Stay organized with collections
Save and categorize content based on your preferences.
If your root key becomes compromised, or if you choose to periodically rotate
root keys, you can rotate your keys to a new root
key using the RotationJob
resource.
The KMS Rotation Job Admin role. To get the permissions that you need to
rotate keys, ask your Organization IAM Admin to grant you the KMS Rotation
Job Admin (kms-rotationjob-admin) role.
Rotate a root key
To create a new root key and rotate your keys, complete the following steps:
Create a YAML file, and add in the RotationJob resource and the following
contents:
Replace ROTATION_NAME with a name for the rotation job
— for example: rotate-job1.
Replace ROOT_KEY_RESOURCE_NAME with the root key name
specified in the form namespace/NAMESPACE/secrets/ROOT_KEY_NAME
For example, namespaces/kms-system/secrets/ctm-root.
Apply the contents of the YAML file to the KMS:
kubectlapply-fFILENAME.yaml
Replace FILENAME with the name of the YAML file.
After running the command, the KMS creates a new root key and rotates every
key with the new root key.
To verify the root key rotation is complete, run the following:
kubectlgetrotationjobsROTATION_NAME
Replace ROTATION_NAME with the name of the rotation job.
After running the command, you see the status of the rotation job as
Completed if successful.
Remove the Done annotation from the root key. Removing the annotation lets
you rotate the key more than once. Your Infrastructure Operator (IO) must
perform this step. Ask your IO to run the following:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eRoot keys can be rotated to a new root key using the \u003ccode\u003eRotationJob\u003c/code\u003e resource if the current root key is compromised or needs periodic rotation.\u003c/p\u003e\n"],["\u003cp\u003eBefore rotating root keys, you must have \u003ccode\u003ekubectl\u003c/code\u003e configured to access the Management API server and possess the KMS Rotation Job Admin role.\u003c/p\u003e\n"],["\u003cp\u003eRotating a root key involves creating a \u003ccode\u003eRotationJob\u003c/code\u003e resource in a YAML file, applying the file to the KMS, and then verifying the job's completion.\u003c/p\u003e\n"],["\u003cp\u003eAfter a successful rotation, the \u003ccode\u003eDone\u003c/code\u003e annotation must be removed from the root key by an Infrastructure Operator to allow for future rotations.\u003c/p\u003e\n"]]],[],null,["# Rotate a root key\n\nIf your root key becomes compromised, or if you choose to periodically rotate\nroot keys, you can rotate your keys to a new root\nkey using the [`RotationJob`](/distributed-cloud/hosted/docs/latest/gdch/apis/service/kms/kms-api-overview#rotationjob)\nresource.\n\nRefer to the [KMS API overview](/distributed-cloud/hosted/docs/latest/gdch/apis/kms-api-overview) for details\non the KMS API and the [Key Management Service KRM API](/distributed-cloud/hosted/docs/latest/gdch/apis/kms-krm-api)\nto view the full API definition.\n\n### Before you begin\n\nBefore continuing, ensure you have the following:\n\n- The `kubectl` command configured to access the Management API server. To do this,\n [get a kubeconfig file](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-auth#get-kubeconfig)\n using the [gdcloud command-line interface (CLI)](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-overview).\n\n- The KMS Rotation Job Admin role. To get the permissions that you need to\n rotate keys, ask your Organization IAM Admin to grant you the KMS Rotation\n Job Admin (`kms-rotationjob-admin`) role.\n\nRotate a root key\n-----------------\n\nTo create a new root key and rotate your keys, complete the following steps:\n\n1. Create a YAML file, and add in the `RotationJob` resource and the following\n contents:\n\n apiVersion: \"kms.gdc.goog/v1\"\n kind: RotationJob\n metadata:\n name: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eROTATION_NAME\u003c/span\u003e\u003c/var\u003e\n spec:\n rootKeyResourceName: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eROOT_KEY_RESOURCE_NAME\u003c/span\u003e\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003eROTATION_NAME\u003c/var\u003e with a name for the rotation job\n --- for example: `rotate-job1`.\n\n Replace \u003cvar translate=\"no\"\u003eROOT_KEY_RESOURCE_NAME\u003c/var\u003e with the root key name\n specified in the form `namespace/`\u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e`/secrets/`\u003cvar translate=\"no\"\u003eROOT_KEY_NAME\u003c/var\u003e\n\n For example, `namespaces/kms-system/secrets/ctm-root`.\n2. Apply the contents of the YAML file to the KMS:\n\n kubectl apply -f \u003cvar translate=\"no\"\u003eFILENAME\u003c/var\u003e.yaml\n\n Replace \u003cvar translate=\"no\"\u003eFILENAME\u003c/var\u003e with the name of the YAML file.\n\n After running the command, the KMS creates a new root key and rotates every\n key with the new root key.\n3. To verify the root key rotation is complete, run the following:\n\n kubectl get rotationjobs \u003cvar translate=\"no\"\u003eROTATION_NAME\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003eROTATION_NAME\u003c/var\u003e with the name of the rotation job.\n\n After running the command, you see the status of the rotation job as\n `Completed` if successful.\n4. Remove the `Done` annotation from the root key. Removing the annotation lets\n you rotate the key more than once. Your Infrastructure Operator (IO) must\n perform this step. Ask your IO to run the following:\n\n kubectl annotate secret kms-key-\u003cvar translate=\"no\"\u003eROOT_KEY_NAME\u003c/var\u003e -n kms-system gdch.cluster.gke.io/rotation-status-"]]
