hmac - CRUD operations on service account HMAC keys.
Synopsis
gsutil hmac create [-p <project>] <service_account_email>
gsutil hmac delete [-p <project>] <access_id>
gsutil hmac get [-p <project>] <access_id>
gsutil hmac list [-a] [-l] [-p <project>] [-u <service_account_email>]
gsutil hmac update -s (ACTIVE|INACTIVE) [-e <etag>] [-p <project>] <access_id>
Description
You can use the hmac command to interact with service account HMAC keys.
The hmac command has five sub-commands:
Create
The hmac create command creates an HMAC key for the specified service account:
gsutil hmac create test.service.account@test_project.iam.gserviceaccount.com
The secret key material is only available upon creation, so be sure to store the returned secret along with the access_id.
Create Options
The create sub-command has the following option:
- -p <project>
Specify the ID or number of the project in which to create a key.
Delete
The hmac delete command permanently deletes the specified HMAC key:
gsutil hmac delete GOOG56JBMFZX6PMPTQ62VD2
Note that keys must be updated to be in the INACTIVE state before they can be deleted.
Delete Options
The delete sub-command has the following option:
- -p <project>
Specify the ID or number of the project from which to delete a key.
Get
The hmac get command retrieves the specified HMAC key's metadata:
gsutil hmac get GOOG56JBMFZX6PMPTQ62VD2
Note that there is no option to retrieve a key's secret material after it has been created.
Get Options
The get sub-command has the following option:
- -p <project>
Specify the ID or number of the project from which to get a key.
List
The hmac list command lists the HMAC key metadata for keys in the specified project. If no project is specified in the command, the default project is used.
List Options
The list sub-command has the following options:
- -a
Show all keys, including recently deleted keys.
- -l
Use long listing format. Shows each key's full metadata excluding the secret.
- -p <project>
Specify the ID or number of the project from which to list keys.
- -u <service_account_email>
Filter keys for a single service account.
Update
The hmac update command sets the state of the specified key:
gsutil hmac update -s INACTIVE -e M42da= GOOG56JBMFZX6PMPTQ62VD2
Valid state arguments are ACTIVE and INACTIVE. To set a key to state DELETED, use the hmac delete command on an INACTIVE key. If an etag is set in the command, it will only succeed if the provided etag matches the etag of the stored key.
Update Options
The update sub-command has the following options:
- -s <ACTIVE|INACTIVE>
Sets the state of the specified key to either ACTIVE or INACTIVE.
- -e <etag>
If provided, the update will only be performed if the specified etag matches the etag of the stored key.
- -p <project>
Specify the ID or number of the project in which to update a key.
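Added example (not part of the gsutil documentation): two shell wrappers that combine the create, update and delete sub-commands described above for key rotation. The function names, their argument order and the secret file path are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not part of gsutil): wrappers around the hmac sub-commands
# documented above. Function names and arguments are assumptions.

# create_hmac_key <service_account_email> <secret_file> [project]
# "gsutil hmac create" is the only time the secret is shown, so its output
# goes straight into a new owner-only file rather than the terminal.
create_hmac_key() {
    sa_email=$1; secret_file=$2; project=${3:-}
    (
        umask 077                          # new file gets mode 0600
        set -C                             # noclobber: never overwrite a file
        : > "$secret_file" || exit 1       # fails if the file already exists
        gsutil hmac create ${project:+-p "$project"} "$sa_email" \
            >> "$secret_file" || { rm -f "$secret_file"; exit 1; }
    )
}

# retire_hmac_key <access_id> [project] [etag]
# A key must be INACTIVE before it can be deleted. Passing the etag makes
# the update fail if the stored key changed since it was last inspected,
# and in that case the delete is skipped.
retire_hmac_key() {
    access_id=$1; project=${2:-}; etag=${3:-}
    gsutil hmac update -s INACTIVE ${etag:+-e "$etag"} \
        ${project:+-p "$project"} "$access_id" || {
        echo "update failed; $access_id was not deleted" >&2
        return 1
    }
    gsutil hmac delete ${project:+-p "$project"} "$access_id"
}
```

Running the update step on its own first and deleting later leaves a window in which the key can still be set back to ACTIVE.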