Create and delete keys

The AO performs key management operations through the kubectl command to access the Management API server.

Before you begin

Before performing KMS operations, configure the kubectl command to access the Management API server. To do this, get a kubeconfig file using the gdcloud CLI-line interface (CLI).

To get the permissions that you need to create keys, ask your Organization IAM Admin to grant you the KMS Creator (kms-creator) role in your project. If you need additional privileges, such as deleting keys, request the KMS Admin (kms-admin) role.

Create a key

Complete the following steps:

  1. Create a key in the project namespace. The following example creates the AEAD key:

    kubectl --kubeconfig MANAGEMENT_API_SERVER \
apply -f - << EOF
apiVersion: "kms.gdc.goog/v1"
kind: AEADKey
metadata:
  name: KEY_NAME
  namespace: PROJECT
spec:
  algorithm: AES_256_GCM
EOF

    Replace the following variables:

    • MANAGEMENT_API_SERVER: the kubeconfig file of the Management API server. Sign in and generate the kubeconfig file if you don't have one.
    • KEY_NAME: a name for the key you want to create—for example: key-1.
    • PROJECT: the name of the project—for example: kms-test1.

  2. Verify the key creation:

    kubectl --kubeconfig MANAGEMENT_API_SERVER \
  get aeadkey KEY_NAME \
  --namespace=PROJECT -o yaml

    If the key creation is successful, you see the value True in the READY column.

Delete a key

Complete the following steps:

  1. Delete the key in the project namespace:

    kubectl --kubeconfig MANAGEMENT_API_SERVER \
  delete KEY_PRIMITIVE KEY_NAME \
  --namespace=PROJECT

    Replace the following variables:

    • MANAGEMENT_API_SERVER: the kubeconfig file of the Management API server. Sign in and generate the kubeconfig file if you don't have one.
    • KEY_PRIMITIVE: the key you want to delete—for example: aeadkey for the AEAD key.
    • KEY_NAME: the name of the key you want to delete—for example: key-1.
    • PROJECT: the name of the project—for example: kms-test1.

  2. Verify the key deletion, and ensure you don't see the key in return:

    kubectl --kubeconfig MANAGEMENT_API_SERVER \
  get KEY_PRIMITIVE  KEY_NAME \
  --namespace=PROJECT