# Import and export keys

This page describes how the Application Operator (AO) imports a key that was
exported from a key management system (KMS). The AO performs the import and
export operations with the `kubectl` command-line interface (CLI) using the
following resources:

- [`KeyImport`](/distributed-cloud/hosted/docs/latest/gdch/apis/service/kms/kms-api-overview#keyimport)
- [`KeyExport`](/distributed-cloud/hosted/docs/latest/gdch/apis/service/kms/kms-api-overview#keyexport)

To view more details on these resources, see the
[KMS API overview](/distributed-cloud/hosted/docs/latest/gdch/apis/kms-api-overview).

Refer to the [Supported keys](./kms#supported-keys) section of the
*Key management systems (KMS)* page for the full list and details of the keys
the KMS supports.

Before you begin
----------------

Before continuing, ensure you have the following:

- The `kubectl` command configured to access the Management API server. To do
  this, follow the sections
  [Get a kubeconfig file](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-auth#get-kubeconfig)
  and [gdcloud command-line interface (CLI)](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-overview).

- The KMS Key Import Admin and KMS Key Export Admin roles. To get the
  permissions that you need to import an exported key, ask your Platform
  Administrator (PA) to grant you the KMS Key Import Admin
  (`kms-keyimport-admin`) and KMS Key Export Admin (`kms-keyexport-admin`)
  roles.
Import an exported key
----------------------

To import an exported key, complete the following steps:

1. Create a YAML file, and add the `KeyImport` resource as the value of the
   `kind` field:

       apiVersion: "kms.gdc.goog/v1"
       kind: KeyImport
       metadata:
         name: KEY_IMPORT_NAME
         namespace: PROJECT
       spec:
         context:
           mechanism: MECHANISM

   Replace the following variables:
   - `KEY_IMPORT_NAME`: the name of the `KeyImport` resource, for example
     `key-import-test`.
   - `PROJECT`: the name of the project namespace, for example `kms-test1`.
   - `MECHANISM`: the key sharing mechanism of the key, for example
     `EDCH_P521_AES256`.

2. Apply the contents of the YAML file to the KMS and create the `KeyImport`
   resource:

       kubectl apply -f FILENAME.yaml

   Replace `FILENAME` with the name of the YAML file.

   The KMS generates a key pair internally, publishes the public key of that
   pair in the resource status, and updates the status of the `KeyImport`
   resource to `AwaitingKeyToImport`. To continue, view the status of the
   resource and obtain the KMS generated public key.
3. To view the status of the `KeyImport` resource and obtain the KMS generated
   public key, run the following:

       kubectl describe keyimport KEY_IMPORT_NAME --namespace PROJECT

   Replace the following variables:
   - `KEY_IMPORT_NAME`: the `KeyImport` resource name, for example
     `key-import-test`.
   - `PROJECT`: the name of the project namespace, for example `kms-test1`.

   After running the command, you see output similar to the following:

       ...
       Status:
         Conditions:
           Last Transition Time:  2022-12-14T20:43:50Z
           Message:               waiting for user to provide KeyToImport
           Observed Generation:   1
           Reason:                AwaitingKeyToImport
           Status:                False
           Type:                  Ready
         Imported Key Ref:
           Kind:  KeyImport
           Name:  key-import-test
         Peer Context:
           Private Key:
           Public Key:  PUBLIC_KEY
       Events:  <none>

   The value `PUBLIC_KEY` is the KMS generated public key. Copy the public key
   and add it to the `KeyExport` resource in the following step.

4. Create another YAML file, add the `KeyExport` resource as the value of the
   `kind` field, and add the following contents:

       apiVersion: "kms.gdc.goog/v1"
       kind: KeyExport
       metadata:
         name: KEY_EXPORT_NAME
         namespace: PROJECT
       spec:
         context:
           mechanism: MECHANISM
           publicKey: PUBLIC_KEY
         keyToExport:
           kind: KEY_PRIMITIVE
           name: KEY_NAME

   Replace the following variables:
   - `KEY_EXPORT_NAME`: the name of the `KeyExport` resource, for example
     `key-export-test`.
   - `PROJECT`: the name of the project namespace, for example `kms-test1`.

     **Important:** The `KeyExport` custom resource definition (CRD) must
     reside in the same project namespace as the imported key. If the imported
     key resides in the project namespace `kms-test1`, the `KeyExport` CRD must
     also reside in `kms-test1`.
   - `MECHANISM`: the key sharing mechanism of the key, for example
     `EDCH_P521_AES256`. It must be the same mechanism you set on the
     `KeyImport` resource.
   - `PUBLIC_KEY`: the public key from
     `keyImport.Status.PeerContext.PublicKey`.
   - `KEY_PRIMITIVE`: the CRD of the key, for example `aeadkey` or
     `signingkey`.
   - `KEY_NAME`: the name of the key, for example `key-1`.

5. Apply the contents of the YAML file to the KMS and create the `KeyExport`
   resource:

       kubectl apply -f FILENAME.yaml

   Replace `FILENAME` with the name of the YAML file.

   After running the command, the KMS updates the status of the `KeyExport`
   resource and generates an exported key. To obtain the exported key, view
   the resource's status.
6. To view the resource's status, run the following:

       kubectl describe keyexport KEY_EXPORT_NAME --namespace PROJECT

   Replace the following variables:
   - `KEY_EXPORT_NAME`: the name of the `KeyExport` resource, for example
     `key-export-test`.
   - `PROJECT`: the name of the project namespace, for example `kms-test1`.

   After running the command, you see output similar to the following:

       ...
       Status:
         Conditions:
           Last Transition Time:  2022-12-14T20:45:57Z
           Message:               key successfully exported
           Observed Generation:   1
           Reason:                KeyExportCompleted
           Status:                True
           Type:                  Ready
         Exported Key:  EXPORTED_KEY

   `EXPORTED_KEY` is the exported key material together with its metadata.
   Copy the contents of `EXPORTED_KEY` to continue with the following step.

7. Edit the YAML file that contains the `KeyImport` resource, and add the
   contents you copied from `keyexport.status.exportedkey` as the value of
   `keyToImport`:

       apiVersion: "kms.gdc.goog/v1"
       kind: KeyImport
       metadata:
         name: key-import-test
         namespace: kms-test1
       spec:
         context:
           mechanism: EDCH_P521_AES256
         keyToImport: EXPORTED_KEY

8. After editing the YAML file, apply the contents to the KMS:

       kubectl apply -f FILENAME.yaml

   After running the command, the KMS imports the exported key you provided.

9. To view details on the imported key, run the following:

       kubectl get keyimport KEY_IMPORT_NAME

   You see output similar to the following:

       NAMESPACE   NAME              AGE   READY   REASON               KEY KIND
       kms-test1   KEY_IMPORT_NAME   60s   True    KeyImportCompleted   KEY_PRIMITIVE

   `KEY_PRIMITIVE` is the kind of key you imported, either the AEAD key or the
   signing key.

Last updated 2025-08-25 UTC.
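The nine steps above are one handshake: the import side publishes a public key, the export side wraps the key for that public key, and the import side consumes the wrapped blob. The following script automates the whole sequence and is an added example, not code from the GDC Hosted project. It assumes `kubectl` is on the `PATH` and configured for the Management API server, that the JSON field names match the `describe` output shown on this page (`spec.context.mechanism`, `spec.context.publicKey`, `spec.keyToExport`, `spec.keyToImport`, `status.peerContext.publicKey`, `status.exportedKey`), and that the `Ready` condition carries the reasons the page lists. The `FakeKms` class is a constructed stand-in for the cluster so the flow can be exercised offline; it does no cryptography.

```python
# Automate the KeyImport / KeyExport handshake described on this page.
# Added example, not GDCH project code. Assumes kubectl is configured for the
# Management API server and that the JSON field names match the describe output
# on the page (spec.context.*, spec.keyToExport, spec.keyToImport,
# status.peerContext.publicKey, status.exportedKey) plus the Ready reasons listed.
import json
import subprocess
import time

API_VERSION = "kms.gdc.goog/v1"


def kubectl(argv, stdin=""):
    """Real runner: (kubectl args, stdin) -> stdout, raising on a non-zero exit."""
    return subprocess.run(["kubectl", *argv], input=stdin, text=True,
                          capture_output=True, check=True).stdout


def key_import_manifest(name, namespace, mechanism, key_to_import=None):
    """Step 1 manifest; step 7 re-applies it with spec.keyToImport filled in."""
    doc = {"apiVersion": API_VERSION, "kind": "KeyImport",
           "metadata": {"name": name, "namespace": namespace},
           "spec": {"context": {"mechanism": mechanism}}}
    if key_to_import is not None:
        doc["spec"]["keyToImport"] = key_to_import
    return doc


def key_export_manifest(name, namespace, mechanism, public_key, kind, key):
    """Step 4 manifest: the KMS public key plus a reference to the key to export."""
    return {"apiVersion": API_VERSION, "kind": "KeyExport",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"context": {"mechanism": mechanism, "publicKey": public_key},
                     "keyToExport": {"kind": kind, "name": key}}}


def ready_reason(obj):
    """Reason on the Ready condition (e.g. AwaitingKeyToImport); None if absent."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("reason")
    return None


def wait_for(run, kind, name, namespace, reason, attempts=30, delay=2.0):
    """Poll `kubectl get -o json` until the Ready condition carries `reason`."""
    for _ in range(attempts):
        obj = json.loads(run(["get", kind, name, "-n", namespace, "-o", "json"]))
        if ready_reason(obj) == reason:
            return obj
        time.sleep(delay)
    raise TimeoutError(f"{kind}/{name} never reached {reason}")


def import_exported_key(run, namespace, mechanism, key_kind, key_name,
                        import_name="key-import-test",
                        export_name="key-export-test", delay=2.0):
    """Steps 1-9. One namespace and one mechanism for both resources enforce the
    page's rule that the KeyExport lives in the imported key's project namespace."""
    def apply(manifest):
        run(["apply", "-f", "-"], json.dumps(manifest))

    apply(key_import_manifest(import_name, namespace, mechanism))             # 1-2
    ki = wait_for(run, "keyimport", import_name, namespace,
                  "AwaitingKeyToImport", delay=delay)                          # 3
    public_key = ki["status"]["peerContext"]["publicKey"]
    apply(key_export_manifest(export_name, namespace, mechanism,
                              public_key, key_kind, key_name))                # 4-5
    ke = wait_for(run, "keyexport", export_name, namespace,
                  "KeyExportCompleted", delay=delay)                           # 6
    apply(key_import_manifest(import_name, namespace, mechanism,
                              ke["status"]["exportedKey"]))                   # 7-8
    return wait_for(run, "keyimport", import_name, namespace,
                    "KeyImportCompleted", delay=delay)                         # 9


class FakeKms:
    """Constructed stand-in for the cluster so the flow runs offline. It mimics
    only the status transitions the page describes and does no cryptography."""
    PUBLIC_KEY = "constructed-kms-public-key"

    def __init__(self):
        self.objects = {}

    def __call__(self, argv, stdin=""):
        if argv[0] == "apply":
            obj = json.loads(stdin)
            obj["status"] = self._reconcile(obj)
            self.objects[(obj["kind"].lower(), obj["metadata"]["namespace"],
                          obj["metadata"]["name"])] = obj
            return ""
        if argv[0] == "get":  # get KIND NAME -n NAMESPACE -o json
            return json.dumps(self.objects[(argv[1], argv[4], argv[2])])
        raise ValueError(f"fake kubectl does not support {argv}")

    def _reconcile(self, obj):
        def ready(reason, ok):
            return {"conditions": [{"type": "Ready", "reason": reason,
                                    "status": str(ok)}]}
        spec = obj["spec"]
        if obj["kind"] == "KeyImport":
            if "keyToImport" in spec:
                return ready("KeyImportCompleted", True)
            return {**ready("AwaitingKeyToImport", False),
                    "peerContext": {"publicKey": self.PUBLIC_KEY}}
        if spec["context"]["publicKey"] != self.PUBLIC_KEY:  # must reuse the import side's key
            raise ValueError("fake KMS: publicKey is not the one KeyImport published")
        return {**ready("KeyExportCompleted", True),
                "exportedKey": "constructed-wrapped:" + spec["keyToExport"]["name"]}
```

On a real cluster call `import_exported_key(kubectl, "kms-test1", "EDCH_P521_AES256", "aeadkey", "key-1")`; for an offline dry run pass `FakeKms()` with `delay=0`. The runner is injected rather than hard-wired so the same flow can be unit-tested, and the script waits on the `Ready` condition's reason rather than on its `True`/`False` value, because the page shows the import resource reporting `Ready: False` while it legitimately waits for `KeyToImport`.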