This page shows you how to update the external key reference for a Cloud EKM key without rotating the key. The new key reference must point to the same key material as the current key reference. If the key material has been rotated in the external key management partner system, you must rotate the key instead.
Use the instructions on this page if your external key management partner system has changed the key reference for an existing key. For example, the key reference can change as a result of a change to the hostname of the external key management partner or a change in their key reference structure.
Required roles
To get the permission that you need to update an external key reference, ask your administrator to grant you the Cloud KMS Admin (roles/cloudkms.admin) IAM role on your key.
For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the cloudkms.cryptoKeyVersions.update permission, which is required to update an external key reference.
You might also be able to get this permission with custom roles or other predefined roles.
Update the URI for a key version without rotation
To update the key reference for a Cloud EKM key that you use over the internet, complete the following steps:
In the Google Cloud console, go to the Key Management page.
Select the key ring, and then select the key and version.
Click More, and then click View key URI.
Click Update key URI.
Enter the new key URI, and then click Save.
To update the URI for the key version, use the gcloud kms keys versions update command:
gcloud kms keys versions update KEY_VERSION \
    --key KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION \
    --external-key-uri NEW_KEY_URI
Replace the following:
KEY_VERSION: the key version number.
KEY_NAME: the name of the key.
KEY_RING: the name of the key ring that contains the key.
LOCATION: the Cloud KMS location of the key ring.
NEW_KEY_URI: the new URI for the existing external key material.
Update the key path for a key version without rotation
To update the key reference for a Cloud EKM key that you use over a VPC network, complete the following steps:
In the Google Cloud console, go to the Key Management page.
Select the key ring, and then select the key and version.
Click More, and then click View key path.
Click Update key path.
Enter the new key path, and then click Save.
To update the key path of the key version, use the gcloud kms keys versions update command:
gcloud kms keys versions update KEY_VERSION \
    --key KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION \
    --ekm-connection-key-path NEW_KEY_PATH
Replace the following:
KEY_VERSION: the key version number.
KEY_NAME: the name of the key.
KEY_RING: the name of the key ring that contains the key.
LOCATION: the Cloud KMS location of the key ring.
NEW_KEY_PATH: the new path for the existing external key material.
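The following script is an added example that is not part of the Cloud KMS documentation. It wraps the two gcloud procedures above (updating the key URI for an EKM reached over the internet, and updating the key path for an EKM reached over a VPC network) in one function, and adds a step the page does not describe: after the update it reads the key version back with gcloud kms keys versions describe and only reports success if Cloud KMS now records exactly the new reference and the version is still ENABLED. It assumes gcloud is installed and authenticated as a principal holding cloudkms.cryptoKeyVersions.update; the field names externalProtectionLevelOptions.externalKeyUri and externalProtectionLevelOptions.ekmConnectionKeyPath are the CryptoKeyVersion API fields, and every key name, ring, location and reference value is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Cloud KMS documentation): update the external key reference of a
# Cloud EKM key version in place, then read the version back and confirm that Cloud KMS recorded
# the new reference and that the version is still ENABLED. Assumes gcloud is installed and the
# caller holds cloudkms.cryptoKeyVersions.update; every name below is a placeholder.

# Print "<state><TAB><reference>" for one key version.
# $1: field to read, externalKeyUri (internet EKM) or ekmConnectionKeyPath (VPC EKM)
# $2..$5: key version, key name, key ring, location
describe_reference() {
  gcloud kms keys versions describe "$2" --key "$3" --keyring "$4" --location "$5" \
    --format="value(state,externalProtectionLevelOptions.$1)"
}

# update_ekm_reference MODE KEY_VERSION KEY_NAME KEY_RING LOCATION NEW_REFERENCE
# MODE is "uri" (sets --external-key-uri) or "path" (sets --ekm-connection-key-path).
# Returns 0 only when the version afterwards reports exactly NEW_REFERENCE and state ENABLED.
update_ekm_reference() {
  mode=$1; version=$2; key=$3; keyring=$4; location=$5; new_ref=$6
  case "$mode" in
    uri)  flag=--external-key-uri;        field=externalKeyUri ;;
    path) flag=--ekm-connection-key-path; field=ekmConnectionKeyPath ;;
    *)    echo "mode must be uri or path" >&2; return 2 ;;
  esac

  before=$(describe_reference "$field" "$version" "$key" "$keyring" "$location") || return 1
  read -r old_state old_ref <<EOF
$before
EOF
  if [ "$old_ref" = "$new_ref" ]; then
    echo "$key/$version already references $new_ref (state $old_state); nothing to do" >&2
    return 0
  fi

  # Only the reference changes here; the key material behind it must be the same.
  # If the partner has rotated the material, rotate the Cloud KMS key instead.
  gcloud kms keys versions update "$version" --key "$key" --keyring "$keyring" \
    --location "$location" "$flag" "$new_ref" || return 1

  # Read the version back instead of trusting the exit status of the update alone.
  after=$(describe_reference "$field" "$version" "$key" "$keyring" "$location") || return 1
  read -r new_state got_ref <<EOF
$after
EOF
  if [ "$new_state" = ENABLED ] && [ "$got_ref" = "$new_ref" ]; then
    echo "$key/$version: $old_ref -> $new_ref (state $new_state)" >&2
    return 0
  fi
  echo "verification failed for $key/$version: state=$new_state reference=$got_ref" >&2
  return 1
}

# Run directly, for example:
#   ./update_ekm_reference.sh uri 1 my-key my-ring us-east1 https://ekm.example.com/v0/keys/abc
#   ./update_ekm_reference.sh path 1 my-key my-ring us-east1 projects/p/locations/us-east1/ekmConnections/c/keys/abc
if [ $# -ge 6 ]; then
  update_ekm_reference "$@"
fi
```

The read-back check confirms that Cloud KMS stored the new reference and that the version did not end up disabled or in an error state; it cannot tell whether the partner key material behind the new reference is the same as before. That property is exactly what the page requires, and the only way to satisfy it is procedural: apply this update only when the partner changed the reference (hostname, reference structure) and not the key, and rotate the key otherwise.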