
security key-manager external gcp enable


Enable a Google Cloud KMS

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

This command enables the Google Cloud Key Management Service (GCKMS) associated with the given Vserver. A GCP project and GCKMS key must be deployed in the GCP console prior to running this command. GCKMS can only be enabled on a data Vserver that does not already have a key manager configured. GCKMS cannot be enabled in a MetroCluster environment.

Parameters

-vserver <Vserver Name> - Vserver

Use this parameter to specify the Vserver on which the GCKMS is to be enabled.

-project-id <text> - Google Cloud KMS Project (Application) ID

Use this parameter to specify the project ID of the deployed GCP project.

-key-ring-name <text> - Google Cloud KMS Key Ring Name

Use this parameter to specify the key ring name of the deployed GCP project.

-key-ring-location <text> - Google Cloud KMS Key Ring Location

Use this parameter to specify the location of the key ring.

-key-name <text> - Google Cloud KMS Key Encryption Key Name

Use this parameter to specify the key name of the GCKMS Key Encryption Key (KEK).

[-oauth-host <text>] - Open Authorization Host Name

Use this parameter to specify the host name of the Open Authorization (OAuth) server.

[-oauth-url <text>] - Open Authorization URL

Use this parameter to specify the URL from which the Open Authorization (OAuth) access token is obtained.

[-privileged-account <text>] - Google Cloud Privileged Service Account

Use this parameter to specify a privileged service account (email address) with both cloudkms.cryptoKeyVersions.useToEncrypt and cloudkms.cryptoKeyVersions.useToDecrypt permissions. If this parameter is specified, any calls made to the GCKMS will first use iam.serviceAccounts.getAccessToken to impersonate the privileged account.

Examples

The following example enables the GCKMS for Vserver v1. The parameters in the example command identify a Google Cloud Platform (GCP) project application deployed on GCP. The GCP project application has a Project ID "test_project", a key ring name "key_ring_for_test_project", a key ring location "secure_location_for_key_ring", a key name "testKEK", and an OAuth server at 10.12.34.1.

cluster-1::*> security key-manager external gcp enable -vserver v1 -project-id test_project -key-ring-name key_ring_for_test_project -key-ring-location secure_location_for_key_ring -key-name testKEK -oauth-host 10.12.34.1

Enter the contents of the Google Cloud Key Management Service account key file (json file): Press <Enter> when done
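The command above takes its inputs interactively and only reports problems once it tries to reach Cloud KMS. The following pre-flight checker is an added example, not NetApp or ONTAP code: it validates offline the same inputs the command consumes (the service-account key JSON pasted at the prompt, the -project-id / -key-ring-location / -key-ring-name / -key-name tuple rendered as the Cloud KMS CryptoKey resource name, and the optional -privileged-account email) against the documented GCP formats. The sample key file is constructed and contains a placeholder rather than a real private key; treating -oauth-host as the host of the key file's token_uri is an assumption about how ONTAP uses that parameter.

```python
"""Offline pre-flight checks for `security key-manager external gcp enable`.

Added example; not ONTAP/NetApp code. Returns a list of "ERROR:"/"WARN:" strings
(empty means the inputs look consistent) so it can be scripted before pasting the
key file into the interactive prompt.
"""
import json
import re
from urllib.parse import urlparse

# Documented GCP formats:
#  - project IDs: 6-30 chars, lowercase letters, digits, hyphens; start with a letter, not end with a hyphen
#  - Cloud KMS key ring / key IDs: 1-63 chars of letters, digits, underscores, hyphens
#  - service-account emails end in .gserviceaccount.com
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
KMS_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")
SA_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.gserviceaccount\.com$")
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email", "token_uri")


def crypto_key_name(project_id, location, key_ring, key_name):
    """CryptoKey resource name that the four KMS parameters designate (the KEK)."""
    return (f"projects/{project_id}/locations/{location}"
            f"/keyRings/{key_ring}/cryptoKeys/{key_name}")


def check_kms_target(project_id, location, key_ring, key_name):
    """Syntactic checks on -project-id, -key-ring-location, -key-ring-name, -key-name."""
    problems = []
    if not PROJECT_ID_RE.match(project_id):
        problems.append(f"ERROR: -project-id {project_id!r} is not a valid GCP project ID")
    for label, value in (("-key-ring-name", key_ring), ("-key-name", key_name)):
        if not KMS_ID_RE.match(value):
            problems.append(f"ERROR: {label} {value!r} is not a valid Cloud KMS resource ID")
    if not location:
        problems.append("ERROR: -key-ring-location must name a KMS location (e.g. global, us-east1)")
    return problems


def check_key_file(raw_json, project_id, oauth_host=None):
    """Validate the service-account key JSON that is pasted at the command's prompt."""
    try:
        key = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"ERROR: key file is not valid JSON ({exc.msg})"]
    missing = [f for f in REQUIRED_KEY_FIELDS if f not in key]
    if missing:
        return [f"ERROR: key file is missing fields: {', '.join(missing)}"]
    problems = []
    if key["type"] != "service_account":
        problems.append(f"ERROR: key file type is {key['type']!r}, expected 'service_account'")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("ERROR: private_key is not a PEM-encoded PKCS#8 private key")
    if not SA_EMAIL_RE.match(key["client_email"]):
        problems.append(f"ERROR: client_email {key['client_email']!r} is not a service-account email")
    if key["project_id"] != project_id:
        # Legitimate when the service account lives in another project and is granted
        # access on the key, so this is a warning rather than an error.
        problems.append(f"WARN: key file project_id {key['project_id']!r} differs from "
                        f"-project-id {project_id!r}")
    if oauth_host:
        # Assumption: -oauth-host is meant to match the host of the key file's token_uri.
        token_host = urlparse(key["token_uri"]).hostname
        if token_host != oauth_host:
            problems.append(f"WARN: -oauth-host {oauth_host!r} differs from token_uri host {token_host!r}")
    return problems


def check_privileged_account(email):
    """-privileged-account must be a service-account email if it is given at all."""
    if email is None:
        return []
    if not SA_EMAIL_RE.match(email):
        return [f"ERROR: -privileged-account {email!r} is not a service-account email"]
    return []


def preflight(project_id, location, key_ring, key_name, raw_key_json,
              oauth_host=None, privileged_account=None):
    """Run every check; an empty list means the inputs are consistent."""
    return (check_kms_target(project_id, location, key_ring, key_name)
            + check_key_file(raw_key_json, project_id, oauth_host)
            + check_privileged_account(privileged_account))


# Constructed sample key file: the PEM body is a placeholder, not a real key.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-prj",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkq...placeholder...\n-----END PRIVATE KEY-----\n",
    "client_email": "ontap-kms@example-prj.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    print(crypto_key_name("example-prj", "us-east1", "ontap-ring", "ontap-kek"))
    for line in preflight("example-prj", "us-east1", "ontap-ring", "ontap-kek",
                          SAMPLE_KEY_JSON, oauth_host="oauth2.googleapis.com",
                          privileged_account="kms-signer@example-prj.iam.gserviceaccount.com"):
        print(line)
```

Note that the checker would flag the project ID "test_project" from the page's example: GCP project IDs only allow lowercase letters, digits and hyphens, so the values there are placeholders rather than names that exist on GCP. When -privileged-account is used, the pasted service account additionally needs permission to call iam.serviceAccounts.getAccessToken on that account (roles/iam.serviceAccountTokenCreator), which no offline check can confirm.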