This page describes how to update the Google Cloud CLI to enable support for
automatically wrapping keys for secure import into Cloud Key Management Service, by
installing the Pyca cryptography library. Version 2.2.0 or higher adds support for
the required aes_key_wrap_with_padding wrapping mechanism.
Before you begin
- Install or upgrade the Google Cloud CLI to version 253.0.0 or higher.
- Install the pip command if possible. pip is the platform-independent command-line interface to the Python Package Index. The package manager provided by your operating system may not provide version 2.2.0 or higher of the Pyca cryptographic library.
Installing and using pip
You can install and use pip on Linux, macOS, or Windows systems.
This command installs the library into your user environment, specifying the
minimum version to install. To install system-wide, omit the --user flag. You may
need to install pip as a privileged user.
pip install --user "cryptography>=2.2.0"
After installing the Pyca cryptographic libraries, you must enable site packages so the gcloud CLI can use the libraries.
Installing on Linux using a package manager
Follow these instructions on Linux systems if you can't use the pip command.
Debian or Ubuntu
If you use a system based on Debian or Ubuntu, you can install the Pyca
cryptographic library using the apt-get command.
Check the versions of the python-cryptography package available in the package database. Version 2.2.0 or higher is required.
apt policy python-cryptography
Install the package.
sudo apt-get install python-cryptography
If necessary, specify the version to install.
sudo apt-get install python-cryptography=version
After installing the Pyca cryptographic libraries, you must enable site packages so the gcloud CLI can use the libraries.
Red Hat, CentOS, or SUSE
If your system uses RPMs for package management, you can install the Pyca
cryptographic library using the yum command.
Check the versions of python-cryptography available in the package database. Version 2.2.0 or higher is required.
yum --showduplicates list python2-cryptography
Install the package.
sudo yum install python2-cryptography
If necessary, specify the version to install.
sudo yum install python2-cryptography-version
After installing the Pyca cryptographic libraries, you must enable site packages so the gcloud CLI can use the libraries.
Enabling site packages
By default, the Google Cloud CLI ignores Python libraries installed on your local system. To allow the Google Cloud CLI to use the Pyca cryptographic library, you need to enable site packages.
To enable site packages, set the CLOUDSDK_PYTHON_SITEPACKAGES environment variable
to 1. With site packages enabled, the gcloud CLI can use extra libraries outside of
the google-cloud-sdk/lib directory.
Linux
export CLOUDSDK_PYTHON_SITEPACKAGES=1
macOS
export CLOUDSDK_PYTHON_SITEPACKAGES=1
Windows
set CLOUDSDK_PYTHON_SITEPACKAGES=1
Enabling site packages may cause some gcloud CLI commands to fail. It is recommended that you disable site packages after importing your keys.
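The prerequisites described above can be verified before attempting a key import. The following preflight check is an added example, not part of the original page or of the gcloud CLI; the function names are hypothetical, and it assumes it is run with the same Python interpreter that the gcloud CLI uses.

```python
import importlib
import os
import re

MIN_VERSION = (2, 2, 0)  # minimum cryptography version stated on this page


def parse_version(text):
    """Return the leading numeric release of a version string as a 3-tuple."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError("unrecognised version string: %r" % text)
    parts = [int(p) for p in match.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def check_prerequisites(version, has_wrap_function, environ):
    """Return a list of problems; an empty list means wrapping can work."""
    problems = []
    if version is None:
        problems.append("cryptography is not installed for this interpreter")
    elif parse_version(version) < MIN_VERSION:
        problems.append("cryptography %s is older than 2.2.0" % version)
    elif not has_wrap_function:
        problems.append("aes_key_wrap_with_padding is missing")
    if environ.get("CLOUDSDK_PYTHON_SITEPACKAGES") != "1":
        problems.append("CLOUDSDK_PYTHON_SITEPACKAGES is not set to 1")
    return problems


def inspect_local_install():
    """Look up the installed library; returns (version or None, has_function)."""
    try:
        crypto = importlib.import_module("cryptography")
        keywrap = importlib.import_module("cryptography.hazmat.primitives.keywrap")
    except ImportError:
        return None, False
    return crypto.__version__, hasattr(keywrap, "aes_key_wrap_with_padding")


if __name__ == "__main__":
    found_version, found_function = inspect_local_install()
    issues = check_prerequisites(found_version, found_function, os.environ)
    for issue in issues:
        print("FAIL: " + issue)
    raise SystemExit(1 if issues else 0)
```

The script exits with status 0 only when the library version, the wrapping function, and the environment variable all match what this page requires.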
Disabling site packages
After you finish importing keys, it is recommended that you disable site
packages on systems where you use the gcloud CLI. To disable site
packages, set CLOUDSDK_PYTHON_SITEPACKAGES to 0.
Linux
export CLOUDSDK_PYTHON_SITEPACKAGES=0
macOS
export CLOUDSDK_PYTHON_SITEPACKAGES=0
Windows
set CLOUDSDK_PYTHON_SITEPACKAGES=0