application commands
security key-manager external gcp enable
Suggest changes
-
PDF of this doc site
Collection of separate PDF docs
Creating your file...
Create and enable a Google Cloud KMS configuration
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
This command enables the Google Cloud Key Management Service (GCKMS) associated with the given Vserver. A GCP project and GCKMS must be deployed on the GCP portal prior to running this command. GCKMS can ony be enabled on a data Vserver that doesn't already have a key manager configured. GCKMS cannot be enabled in a MetroCluster environment.
Parameters
-vserver <Vserver Name>- Vserver-
Use this parameter to specify the Vserver on which the GCKMS is to be enabled.
-project-id <text>- Google Cloud KMS Project (Application) ID-
Use this parameter to specify the project ID of the deployed GCP project.
-key-ring-name <text>- Google Cloud KMS Key Ring Name-
Use this parameter to specify the key ring name of the deployed GCP project.
-key-ring-location <text>- Google Cloud KMS Key Ring Location-
Use this parameter to specify the location of the key ring.
-key-name <text>- Google Cloud KMS Key Encryption Key Name-
Use this parameter to specify the key name of the GCKMS Key Encryption Key (KEK).
[-port <integer>]- Google Cloud KMS Port Number-
Use this parameter to specify the port of the deployed Google Cloud KMS.
[-cloudkms-host <text>]- Google Cloud KMS Host's Subdomain-
Use this parameter to specify the Google Cloud KMS Host's Subdomain.
[-verify {true|false}]- Verify Identity of Google Cloud KMS?-
Use this parameter to specify whether to verify the identity of Google Cloud KMS.
[-verify-host {true|false}]- Verify Identity of Google Cloud KMS's Hostname?-
Use this parameter to specify whether to verify the identity of Google Cloud KMS hostname.
[-verify-ip {true|false}]- Verify Identity of Google Cloud KMS's IP Address?-
Use this parameter to specify whether to verify the identity of Google Cloud KMS ip address.
[-proxy-type {http|https}]- Proxy Type-
Use this parameter to specify the proxy type.
[-proxy-host <text>]- Proxy Host-
Use this parameter to specify the proxy hostname.
[-proxy-port <integer>]- Proxy Port-
Use this parameter to specify the proxy port.
[-proxy-username <text>]- Proxy Username-
Use this parameter to specify the proxy username.
[-proxy-password <text>]- Proxy Password-
Use this parameter to specify the proxy password.
[-oauth-host <text>]- Google Cloud KMS Authorization Host-
Use this parameter to specify the host name of the Open Authorization server.
[-oauth-url <text>]- Google Cloud KMS Authorization Url-
Use this parameter to specify the URL of the Open Authorization access token.
[-timeout <integer>]- Google Cloud Platform Connection Timeout in Seconds-
Use this parameter to specify the Google Cloud connection timeout in seconds.
[-privileged-account <text>]- Google Cloud Privileged Service Account-
Use this parameter to specify a privileged service account (email address) with both cloudkms.cryptoKeyVersions.useToEncrypt and cloudkms.cryptoKeyVersions.useToDecrypt permissions. If this parameter is specified, any calls made to the GCKMS will first use iam.serviceAccounts.getAccessToken to impersonate the privileged account.
Examples
The following example enables the GCKMS for Vserver v1. The parameters in the example command identify a Google Cloud Platform (GCP) project application deployed on the GCP. The GCP project application has a Project ID "test_project", a key ring name "key_ring_for_test_project", a key ring location "secure_location_for_key_ring", a key name "testKEK" and OAuth server at 10.12.34.1.
cluster-1::*> security key-manager external gcp enable -vserver v1 -project-id test_project -key-ring-name key_ring_for_test_project -key-ring-location secure_location_for_key_ring -key-name testKEK -oauth-host 10.12.34.1 Enter the contents of the Google Cloud Key Management Service account key file (json file): Press <Enter> when done