The AO performs key management operations through the kubectl command to access the org admin cluster.
Before you begin

Before performing KMS operations, configure the kubectl command to access the org admin cluster. To do this, get a kubeconfig file using the gdcloud command-line interface (CLI).

To get the permissions that you need to create keys, ask your Organization IAM Admin to grant you the KMS Creator (kms-creator) role in your project. If you need additional privileges, such as deleting keys, request the KMS Admin (kms-admin) role.
Create a key

Complete the following steps:

1. Create a key in the project namespace. The following example creates the AEAD key:

kubectl --kubeconfig ORG_ADMIN_KUBECONFIG apply -f - << EOF
apiVersion: "kms.gdc.goog/v1"
kind: AEADKey
metadata:
  name: KEY_NAME
  namespace: PROJECT
spec:
  algorithm: AES_256_GCM
EOF

Replace the following variables:

- ORG_ADMIN_KUBECONFIG: the kubeconfig file of the org admin cluster.
- KEY_NAME: a name for the key you want to create, for example key-1.
- PROJECT: the name of the project, for example kms-test1.
2. Verify the key creation:

kubectl --kubeconfig ORG_ADMIN_KUBECONFIG \
  get aeadkey KEY_NAME \
  --namespace=PROJECT -o yaml

If the key creation is successful, you see the value True in the READY column.
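As an added example (not from the GDC documentation), the following POSIX shell wrapper ties the create and verify steps together: it validates the key name before anything reaches the API server, applies the AEADKey manifest, and polls the READY column until it reports True or a timeout expires, so an operator never proceeds with a key that is not yet usable. It assumes the org admin kubeconfig path is exported as an ORG_ADMIN_KUBECONFIG environment variable, a convention chosen here, and that kubectl is on the PATH.

```shell
#!/bin/sh
# Added example, not from the GDC docs: create an AEADKey and block until its
# READY column reports True. Assumes ORG_ADMIN_KUBECONFIG holds the kubeconfig path.
set -eu

# Kubernetes object names must be DNS-1123 labels; reject bad input locally
# instead of relying on the API server's error message.
valid_key_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# Emit the AEADKey manifest from the docs for a key name and project namespace.
aeadkey_manifest() {
  cat <<EOF
apiVersion: "kms.gdc.goog/v1"
kind: AEADKey
metadata:
  name: $1
  namespace: $2
spec:
  algorithm: AES_256_GCM
EOF
}

# Pull the READY column out of 'kubectl get aeadkey' table output read from stdin.
ready_from_table() {
  awk 'NR==1 { for (i = 1; i <= NF; i++) if ($i == "READY") col = i; next }
       NR==2 && col { print $col }'
}

# Poll READY until it is True; returns 1 when the timeout (seconds) expires.
wait_for_aeadkey_ready() {
  name="$1"; project="$2"; timeout="${3:-120}"; interval="${4:-5}"; elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    state=$(kubectl --kubeconfig "$ORG_ADMIN_KUBECONFIG" get aeadkey "$name" \
              --namespace="$project" 2>/dev/null | ready_from_table || true)
    [ "$state" = "True" ] && return 0
    sleep "$interval"; elapsed=$((elapsed + interval))
  done
  echo "aeadkey $project/$name not READY after ${timeout}s" >&2
  return 1
}

# Validate, apply, then wait: a caller only proceeds once the key is usable.
create_aeadkey() {
  valid_key_name "$1" || { echo "invalid key name: $1" >&2; return 2; }
  aeadkey_manifest "$1" "$2" | kubectl --kubeconfig "$ORG_ADMIN_KUBECONFIG" apply -f -
  wait_for_aeadkey_ready "$1" "$2"
}
```

Call it as `create_aeadkey key-1 kms-test1` with ORG_ADMIN_KUBECONFIG exported; a non-zero exit means either an invalid name or a key that never became READY.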
Delete a key

Complete the following steps:

1. Delete the key in the project namespace:

kubectl --kubeconfig ORG_ADMIN_KUBECONFIG \
  delete KEY_PRIMITIVE KEY_NAME \
  --namespace=PROJECT

Replace the following variables:

- ORG_ADMIN_KUBECONFIG: the kubeconfig file of the org admin cluster.
- KEY_PRIMITIVE: the type of key you want to delete, for example aeadkey for the AEAD key.
- KEY_NAME: the name of the key you want to delete, for example key-1.
- PROJECT: the name of the project, for example kms-test1.

2. Verify the key deletion, and ensure the key is no longer returned:

kubectl --kubeconfig ORG_ADMIN_KUBECONFIG \
  get KEY_PRIMITIVE KEY_NAME \
  --namespace=PROJECT