File: //snap/google-cloud-cli/396/help/man/man1/gcloud_beta_kms_keys_update.1
.TH "GCLOUD_BETA_KMS_KEYS_UPDATE" 1
.SH "NAME"
.HP
gcloud beta kms keys update \- update a key
.SH "SYNOPSIS"
.HP
\f5gcloud beta kms keys update\fR (\fIKEY\fR\ :\ \fB\-\-keyring\fR=\fIKEYRING\fR\ \fB\-\-location\fR=\fILOCATION\fR) [\fB\-\-allowed\-access\-reasons\fR=[\fIALLOWED_ACCESS_REASONS\fR,...]] [\fB\-\-default\-algorithm\fR=\fIDEFAULT_ALGORITHM\fR] [\fB\-\-next\-rotation\-time\fR=\fINEXT_ROTATION_TIME\fR] [\fB\-\-primary\-version\fR=\fIPRIMARY_VERSION\fR] [\fB\-\-remove\-key\-access\-justifications\-policy\fR] [\fB\-\-remove\-rotation\-schedule\fR] [\fB\-\-rotation\-period\fR=\fIROTATION_PERIOD\fR] [\fB\-\-update\-labels\fR=[\fIKEY\fR=\fIVALUE\fR,...]] [\fB\-\-clear\-labels\fR\ |\ \fB\-\-remove\-labels\fR=[\fIKEY\fR,...]] [\fIGCLOUD_WIDE_FLAG\ ...\fR]
.SH "DESCRIPTION"
\fB(BETA)\fR 1. Update the rotation schedule for the given key.
Updates the rotation schedule for the given key. The schedule automatically
creates a new primary version for the key according to
\f5next\-rotation\-time\fR and \f5rotation\-period\fR flags.
Flag \f5next\-rotation\-time\fR must be in ISO 8601 or RFC3339 format, and
\f5rotation\-period\fR must be in the form INTEGER[UNIT], where units can be one
of seconds (s), minutes (m), hours (h) or days (d).
Key rotations performed manually via \f5update\-primary\-version\fR and the
version \f5create\fR do not affect the stored \f5next\-rotation\-time\fR.
2. Remove the rotation schedule for the given key with
\f5remove\-rotation\-schedule\fR flag.
3. Update/Remove the labels for the given key with \f5update\-labels\fR and/or
\f5remove\-labels\fR flags.
4. Update the primary version for the given key with \f5primary\-version\fR
flag.
5. Update the Key Access Justifications policy for the given key with
\f5allowed\-access\-reasons\fR flag to allow specified reasons. The key must be
enrolled in Key Access Justifications to use this flag.
6. Remove the Key Access Justifications policy for the given key with
\f5remove\-key\-access\-justifications\-policy\fR flag. The key must be enrolled
in Key Access Justifications to use this flag.
7. Update the Key Access Justifications policy for the given key with
\f5allowed_access_reasons\fR flag to allow zero access reasons. This effectively
disables the key, because a policy is configured to reject all access reasons.
The key must be enrolled in Key Access Justifications to use this flag.
.SH "EXAMPLES"
The following command sets a 30 day rotation period for the key named
\f5frodo\fR within the keyring \f5fellowship\fR and location \f5global\fR
starting at the specified time:
.RS 2m
$ gcloud beta kms keys update frodo \-\-location=global \e
\-\-keyring=fellowship \-\-rotation\-period=30d \e
\-\-next\-rotation\-time=2017\-10\-12T12:34:56.1234Z
.RE
The following command removes the rotation schedule for the key named
\f5frodo\fR within the keyring \f5fellowship\fR and location \f5global\fR:
.RS 2m
$ gcloud beta kms keys update frodo \-\-location=global \e
\-\-keyring=fellowship \-\-remove\-rotation\-schedule
.RE
The following command updates the labels value for the key named \f5frodo\fR
within the keyring \f5fellowship\fR and location \f5global\fR. If the label key
does not exist at the time, it will be added:
.RS 2m
$ gcloud beta kms keys update frodo \-\-location=global \e
\-\-keyring=fellowship \-\-update\-labels=k1=v1
.RE
The following command removes labels k1 and k2 from the key named \f5frodo\fR
within the keyring \f5fellowship\fR and location \f5global\fR:
.RS 2m
$ gcloud beta kms keys update frodo \-\-location=global \e
\-\-keyring=fellowship \-\-remove\-labels=k1,k2
.RE
The following command updates the primary version for the key named \f5frodo\fR
within the keyring \f5fellowship\fR and location \f5global\fR:
.RS 2m
$ gcloud beta kms keys update frodo \-\-location=global \e
\-\-keyring=fellowship \-\-primary\-version=1
.RE
The following command updates the default algorithm for the key named
\f5frodo\fR within the keyring \f5fellowship\fR and location \f5global\fR,
assuming the key originally has purpose 'asymmetric\-encryption' and algorithm
\'rsa\-decrypt\-oaep\-2048\-sha256':
.RS 2m
$ gcloud beta kms keys update frodo \-\-location=global \e
\-\-keyring=fellowship \e
\-\-default\-algorithm=rsa\-decrypt\-oaep\-4096\-sha256
.RE
The following command updates the Key Access Justifications policy for the key
named \f5frodo\fR within the keyring \f5\fIfellowship\fR\fR and location
\f5\fIglobal\fR\fR to allow only \f5\fIcustomer\-initiated\-access\fR\fR and
\f5\fIgoogle\-initiated\-system\-operation\fR\fR:
.RS 2m
$ gcloud beta kms keys update frodo \-\-location=global \e
\-\-keyring=fellowship \e
\-\-allowed\-access\-reasons=customer\-initiated\-access,\e
google\-initiated\-system\-operation
.RE
The following command removes the Key Access Justifications policy for the key
named \f5frodo\fR within the keyring \f5\fIfellowship\fR\fR and location
\f5\fIglobal\fR\fR, which results in all access reasons being allowed:
.RS 2m
$ gcloud beta kms keys update frodo \-\-location=global \e
\-\-keyring=fellowship \-\-remove\-key\-access\-justifications\-policy
.RE
The following command updates the Key Access Justifications policy for the key
named \f5frodo\fR within the keyring \f5\fIfellowship\fR\fR and location
\f5\fIglobal\fR\fR to allow only zero access reasons, effectively disabling the
key:
.RS 2m
$ gcloud beta kms keys update frodo \-\-location=global \e
\-\-keyring=fellowship \-\-allowed\-access\-reasons=
.RE
.SH "POSITIONAL ARGUMENTS"
.RS 2m
.TP 2m
Key resource \- The KMS key resource. The arguments in this group can be used to
specify the attributes of this resource. (NOTE) Some attributes are not given
arguments in this group but can be set in other ways.
To set the \f5project\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5key\fR on the command line with a fully specified name;
.IP "\(em" 2m
set the property \f5core/project\fR.
.RE
.sp
This must be specified.
.RS 2m
.TP 2m
\fIKEY\fR
ID of the key or fully qualified identifier for the key.
To set the \f5key\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5key\fR on the command line.
.RE
.sp
This positional argument must be specified if any of the other arguments in this
group are specified.
.TP 2m
\fB\-\-keyring\fR=\fIKEYRING\fR
The KMS keyring of the key.
To set the \f5keyring\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5key\fR on the command line with a fully specified name;
.IP "\(bu" 2m
provide the argument \f5\-\-keyring\fR on the command line.
.RE
.sp
.TP 2m
\fB\-\-location\fR=\fILOCATION\fR
The Google Cloud location for the key.
To set the \f5location\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5key\fR on the command line with a fully specified name;
.IP "\(bu" 2m
provide the argument \f5\-\-location\fR on the command line.
.RE
.sp
.RE
.RE
.sp
.SH "FLAGS"
.RS 2m
.TP 2m
\fB\-\-allowed\-access\-reasons\fR=[\fIALLOWED_ACCESS_REASONS\fR,...]
The list of allowed Key Access Justifications access reasons on the key. The key
must be enrolled in Key Access Justifications to configure this field. By
default, this field is absent, and all justification codes are allowed. For more
information about justification codes, see
https://cloud.google.com/assured\-workloads/key\-access\-justifications/docs/justification\-codes.
\fIALLOWED_ACCESS_REASONS\fR must be one of:
\fBcustomer\-authorized\-workflow\-servicing\fR,
\fBcustomer\-initiated\-access\fR, \fBcustomer\-initiated\-support\fR,
\fBgoogle\-initiated\-review\fR, \fBgoogle\-initiated\-service\fR,
\fBgoogle\-initiated\-system\-operation\fR,
\fBgoogle\-response\-to\-production\-alert\fR,
\fBmodified\-customer\-initiated\-access\fR,
\fBmodified\-google\-initiated\-system\-operation\fR,
\fBreason\-not\-expected\fR, \fBreason\-unspecified\fR,
\fBthird\-party\-data\-request\fR.
.TP 2m
\fB\-\-default\-algorithm\fR=\fIDEFAULT_ALGORITHM\fR
The default algorithm for the crypto key. For more information about choosing an
algorithm, see https://cloud.google.com/kms/docs/algorithms.
\fIDEFAULT_ALGORITHM\fR must be one of: \fBaes\-128\-cbc\fR,
\fBaes\-128\-ctr\fR, \fBaes\-128\-gcm\fR, \fBaes\-256\-cbc\fR,
\fBaes\-256\-ctr\fR, \fBaes\-256\-gcm\fR, \fBec\-sign\-ed25519\fR,
\fBec\-sign\-p256\-sha256\fR, \fBec\-sign\-p384\-sha384\fR,
\fBec\-sign\-secp256k1\-sha256\fR, \fBexternal\-symmetric\-encryption\fR,
\fBgoogle\-symmetric\-encryption\fR, \fBhmac\-sha1\fR, \fBhmac\-sha224\fR,
\fBhmac\-sha256\fR, \fBhmac\-sha384\fR, \fBhmac\-sha512\fR, \fBkem\-xwing\fR,
\fBml\-kem\-1024\fR, \fBml\-kem\-768\fR,
\fBpq\-sign\-hash\-slh\-dsa\-sha2\-128s\-sha256\fR, \fBpq\-sign\-ml\-dsa\-65\fR,
\fBpq\-sign\-slh\-dsa\-sha2\-128s\fR, \fBrsa\-decrypt\-oaep\-2048\-sha1\fR,
\fBrsa\-decrypt\-oaep\-2048\-sha256\fR, \fBrsa\-decrypt\-oaep\-3072\-sha1\fR,
\fBrsa\-decrypt\-oaep\-3072\-sha256\fR, \fBrsa\-decrypt\-oaep\-4096\-sha1\fR,
\fBrsa\-decrypt\-oaep\-4096\-sha256\fR, \fBrsa\-decrypt\-oaep\-4096\-sha512\fR,
\fBrsa\-sign\-pkcs1\-2048\-sha256\fR, \fBrsa\-sign\-pkcs1\-3072\-sha256\fR,
\fBrsa\-sign\-pkcs1\-4096\-sha256\fR, \fBrsa\-sign\-pkcs1\-4096\-sha512\fR,
\fBrsa\-sign\-pss\-2048\-sha256\fR, \fBrsa\-sign\-pss\-3072\-sha256\fR,
\fBrsa\-sign\-pss\-4096\-sha256\fR, \fBrsa\-sign\-pss\-4096\-sha512\fR,
\fBrsa\-sign\-raw\-pkcs1\-2048\fR, \fBrsa\-sign\-raw\-pkcs1\-3072\fR,
\fBrsa\-sign\-raw\-pkcs1\-4096\fR.
.TP 2m
\fB\-\-next\-rotation\-time\fR=\fINEXT_ROTATION_TIME\fR
Next automatic rotation time of the key. See $ gcloud topic datetimes for
information on time formats.
.TP 2m
\fB\-\-primary\-version\fR=\fIPRIMARY_VERSION\fR
Primary version to make primary.
.TP 2m
\fB\-\-remove\-key\-access\-justifications\-policy\fR
Removes the Key Access Justifications policy on the key, making all
justification codes allowed.
.TP 2m
\fB\-\-remove\-rotation\-schedule\fR
Remove any existing rotation schedule on the key.
.TP 2m
\fB\-\-rotation\-period\fR=\fIROTATION_PERIOD\fR
Automatic rotation period of the key. See $ gcloud topic datetimes for
information on duration formats.
.TP 2m
\fB\-\-update\-labels\fR=[\fIKEY\fR=\fIVALUE\fR,...]
List of label KEY=VALUE pairs to update. If a label exists, its value is
modified. Otherwise, a new label is created.
Keys must start with a lowercase character and contain only hyphens (\f5\-\fR),
underscores (\f5_\fR), lowercase characters, and numbers. Values must contain
only hyphens (\f5\-\fR), underscores (\f5_\fR), lowercase characters, and
numbers.
.TP 2m
At most one of these can be specified:
.RS 2m
.TP 2m
\fB\-\-clear\-labels\fR
Remove all labels. If \f5\-\-update\-labels\fR is also specified then
\f5\-\-clear\-labels\fR is applied first.
For example, to remove all labels:
.RS 2m
$ gcloud beta kms keys update \-\-clear\-labels
.RE
To remove all existing labels and create two new labels, \f5\fIfoo\fR\fR and
\f5\fIbaz\fR\fR:
.RS 2m
$ gcloud beta kms keys update \-\-clear\-labels \e
\-\-update\-labels foo=bar,baz=qux
.RE
.TP 2m
\fB\-\-remove\-labels\fR=[\fIKEY\fR,...]
List of label keys to remove. If a label does not exist it is silently ignored.
If \f5\-\-update\-labels\fR is also specified then \f5\-\-update\-labels\fR is
applied first.
.RE
.RE
.sp
.SH "GCLOUD WIDE FLAGS"
These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.
Run \fB$ gcloud help\fR for details.
.SH "NOTES"
This command is currently in beta and might change without notice. These
variants are also available:
.RS 2m
$ gcloud kms keys update
.RE
.RS 2m
$ gcloud alpha kms keys update
.RE