Key and Keyring
# Create the key ring, then an empty import-only key that will receive
# externally generated key material.
gcloud kms keyrings create keyring4 \
  --location=us-east1

# --skip-initial-version-creation and --import-only leave the key without a
# KMS-generated version, so its only versions are the ones imported later.
# NOTE(review): the ring created above is keyring4, but this key is created in
# keyring3 - confirm which ring is intended. An import job can only target
# keys that live in its own key ring.
gcloud kms keys create key4 \
  --keyring=keyring3 \
  --location=us-east1 \
  --purpose=encryption \
  --import-only \
  --skip-initial-version-creation
# Create the import job. It provides the public wrapping key that protects the
# key material on its way into Cloud KMS.
# rsa-oaep-3072-sha1-aes-256: the material is wrapped with a temporary AES-256
# key, which is in turn wrapped with the job's 3072-bit RSA public key
# (OAEP with SHA-1).
# The job's protection level has to match the protection level of the key
# that the material is imported into (software here).
gcloud kms import-jobs create job4 \
  --keyring=keyring4 \
  --location=us-east1 \
  --protection-level=software \
  --import-method=rsa-oaep-3072-sha1-aes-256
# Check the state of the import job. The import only works once this prints
# ACTIVE; a freshly created job can still be in PENDING_GENERATION.
gcloud kms import-jobs describe job4 \
  --keyring=keyring4 \
  --location=us-east1 \
  --format="value(state)"
# Import the key material as a new version of key3, using import job job3.
# NOTE(review): gcloud documents --target-key-file as the path to the
# *unwrapped* key, which gcloud wraps itself before upload; pre-wrapped
# material goes through a separate flag (--wrapped-key-file in current
# releases). The file here is named wrapped.bin - confirm which kind of file
# it is against `gcloud kms keys versions import --help`.
# The unwrapped source key is the sensitive artifact on this workstation:
# keep it off shared storage and remove it once the import is verified.
gcloud kms keys versions import \
  --key=key3 \
  --keyring=keyring3 \
  --location=us-east1 \
  --import-job=job3 \
  --algorithm=google-symmetric-encryption \
  --target-key-file=/home/den/Altenar/HashicorpVault/keys/wrapped.bin
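# Let the Vault server's service account use key3 for encrypt/decrypt.
# --role takes one role per invocation, so listing it twice does not bind two
# roles; use one binding per call.
# roles/cloudkms.admin is left out on purpose: it grants key-management rights
# (create, rotate, change IAM policy, schedule destruction) and no
# encrypt/decrypt permission, so a workload that only uses the key does not
# need it. If the consumer also has to read key metadata, add a viewer-level
# role in a separate binding rather than admin.
gcloud kms keys add-iam-policy-binding key3 \
  --project=vault-325318 \
  --location=us-east1 \
  --keyring=keyring3 \
  --member=serviceAccount:vault-server@vault-325318.iam.gserviceaccount.com \
  --role=roles/cloudkms.cryptoKeyEncrypterDecrypter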
# Create the GKE cluster named "vault".
# The nodes run as the vault-server service account with the cloud-platform
# scope, so what they can do in GCP is governed entirely by that account's
# IAM roles - keep those roles minimal.
# NOTE(review): with the account attached at node level, any pod scheduled on
# these nodes can request its token from the metadata server unless the
# cluster uses Workload Identity. Confirm that only Vault runs here, or bind
# the account to Vault's Kubernetes service account instead.
# With --region, --num-nodes is counted per zone of the region.
gcloud container clusters create vault \
  --region=us-east1 \
  --cluster-version=1.19 \
  --node-version=1.19 \
  --machine-type=n1-standard-1 \
  --num-nodes=1 \
  --enable-ip-alias \
  --enable-autorepair \
  --enable-autoupgrade \
  --scopes=cloud-platform \
  --service-account="vault-server@vault-325318.iam.gserviceaccount.com"
# Make version 1 the primary version, i.e. the one used for new encrypt calls.
# NOTE(review): this names key4 in keyring3, while the describe output further
# down shows key4 under keyring4 - confirm the intended key ring.
gcloud kms keys set-primary-version key4 \
  --version=1 \
  --keyring=keyring3 \
  --location=us-east1
# Round-trip test: encrypt a local file, then decrypt the result.
# The encrypt call uses key3 but the decrypt call names key4. Cloud KMS
# symmetric ciphertext can only be decrypted by the CryptoKey that produced
# it, which is consistent with the INVALID_ARGUMENT error recorded below.
# For a valid round trip both calls must name the same key and key ring.
# The plaintext and decrypted files are written to local disk in the clear;
# use throwaway test data and remove them afterwards.
gcloud kms encrypt \
  --location=us-east1 \
  --keyring=keyring3 \
  --key=key3 \
  --plaintext-file=/home/den/Altenar/HashicorpVault/keys/text \
  --ciphertext-file=/home/den/Altenar/HashicorpVault/keys/ciphertext

gcloud kms decrypt \
  --key=key4 \
  --keyring=keyring3 \
  --location=us-east1 \
  --ciphertext-file=/home/den/Altenar/HashicorpVault/keys/ciphertext \
  --plaintext-file=/home/den/Altenar/HashicorpVault/keys/decrypted.dec
ERROR: (gcloud.kms.decrypt) INVALID_ARGUMENT: Decryption failed: verify that 'name' refers to the correct CryptoKey.
# List the keys in keyring4 to get each key's full resource name.
gcloud kms keys list \
  --location=us-east1 \
  --keyring=keyring4
projects/vault-325318/locations/us-east1/keyRings/keyring4/cryptoKeys/key4
# Inspect key4 in keyring4. Recorded output follows, with the YAML nesting
# restored. Points worth checking: importOnly is true, the primary version was
# imported through job4 in the same key ring, and destroyScheduledDuration is
# 86400s, i.e. 24 hours between scheduling a version for destruction and the
# material being destroyed.
gcloud kms keys describe key4 \
  --location=us-east1 \
  --keyring=keyring4
# createTime: '2021-09-21T09:31:51.405890279Z'
# destroyScheduledDuration: 86400s
# importOnly: true
# name: projects/vault-325318/locations/us-east1/keyRings/keyring4/cryptoKeys/key4
# primary:
#   algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
#   createTime: '2021-09-21T09:47:13.710829824Z'
#   importJob: projects/vault-325318/locations/us-east1/keyRings/keyring4/importJobs/job4
#   importTime: '2021-09-21T09:47:13.728149910Z'
#   name: projects/vault-325318/locations/us-east1/keyRings/keyring4/cryptoKeys/key4/cryptoKeyVersions/1
#   protectionLevel: SOFTWARE
#   reimportEligible: true
#   state: ENABLED
# purpose: ENCRYPT_DECRYPT
# versionTemplate:
#   algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
#   protectionLevel: SOFTWARE
# Inspect key3 in keyring3. Recorded output follows, with the YAML nesting
# restored. The primary version was imported through job3 in keyring3, so this
# is a different CryptoKey from keyring4/key4; ciphertext produced under one
# cannot be decrypted by naming the other.
gcloud kms keys describe key3 \
  --location=us-east1 \
  --keyring=keyring3
# createTime: '2021-09-21T09:21:38.037600739Z'
# destroyScheduledDuration: 86400s
# importOnly: true
# name: projects/vault-325318/locations/us-east1/keyRings/keyring3/cryptoKeys/key3
# primary:
#   algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
#   createTime: '2021-09-21T10:20:20.123165644Z'
#   importJob: projects/vault-325318/locations/us-east1/keyRings/keyring3/importJobs/job3
#   importTime: '2021-09-21T10:20:20.141650771Z'
#   name: projects/vault-325318/locations/us-east1/keyRings/keyring3/cryptoKeys/key3/cryptoKeyVersions/1
#   protectionLevel: SOFTWARE
#   reimportEligible: true
#   state: ENABLED
# purpose: ENCRYPT_DECRYPT
# versionTemplate:
#   algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
#   protectionLevel: SOFTWARE
# List the existing keys of the vault-server service account, then create a
# new user-managed key and write it to vault-server.json in the current
# directory.
# The JSON file holds a long-lived private key that authenticates as the
# service account from anywhere: restrict its file permissions, keep it out
# of version control and images, and delete the key in IAM once it is no
# longer needed.
# NOTE(review): the cluster nodes already run as this account, so a workload
# on them may not need a key file at all - confirm before distributing it.
gcloud iam service-accounts keys list \
  --iam-account=vault-server@vault-325318.iam.gserviceaccount.com

gcloud iam service-accounts keys create vault-server.json \
  --iam-account=vault-server@vault-325318.iam.gserviceaccount.com
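# Let the Vault server's service account use key4 for encrypt/decrypt.
# --role takes one role per invocation, so listing it twice does not bind two
# roles; use one binding per call.
# roles/cloudkms.admin is left out on purpose: it grants key-management rights
# (create, rotate, change IAM policy, schedule destruction) and no
# encrypt/decrypt permission, so a workload that only uses the key does not
# need it. If the consumer also has to read key metadata, add a viewer-level
# role in a separate binding rather than admin.
gcloud kms keys add-iam-policy-binding key4 \
  --project=vault-325318 \
  --location=us-east1 \
  --keyring=keyring4 \
  --member=serviceAccount:vault-server@vault-325318.iam.gserviceaccount.com \
  --role=roles/cloudkms.cryptoKeyEncrypterDecrypter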