gcloud alpha kms keys update

NAME
gcloud alpha kms keys update - update a key
SYNOPSIS
gcloud alpha kms keys update(KEY :--keyring=KEYRING--location=LOCATION)[--allowed-access-reasons=[ALLOWED_ACCESS_REASONS,…]][--default-algorithm=DEFAULT_ALGORITHM][--next-rotation-time=NEXT_ROTATION_TIME][--primary-version=PRIMARY_VERSION][--remove-key-access-justifications-policy][--remove-rotation-schedule][--rotation-period=ROTATION_PERIOD][--update-labels=[KEY=VALUE,…]][--clear-labels    |--remove-labels=[KEY,…]][GCLOUD_WIDE_FLAG]
DESCRIPTION
(ALPHA) 1. Update the rotation schedule for the given key.

Updates the rotation schedule for the given key. The schedule automaticallycreates a new primary version for the key according tonext-rotation-time androtation-period flags.

Flagnext-rotation-time must be in ISO 8601 or RFC3339 format, androtation-period must be in the form INTEGER[UNIT], where units canbe one of seconds (s), minutes (m), hours (h) or days (d).

Key rotations performed manually viaupdate-primary-version and theversioncreate do not affect the storednext-rotation-time.

2. Remove the rotation schedule for the given key withremove-rotation-schedule flag.

3. Update/Remove the labels for the given key withupdate-labelsand/orremove-labels flags.

4. Update the primary version for the given key withprimary-version flag.

5. Update the Key Access Justifications policy for the given key withallowed-access-reasons flag to allow specified reasons. The keymust be enrolled in Key Access Justifications to use this flag.

6. Remove the Key Access Justifications policy for the given key withremove-key-access-justifications-policy flag. The key must beenrolled in Key Access Justifications to use this flag.

7. Update the Key Access Justifications policy for the given key withallowed_access_reasons flag to allow zero access reasons. Thiseffectively disables the key, because a policy is configured to reject allaccess reasons. The key must be enrolled in Key Access Justifications to usethis flag.

EXAMPLES
The following command sets a 30 day rotation period for the key namedfrodo within the keyringfellowship and locationglobal starting at the specified time:
gcloudalphakmskeysupdatefrodo--location=global--keyring=fellowship--rotation-period=30d--next-rotation-time=2017-10-12T12:34:56.1234Z

The following command removes the rotation schedule for the key namedfrodo within the keyringfellowship and locationglobal:

gcloudalphakmskeysupdatefrodo--location=global--keyring=fellowship--remove-rotation-schedule

The following command updates the labels value for the key namedfrodo within the keyringfellowship and locationglobal. If the label key does not exist at the time, it will beadded:

gcloudalphakmskeysupdatefrodo--location=global--keyring=fellowship--update-labels=k1=v1

The following command removes labels k1 and k2 from the key namedfrodo within the keyringfellowship and locationglobal:

gcloudalphakmskeysupdatefrodo--location=global--keyring=fellowship--remove-labels=k1,k2

The following command updates the primary version for the key namedfrodo within the keyringfellowship and locationglobal:

gcloudalphakmskeysupdatefrodo--location=global--keyring=fellowship--primary-version=1

The following command updates the default algorithm for the key namedfrodo within the keyringfellowship and locationglobal, assuming the key originally has purpose'asymmetric-encryption' and algorithm 'rsa-decrypt-oaep-2048-sha256':

gcloudalphakmskeysupdatefrodo--location=global--keyring=fellowship--default-algorithm=rsa-decrypt-oaep-4096-sha256

The following command updates the Key Access Justifications policy for the keynamedfrodo within the keyringfellowship and locationglobal to allow onlycustomer-initiated-access andgoogle-initiated-system-operation:

gcloudalphakmskeysupdatefrodo--location=global--keyring=fellowship--allowed-access-reasons=customer-initiated-access,google-initiated-system-operation

The following command removes the Key Access Justifications policy for the keynamedfrodo within the keyringfellowship and locationglobal, which results in all access reasonsbeing allowed:

gcloudalphakmskeysupdatefrodo--location=global--keyring=fellowship--remove-key-access-justifications-policy

The following command updates the Key Access Justifications policy for the keynamedfrodo within the keyringfellowship and locationglobal to allow only zero access reasons,effectively disabling the key:

gcloudalphakmskeysupdatefrodo--location=global--keyring=fellowship--allowed-access-reasons=
POSITIONAL ARGUMENTS
Key resource - The KMS key resource. The arguments in this group can be used tospecify the attributes of this resource. (NOTE) Some attributes are not givenarguments in this group but can be set in other ways.

To set theproject attribute:

  • provide the argumentkey on the command line with a fully specifiedname;
  • set the propertycore/project.

This must be specified.

KEY
ID of the key or fully qualified identifier for the key.

To set thekey attribute:

  • provide the argumentkey on the command line.

This positional argument must be specified if any of the other arguments in thisgroup are specified.

--keyring=KEYRING
The KMS keyring of the key.

To set thekeyring attribute:

  • provide the argumentkey on the command line with a fully specifiedname;
  • provide the argument--keyring on the command line.
--location=LOCATION
The Google Cloud location for the key.

To set thelocation attribute:

  • provide the argumentkey on the command line with a fully specifiedname;
  • provide the argument--location on the command line.
FLAGS
--allowed-access-reasons=[ALLOWED_ACCESS_REASONS,…]
The list of allowed Key Access Justifications access reasons on the key. The keymust be enrolled in Key Access Justifications to configure this field. Bydefault, this field is absent, and all justification codes are allowed. For moreinformation about justification codes, seehttps://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes.ALLOWED_ACCESS_REASONS must be one of:customer-authorized-workflow-servicing,customer-initiated-access,customer-initiated-support,google-initiated-review,google-initiated-service,google-initiated-system-operation,google-response-to-production-alert,modified-customer-initiated-access,modified-google-initiated-system-operation,reason-not-expected,reason-unspecified,third-party-data-request.
--default-algorithm=DEFAULT_ALGORITHM
The default algorithm for the crypto key. For more information about choosing analgorithm, seehttps://cloud.google.com/kms/docs/algorithms.DEFAULT_ALGORITHM must be one of:aes-128-cbc,aes-128-ctr,aes-128-gcm,aes-256-cbc,aes-256-ctr,aes-256-gcm,ec-sign-ed25519,ec-sign-p256-sha256,ec-sign-p384-sha384,ec-sign-secp256k1-sha256,external-symmetric-encryption,google-symmetric-encryption,hmac-sha1,hmac-sha224,hmac-sha256,hmac-sha384,hmac-sha512,kem-xwing,ml-kem-1024,ml-kem-768,pq-sign-hash-slh-dsa-sha2-128s-sha256,pq-sign-ml-dsa-65,pq-sign-slh-dsa-sha2-128s,rsa-decrypt-oaep-2048-sha1,rsa-decrypt-oaep-2048-sha256,rsa-decrypt-oaep-3072-sha1,rsa-decrypt-oaep-3072-sha256,rsa-decrypt-oaep-4096-sha1,rsa-decrypt-oaep-4096-sha256,rsa-decrypt-oaep-4096-sha512,rsa-sign-pkcs1-2048-sha256,rsa-sign-pkcs1-3072-sha256,rsa-sign-pkcs1-4096-sha256,rsa-sign-pkcs1-4096-sha512,rsa-sign-pss-2048-sha256,rsa-sign-pss-3072-sha256,rsa-sign-pss-4096-sha256,rsa-sign-pss-4096-sha512,rsa-sign-raw-pkcs1-2048,rsa-sign-raw-pkcs1-3072,rsa-sign-raw-pkcs1-4096.
--next-rotation-time=NEXT_ROTATION_TIME
Next automatic rotation time of the key. See $gcloud topic datetimes forinformation on time formats.
--primary-version=PRIMARY_VERSION
Primary version to make primary.
--remove-key-access-justifications-policy
Removes the Key Access Justifications policy on the key, making alljustification codes allowed.
--remove-rotation-schedule
Remove any existing rotation schedule on the key.
--rotation-period=ROTATION_PERIOD
Automatic rotation period of the key. See $gcloud topic datetimes forinformation on duration formats.
--update-labels=[KEY=VALUE,…]
List of label KEY=VALUE pairs to update. If a label exists, its value ismodified. Otherwise, a new label is created.

Keys must start with a lowercase character and contain only hyphens(-), underscores (_), lowercase characters, andnumbers. Values must contain only hyphens (-), underscores(_), lowercase characters, and numbers.

At most one of these can be specified:
--clear-labels
Remove all labels. If--update-labels is also specified then--clear-labels is applied first.

For example, to remove all labels:

gcloudalphakmskeysupdate--clear-labels

To remove all existing labels and create two new labels,foo andbaz:

gcloudalphakmskeysupdate--clear-labels--update-labelsfoo=bar,baz=qux
--remove-labels=[KEY,…]
List of label keys to remove. If a label does not exist it is silently ignored.If--update-labels is also specified then--update-labels is applied first.
GCLOUD WIDE FLAGS
These flags are available to all commands:--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.

Run$gcloud help for details.

NOTES
This command is currently in alpha and might change without notice. If thiscommand fails with API permission errors despite specifying the correct project,you might be trying to access an API with an invitation-only early accessallowlist. These variants are also available:
gcloudkmskeysupdate
gcloudbetakmskeysupdate

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-09-16 UTC.