gcloud secrets replication update

NAME
gcloud secrets replication update - update a secret replica's metadata
SYNOPSIS
gcloud secrets replication update SECRET [--remove-cmek     | --location=REPLICA-LOCATION --set-kms-key=SET-KMS-KEY] [GCLOUD_WIDE_FLAG]
DESCRIPTION
Update a secret replica's metadata (e.g. cmek policy). This command will return an error if given a secret that does not exist or if given a location that the given secret doesn't exist in.

The --remove-kms-key flag is only valid for Secrets that have an automatic replication policy or exist in a single location. To remove keys from a Secret with multiple user managed replicas, please use the set-replication command.

EXAMPLES
To remove CMEK from a secret called 'my-secret', run:
gcloud secrets replication update my-secret --remove-cmek

To set the CMEK key on an automatic secret called my-secret to a specified KMS key, run:

$gcloud secrets replication update my-secret
--set-kms-key=projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key

To set the CMEK key on a secret called my-secret to a specified KMS key in a specified location in its replication, run:

$gcloud secrets replication update my-secret
--set-kms-key=projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key
--location=us-central1
POSITIONAL ARGUMENTS
Secret resource - The secret to update. This represents a Cloud resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways.

To set the project attribute:

  • provide the argument SECRET on the command line with a fully specified name;
  • provide the argument --project on the command line;
  • set the property core/project.

This must be specified.

SECRET
ID of the secret or fully qualified identifier for the secret.

To set the secret attribute:

  • provide the argument SECRET on the command line.
FLAGS
Replication update.

At most one of these can be specified:

--remove-cmek
Remove customer managed encryption key so that future versions will be encrypted by a Google managed encryption key.
CMEK Update.
--location=REPLICA-LOCATION
Location of replica to update. For secrets with automatic replication policies, this can be omitted.
--set-kms-key=SET-KMS-KEY
New KMS key with which to encrypt and decrypt future secret versions.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES
This variant is also available:
gcloud beta secrets replication update