gcloud_alpha_kms_keys_create (1)
NAME
gcloud alpha kms keys create - create a new key
SYNOPSIS
gcloud alpha kms keys create KEY --purpose=PURPOSE [--default-algorithm=DEFAULT_ALGORITHM] [--keyring=KEYRING] [--labels=[KEY=VALUE,...]] [--location=LOCATION] [--next-rotation-time=NEXT_ROTATION_TIME] [--protection-level=PROTECTION_LEVEL; default="software"] [--rotation-period=ROTATION_PERIOD] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(ALPHA) Creates a new key within the given keyring.
The optional flags rotation-period and next-rotation-time define a rotation schedule for the key. A schedule can also be defined by the create-rotation-schedule command.
The flag next-rotation-time must be in ISO 8601 or RFC3339 format, and rotation-period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).
The optional flag protection-level specifies the protection level of the created key. The default is software; use "HSM" to create a hardware-backed key.
POSITIONAL ARGUMENTS
- KEY
  Name of the key to create.
REQUIRED FLAGS
- --purpose=PURPOSE
  The "purpose" of the key. PURPOSE must be one of: asymmetric-encryption, asymmetric-signing, encryption.
OPTIONAL FLAGS
- --default-algorithm=DEFAULT_ALGORITHM
  The default algorithm for the crypto key. DEFAULT_ALGORITHM must be one of: ec-sign-p256-sha256, ec-sign-p384-sha384, google-symmetric-encryption, rsa-decrypt-oaep-2048-sha256, rsa-decrypt-oaep-3072-sha256, rsa-decrypt-oaep-4096-sha256, rsa-decrypt-oaep-4096-sha512, rsa-sign-pkcs1-2048-sha256, rsa-sign-pkcs1-3072-sha256, rsa-sign-pkcs1-4096-sha256, rsa-sign-pkcs1-4096-sha512, rsa-sign-pss-2048-sha256, rsa-sign-pss-3072-sha256, rsa-sign-pss-4096-sha256, rsa-sign-pss-4096-sha512.
- --keyring=KEYRING
  Key ring of the key.
- --labels=[KEY=VALUE,...]
  List of label KEY=VALUE pairs to add.
  Keys must start with a lowercase character and contain only hyphens (-), underscores (_), lowercase characters, and numbers. Values must contain only hyphens (-), underscores (_), lowercase characters, and numbers.
- --location=LOCATION
  Location of the key.
- --next-rotation-time=NEXT_ROTATION_TIME
  Next automatic rotation time of the key. See $ gcloud topic datetimes for information on time formats.
- --protection-level=PROTECTION_LEVEL; default="software"
  Protection level of the key. PROTECTION_LEVEL must be one of: software, hsm.
- --rotation-period=ROTATION_PERIOD
  Automatic rotation period of the key. See $ gcloud topic datetimes for information on duration formats.
GCLOUD WIDE FLAGS
These flags are available to all commands: --account, --configuration, --flags-file, --flatten, --format, --help, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity. Run $ gcloud help for details.
EXAMPLES
The following command creates a key named frodo within the keyring fellowship and location us-east1:
$ gcloud alpha kms keys create frodo \
    --location us-east1 \
    --keyring fellowship \
    --purpose encryption
The following command creates a key named strider within the keyring rangers and location global with a specified rotation schedule:
$ gcloud alpha kms keys create strider \
    --location global --keyring rangers \
    --purpose encryption \
    --rotation-period 30d \
    --next-rotation-time 2017-10-12T12:34:56.1234Z
The following command creates an asymmetric key named samwise with default algorithm 'ec-sign-p256-sha256' within the keyring fellowship and location us-east1:
$ gcloud alpha kms keys create samwise \
    --location us-east1 \
    --keyring fellowship \
    --purpose asymmetric-signing \
    --default-algorithm ec-sign-p256-sha256
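The following is an added example, not part of the gcloud documentation: a pre-flight wrapper that checks --rotation-period (the INTEGER[UNIT] form from DESCRIPTION) and --labels (the character rules under OPTIONAL FLAGS) before creating an HSM-backed key. The function names, the 90-day ceiling, and treating a bare integer as seconds are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the gcloud documentation. Function names and the
# 90-day ceiling are assumptions; the formats checked are the ones stated above.
LC_ALL=C; export LC_ALL                 # keep [a-z] ranges ASCII-only
MAX_ROTATION_SECONDS=$((90 * 86400))    # assumed local policy ceiling

# Convert ROTATION_PERIOD (INTEGER[UNIT], unit s/m/h/d) to seconds.
# Assumptions: a bare integer means seconds; leading zeros are rejected.
rotation_period_seconds() {
  num=${1%[smhd]}; unit=${1#"$num"}
  case $num in ''|*[!0-9]*|0?*) return 1 ;; esac
  case $unit in
    ''|s) echo "$num" ;;
    m) echo $(($num * 60)) ;;
    h) echo $(($num * 3600)) ;;
    d) echo $(($num * 86400)) ;;
    *) return 1 ;;
  esac
}

# Check a --labels value: comma-separated KEY=VALUE pairs, KEY starting with a
# lowercase letter, both restricted to lowercase letters, digits, '-' and '_'.
valid_labels() {
  rest=$1
  while [ -n "$rest" ]; do
    pair=${rest%%,*}
    case $rest in *,*) rest=${rest#*,} ;; *) rest= ;; esac
    case $pair in *=*) ;; *) return 1 ;; esac
    k=${pair%%=*}; v=${pair#*=}
    case $k in [a-z]*) ;; *) return 1 ;; esac
    case $k$v in *[!a-z0-9_-]*) return 1 ;; esac
  done
  return 0
}

# Create an HSM-backed symmetric key only when both checks pass.
# usage: create_hsm_key KEY KEYRING LOCATION PERIOD NEXT_ROTATION_TIME LABELS
create_hsm_key() {
  secs=$(rotation_period_seconds "$4") || { echo "bad rotation-period: $4" >&2; return 1; }
  [ "$secs" -le "$MAX_ROTATION_SECONDS" ] || { echo "rotation-period over ceiling: $4" >&2; return 1; }
  valid_labels "$6" || { echo "bad labels: $6" >&2; return 1; }
  gcloud alpha kms keys create "$1" --keyring "$2" --location "$3" \
    --purpose encryption --protection-level hsm \
    --rotation-period "$4" --next-rotation-time "$5" --labels "$6"
}
```

NEXT_ROTATION_TIME is passed through unchecked; see $ gcloud topic datetimes for the accepted formats.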
NOTES
This command is currently in ALPHA and may change without notice. If this command fails with API permission errors despite specifying the right project, you will have to apply for early access and have your projects registered on the API whitelist to use it. To do so, contact Support at cloud.google.com/support.
These variants are also available:
$ gcloud kms keys create
$ gcloud beta kms keys create