v(ndZddlmZddlmZddlmZddlmZddlmZddl m Z ddl m Z ddl m Z dd l mZdd lmZej"ej$ej&j(ej&j*ej&j,Gd d ej.Zy )z Create a key.)absolute_import)division)unicode_literals)base) exceptions)flags)maps) resource_args) labels_utilc,eZdZdZedZdZdZy)CreateaCreate a new key. Creates a new key within the given keyring. The flag `--purpose` is always required when creating a key. The flag `--default-algorithm` is required when creating a symmetric signing key, an asymmetric key, or an external key. Algorithm and purpose should be compatible. The optional flags `--rotation-period` and `--next-rotation-time` define a rotation schedule for the key. A schedule can also be defined by the `--create-rotation-schedule` command. The flag `--next-rotation-time` must be in ISO 8601 or RFC3339 format, and `rotation-period` must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d). The optional flag `--protection-level` specifies the physical environment where crypto operations with the key happen. The default is ``software''; use ``hsm'' to create a hardware-backed key, ``external'' to create an externally backed key, or ``external-vpc'' to create an external key over vpc. The optional flag `--labels` defines a user specified key/value pair for the given key. The flag `--skip-initial-version-creation` creates a CryptoKey with no versions. If you import into the CryptoKey, or create a new version in that CryptoKey, there will be no primary version until one is set using the `--set-primary-version` command. You must include `--skip-initial-version-creation` when creating a CryptoKey with protection level ``external'' or ``external-vpc''. The optional flag `--import-only` restricts the key to imported key versions only. To do so, the flag `--skip-initial-version-creation` must also be set. The optional flag `--destroy-scheduled-duration` defines the destroy schedule for the key, and must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d). The flag `--crypto-key-backend` defines the resource name for the backend where the key resides. Required for ``external-vpc'' keys. The optional flag `--allowed-access-reasons` defines the Key Access Justifications Policy for the key, and is specified as a comma separated list of zero or more justification codes defined in https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes. The key must be enrolled in Key Access Justifications to use this flag. ## EXAMPLES The following command creates a key named ``frodo'' with protection level ``software'' within the keyring ``fellowship'' and location ``us-east1'': $ {command} frodo \ --location=us-east1 \ --keyring=fellowship \ --purpose=encryption The following command creates a key named ``strider'' with protection level ``software'' within the keyring ``rangers'' and location ``global'' with a specified rotation schedule: $ {command} strider \ --location=global --keyring=rangers \ --purpose=encryption \ --rotation-period=30d \ --next-rotation-time=2017-10-12T12:34:56.1234Z The following command creates a raw encryption key named ``foo'' with protection level ``software'' within the keyring ``fellowship'' and location ``us-east1'' with two specified labels: $ {command} foo \ --location=us-east1 \ --keyring=fellowship \ --purpose=raw-encryption \ --default-algorithm=aes-128-cbc --labels=env=prod,team=kms The following command creates an asymmetric key named ``samwise'' with protection level ``software'' and default algorithm ``ec-sign-p256-sha256'' within the keyring ``fellowship'' and location ``us-east1'': $ {command} samwise \ --location=us-east1 \ --keyring=fellowship \ --purpose=asymmetric-signing \ --default-algorithm=ec-sign-p256-sha256 The following command creates a key named ``gimli'' with protection level ``hsm'' and default algorithm ``google-symmetric-encryption'' within the keyring ``fellowship'' and location ``us-east1'': $ {command} gimli \ --location=us-east1 \ --keyring=fellowship \ --purpose=encryption \ --protection-level=hsm The following command creates a key named ``legolas'' with protection level ``external'' and default algorithm ``external-symmetric-encryption'' within the keyring ``fellowship'' and location ``us-central1'': $ {command} legolas \ --location=us-central1 \ --keyring=fellowship \ --purpose=encryption \ --default-algorithm=external-symmetric-encryption \ --protection-level=external --skip-initial-version-creation The following command creates a key named ``bilbo'' with protection level ``external-vpc'' and default algorithm ``external-symmetric-encryption'' and an EkmConnection of ``eagles'' within the keyring ``fellowship'' and location ``us-central1'': $ {command} bilbo \ --location=us-central1 \ --keyring=fellowship \ --purpose=encryption \ --default-algorithm=external-symmetric-encryption \ --protection-level=external-vpc --skip-initial-version-creation --crypto-key-backend="projects/$(gcloud config get project)/ locations/us-central1/ekmConnections/eagles" The following command creates a key named ``arwen'' with protection level ``software'' within the keyring ``fellowship'' and location ``us-east1'' with a Key Access Justifications policy that allows access reasons ``customer-initiated-access'' and ``google-initiated-system-operation'': $ {command} arwen \ --location=us-east1 \ --keyring=fellowship \ --purpose=encryption \ --allowed-access-reasons=customer-initiated-access,google-initiated-system-operation ctj|ddtj|tj|tj |t j||jdttjjdd|jjtjtj |tj"|tj$|tj&|tj(|tj*|y)NTkeyz --purposezThe "purpose" of the key.)choicesrequiredhelp)r AddKmsKeyResourceArgForKMSrAddRotationPeriodFlagAddNextRotationTimeFlag!AddSkipInitialVersionCreationFlagr AddCreateLabelsFlags add_argumentsortedr PURPOSE_MAPkeys display_infoAddCacheUpdaterKeyRingCompleterAddProtectionLevelFlagAddDefaultAlgorithmFlagAddImportOnlyFlagAddDestroyScheduledDurationFlagAddCryptoKeyBackendFlagAddAllowedAccessReasonsFlag)parsers lib/surface/kms/keys/create.pyArgsz Create.Argss,,VT5A ' !!&) ++F3$$V, t'',,./ ( *  ''(>(>?   ( !!&) F# ))&1 !!&) %%f-c "tj}tj|j}tj |}|j sT|jdk7r>tjdj|jdj|d|_|j |vr>tjdj|jdj||jjj}|j}|j|j!|j#|j%||j'tj(j+|j,tj.j+|j t1j2||j$j4|j6|j8|j:}t=j>||j@t=jB||j@t=jD||j@t=jF||j@|S) N encryptionzm--default-algorithm needs to be specified when creating a key with --purpose={}. The valid algorithms are: {}z, zgoogle-symmetric-encryptionzbDefault algorithm and purpose are incompatible. Here are the valid algorithms for --purpose={}: {})protectionLevel algorithm)purposeversionTemplatelabels importOnlycryptoKeyBackend)parent cryptoKeyId cryptoKeyskipInitialVersionCreation)$ cloudkms_baseGetMessagesModuler rr-VALID_ALGORITHMS_MAPdefault_algorithmkms_exceptions ArgumentErrorformatjoinCONCEPTSrParseParent8CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest RelativeNameName CryptoKeyCryptoKeyVersionTemplatePROTECTION_LEVEL_MAPPERGetEnumForChoiceprotection_levelALGORITHM_MAPPERr ParseCreateArgs LabelsValue import_onlycrypto_key_backendskip_initial_version_creationrSetNextRotationTimer4SetRotationPeriodSetDestroyScheduledDuration SetKeyAccessJustificationsPolicy)selfargsmessagesr-valid_algorithmscrypto_key_ref parent_refreqs r&_CreateRequestzCreate._CreateRequests$..0Ht||,G009  ! !  %** ::@& dii(89;;< < =d %55  ( ( ,,2F4<<3799=M3N-P QQ ]]&&,,.N&&(J  K K&&("'')$$$== $ < < M M))!+//@@**,>- ..t/7/A/A/M/MO''!44% 6$(#E#E L GC  dCMM2 D#--0 %%dCMM: **4? Jr(c~tj}|jj|j |S)N)r6GetClientInstance&projects_locations_keyRings_cryptoKeysr rZ)rSrTclients r&Runz Create.Runs7  , , .F  8 8 ? ? D! ##r(N)__name__ __module__ __qualname____doc__ staticmethodr'rZr_r(r&r r s( HT..&.`#r(r N)rc __future__rrrgooglecloudsdk.api_lib.cloudkmsrr6googlecloudsdk.calliopegooglecloudsdk.command_lib.kmsrr:rr r $googlecloudsdk.command_lib.util.argsr UniverseCompatible ReleaseTracks ReleaseTrackALPHABETAGA CreateCommandr rer(r&rrs&'A(G0/8<T..33T5F5F5I5IR#T  R#R#r(