# Create and delete keys

The AO performs key management operations through the `kubectl` command to access the Management API server.

Before you begin
----------------

Before performing KMS operations, configure the `kubectl` command to access the Management API server. To do this, [get a kubeconfig file](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-auth#get-kubeconfig) using the [gdcloud command-line interface (CLI)](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-overview).

To get the permissions that you need to create keys, ask your Organization IAM Admin to grant you the KMS Creator (`kms-creator`) role in your project. If you need additional privileges, such as deleting keys, request the KMS Admin (`kms-admin`) role.

Create a key
------------

Complete the following steps:

1. Create a key in the project namespace. The following example creates the `AEAD` key:

   ```sh
   kubectl --kubeconfig MANAGEMENT_API_SERVER \
     apply -f - << EOF
   apiVersion: "kms.gdc.goog/v1"
   kind: AEADKey
   metadata:
     name: KEY_NAME
     namespace: PROJECT
   spec:
     algorithm: AES_256_GCM
   EOF
   ```

   Replace the following variables:
   - `MANAGEMENT_API_SERVER`: the kubeconfig file of the Management API server. [Sign in and generate](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in) the kubeconfig file if you don't have one.
   - `KEY_NAME`: a name for the key you want to create, for example `key-1`.
   - `PROJECT`: the name of the project, for example `kms-test1`.

2. Verify the key creation:

   ```sh
   kubectl --kubeconfig MANAGEMENT_API_SERVER \
     get aeadkey KEY_NAME \
     --namespace=PROJECT -o yaml
   ```

   If the key creation is successful, you see the value `True` in the `READY` column.
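An added example, not part of the GDC documentation: bash helpers that wrap the create step above. They validate `KEY_NAME` and `PROJECT` as Kubernetes object names before anything reaches the Management API server, render the same AEADKey manifest, and poll the default `kubectl get` table (not the `-o yaml` form) until the `READY` column reads `True`, with a timeout, rather than relying on a single check. `kubectl` on PATH and a kubeconfig path for the Management API server are assumed.

```shell
# Added helper functions for the create step; not part of the GDC documentation.
# Assumed: kubectl on PATH and the Management API server kubeconfig path.

# Reject anything that is not a valid Kubernetes object name (DNS-1123 label),
# so a typo is caught locally instead of by the Management API server.
valid_k8s_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# Render the same AEADKey manifest the page applies in step 1.
aeadkey_manifest() {
  local key="$1" project="$2"
  valid_k8s_name "$key" && valid_k8s_name "$project" || return 2
  cat <<EOF
apiVersion: "kms.gdc.goog/v1"
kind: AEADKey
metadata:
  name: $key
  namespace: $project
spec:
  algorithm: AES_256_GCM
EOF
}

# Read a 'kubectl get' table from stdin and succeed only if the READY column
# (located by its header, so column order does not matter) reads True.
ready_column_is_true() {
  awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "READY") c = i; next }
       c && $c == "True" { found = 1 }
       END { exit !found }'
}

# Poll until the key reports READY=True or the timeout (seconds) expires.
wait_for_ready() {
  local key="$1" project="$2" kubeconfig="$3" timeout="${4:-60}" i=0
  while [ "$i" -lt "$timeout" ]; do
    kubectl --kubeconfig "$kubeconfig" get aeadkey "$key" --namespace="$project" 2>/dev/null |
      ready_column_is_true && return 0
    sleep 1; i=$((i + 1))
  done
  echo "timed out waiting for aeadkey/$key in $project to become READY" >&2
  return 1
}

# Apply the manifest and block until the key is usable.
create_aead_key() {
  local key="$1" project="$2" kubeconfig="$3"
  aeadkey_manifest "$key" "$project" | kubectl --kubeconfig "$kubeconfig" apply -f - || return 1
  wait_for_ready "$key" "$project" "$kubeconfig"
}
```

Call it as `create_aead_key key-1 kms-test1 /path/to/management-api-kubeconfig`; a non-zero exit means the apply failed or the key never became READY within the timeout.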
Delete a key
------------

Complete the following steps:

1. Delete the key in the project namespace:

   ```sh
   kubectl --kubeconfig MANAGEMENT_API_SERVER \
     delete KEY_PRIMITIVE KEY_NAME \
     --namespace=PROJECT
   ```

   Replace the following variables:
   - `MANAGEMENT_API_SERVER`: the kubeconfig file of the Management API server. [Sign in and generate](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in) the kubeconfig file if you don't have one.
   - `KEY_PRIMITIVE`: the resource type of the key you want to delete, for example `aeadkey` for the `AEAD` key.
   - `KEY_NAME`: the name of the key you want to delete, for example `key-1`.
   - `PROJECT`: the name of the project, for example `kms-test1`.

2. Verify the key deletion, and ensure the key is no longer returned:

   ```sh
   kubectl --kubeconfig MANAGEMENT_API_SERVER \
     get KEY_PRIMITIVE KEY_NAME \
     --namespace=PROJECT
   ```

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025/09/05 (UTC).