Create and delete keys

The AO performs key management operations through the kubectl command to access the Management API server.

Before you begin

Before performing KMS operations, configure kubectl to access the Management API server and get the necessary permissions.

Configure Management API server access

Configure kubectl to access the Management API server:

If you have not already done so, get a kubeconfig file for the Management API server using the gdcloud CLI-line interface (CLI).
Set the MANAGEMENT_API_SERVER environment variable:
```
export MANAGEMENT_API_SERVER=PATH_TO_KUBECONFIG
```
Replace PATH_TO_KUBECONFIG with the path of the generated kubeconfig file.

Required permissions

To get the permissions you need, ask your Organization IAM Admin to grant you the following KMS roles in your project:

To create and list keys, request the KMS Creator (kms-creator) role.
To create, list, and delete keys, request the KMS Admin (kms-admin) role.

Create a key

Complete the following steps:

Create a key in the project namespace. The following example creates the AEAD key:
```
kubectl --kubeconfig MANAGEMENT_API_SERVER \
apply -f - << EOF
apiVersion: "kms.gdc.goog/v1"
kind: AEADKey
metadata:
  name: KEY_NAME
  namespace: PROJECT
spec:
  algorithm: AES_256_GCM
EOF
```
Replace the following variables:
- MANAGEMENT_API_SERVER: the kubeconfig file of the Management API server. Sign in and generate the kubeconfig file if you don't have one.
- KEY_NAME: a name for the key you want to create—for example: key-1.
- PROJECT: the name of the project—for example: kms-test1.

Verify the key creation:

kubectl --kubeconfig MANAGEMENT_API_SERVER \
  get aeadkey KEY_NAME \
  --namespace=PROJECT -o yaml

If the key creation is successful, you see the value True in the READY column.

Delete a key

Complete the following steps:

Delete the key in the project namespace:
```
kubectl --kubeconfig MANAGEMENT_API_SERVER \
  delete KEY_PRIMITIVE KEY_NAME \
  --namespace=PROJECT
```
Replace the following variables:
- MANAGEMENT_API_SERVER: the kubeconfig file of the Management API server. Sign in and generate the kubeconfig file if you don't have one.
- KEY_PRIMITIVE: the key you want to delete—for example: aeadkey for the AEAD key.
- KEY_NAME: the name of the key you want to delete—for example: key-1.
- PROJECT: the name of the project—for example: kms-test1.

Verify the key deletion, and ensure you don't see the key in return:

kubectl --kubeconfig MANAGEMENT_API_SERVER \
  get KEY_PRIMITIVE  KEY_NAME \
  --namespace=PROJECT

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-06 UTC.