete the following steps:
Create a key in the project namespace. The following example creates the
AEADkey:kubectl --kubeconfig ORG_ADMIN_KUBECONFIG apply -f - << EOF apiVersion: "kms.gdc.goog/v1" kind: AEADKey metadata: name: KEY_NAME namespace: PROJECT spec: algorithm: AES_256_GCM EOFReplace the following variables:
- ORG_ADMIN_KUBECONFIG: the
kubeconfigfile of the org admin cluster. - KEY_NAME: a name for the key you want to
create—for example:
key-1. - PROJECT: the name of the project—for
example:
kms-test1.
- ORG_ADMIN_KUBECONFIG: the
Verify the key creation:
kubectl --kubeconfig ORG_ADMIN_KUBECONFIG \ get aeadkey KEY_NAME \ --namespace=PROJECT -o yamlIf the key creation is successful, you see the value
Truein theREADYcolumn.
Delete a key
Complete the following steps:
Delete the key in the project namespace:
kubectl --kubeconfig ORG_ADMIN_KUBECONFIG \ delete KEY_PRIMITIVE KEY_NAME \ --namespace=PROJECTReplace the following variables:
- ORG_ADMIN_KUBECONFIG: the
kubeconfigfile of the org admin cluster. - KEY_PRIMITIVE: the key you want to delete—for
example:
aeadkeyfor theAEADkey. - KEY_NAME: the name of the key you want to
delete—for example:
key-1. - PROJECT: the name of the project—for
example:
kms-test1.
- ORG_ADMIN_KUBECONFIG: the
Verify the key deletion, and ensure you do not see the key in return:
kubectl --kubeconfig ORG_ADMIN_KUBECONFIG \ get KEY_PRIMITIVE KEY_NAME \ --namespace=PROJECT