gcloud beta kms kaj-config update

gcloud beta kms kaj-config update - updates the KeyAccessJustificationsPolicyConfig of an organization/folder/project

gcloud beta kms kaj-config update (--folder=FOLDER     | --organization=ORGANIZATION     | --project=PROJECT_ID) [--allowed-access-reasons=[ALLOWED_ACCESS_REASONS,…]     | --reset-kaj-policy-config] [GCLOUD_WIDE_FLAG …]

For details about KAJ enums, please check https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes

Note that on successful completion, this command does not display the updated resource by default. To view the updated KeyAccessJustificationsPolicyConfig, use the --format flag, for example, --format=yaml.

gcloud beta kms kaj-config update --folder=123 --allowed-access-reasons=customer-initiated-access

To update the policy for project 'abc' with CUSTOMER_INITIATED_ACCESS and display the updated configuration as YAML, run:

gcloud beta kms kaj-config update --project=abc --allowed-access-reasons=customer-initiated-access --format=yaml

The following command resets the KeyAccessJustificationsPolicyConfig in organizations/123 to a default value (allow-all access reasons).

gcloud beta kms kaj-config update --organizations=123 --reset-kaj-policy-config

The parent of KajPolicyConfig.

Exactly one of these must be specified:

--folder=FOLDER

The ID of the folder under which the KajPolicyConfig exists. Use this flag only if KajPolicyConfig is directly under a folder.

--organization=ORGANIZATION

The ID of the organization under which the KajPolicyConfig exists. Use this flag only if KajPolicyConfig is directly under an organization.

--project=PROJECT_ID

The ID of the project underwhich the KajPolicyConfig exists. Use this flag only if KajPolicyConfig is directly under a project.

The Google Cloud project ID to use for this invocation. If omitted, then the current project is assumed; the current project can be listed using gcloud config list --format='text(core.project)' and can be set using gcloud config set project PROJECTID.

--project and its fallback core/project property play two roles in the invocation. It specifies the project of the resource to operate on. It also specifies the project for API enablement check, quota, and billing. To specify a different project for quota and billing, use --billing-project or billing/quota_project property.

Updates of KAJ Policy Config.

At most one of these can be specified:

--allowed-access-reasons=[ALLOWED_ACCESS_REASONS,…]

List of allowed Key Access Justifications access reasons in this KAJ Policy Config. This flag cannot be empty, if being set. For more information about justification codes, see https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes. ALLOWED_ACCESS_REASONS must be one of: customer-authorized-workflow-servicing, customer-initiated-access, customer-initiated-support, google-initiated-review, google-initiated-service, google-initiated-system-operation, google-response-to-production-alert, modified-customer-initiated-access, modified-google-initiated-system-operation, reason-not-expected, reason-unspecified, third-party-data-request.

--reset-kaj-policy-config

Reset KAJ Policy Config to empty. An empty KAJ Policy Config allows all access reasons.

Run $ gcloud help for details.