v(nSrSSKJr SSKJr SSKJr SSKJr SSKJr SSK J r SSK J r SSK J r SS K Jr SS KJr \R"\R$"\R&R(\R&R*\R&R,5"S S \R.555rg )z Create a key.)absolute_import)division)unicode_literals)base) exceptions)flags)maps) resource_args) labels_utilc4\rSrSrSr\S5rSrSrSr g)CreateaCreate a new key. Creates a new key within the given keyring. The flag `--purpose` is always required when creating a key. The flag `--default-algorithm` is required when creating a symmetric signing key, an asymmetric key, or an external key. Algorithm and purpose should be compatible. The optional flags `--rotation-period` and `--next-rotation-time` define a rotation schedule for the key. A schedule can also be defined by the `--create-rotation-schedule` command. The flag `--next-rotation-time` must be in ISO 8601 or RFC3339 format, and `rotation-period` must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d). The optional flag `--protection-level` specifies the physical environment where crypto operations with the key happen. The default is ``software''; use ``hsm'' to create a hardware-backed key, ``external'' to create an externally backed key, or ``external-vpc'' to create an external key over vpc. The optional flag `--labels` defines a user specified key/value pair for the given key. The flag `--skip-initial-version-creation` creates a CryptoKey with no versions. If you import into the CryptoKey, or create a new version in that CryptoKey, there will be no primary version until one is set using the `--set-primary-version` command. You must include `--skip-initial-version-creation` when creating a CryptoKey with protection level ``external'' or ``external-vpc''. The optional flag `--import-only` restricts the key to imported key versions only. To do so, the flag `--skip-initial-version-creation` must also be set. The optional flag `--destroy-scheduled-duration` defines the destroy schedule for the key, and must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d). The flag `--crypto-key-backend` defines the resource name for the backend where the key resides. Required for ``external-vpc'' keys. The optional flag `--allowed-access-reasons` defines the Key Access Justifications Policy for the key, and is specified as a comma separated list of zero or more justification codes defined in https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes. The key must be enrolled in Key Access Justifications to use this flag. ## EXAMPLES The following command creates a key named ``frodo'' with protection level ``software'' within the keyring ``fellowship'' and location ``us-east1'': $ {command} frodo \ --location=us-east1 \ --keyring=fellowship \ --purpose=encryption The following command creates a key named ``strider'' with protection level ``software'' within the keyring ``rangers'' and location ``global'' with a specified rotation schedule: $ {command} strider \ --location=global --keyring=rangers \ --purpose=encryption \ --rotation-period=30d \ --next-rotation-time=2017-10-12T12:34:56.1234Z The following command creates a raw encryption key named ``foo'' with protection level ``software'' within the keyring ``fellowship'' and location ``us-east1'' with two specified labels: $ {command} foo \ --location=us-east1 \ --keyring=fellowship \ --purpose=raw-encryption \ --default-algorithm=aes-128-cbc --labels=env=prod,team=kms The following command creates an asymmetric key named ``samwise'' with protection level ``software'' and default algorithm ``ec-sign-p256-sha256'' within the keyring ``fellowship'' and location ``us-east1'': $ {command} samwise \ --location=us-east1 \ --keyring=fellowship \ --purpose=asymmetric-signing \ --default-algorithm=ec-sign-p256-sha256 The following command creates a key named ``gimli'' with protection level ``hsm'' and default algorithm ``google-symmetric-encryption'' within the keyring ``fellowship'' and location ``us-east1'': $ {command} gimli \ --location=us-east1 \ --keyring=fellowship \ --purpose=encryption \ --protection-level=hsm The following command creates a key named ``legolas'' with protection level ``external'' and default algorithm ``external-symmetric-encryption'' within the keyring ``fellowship'' and location ``us-central1'': $ {command} legolas \ --location=us-central1 \ --keyring=fellowship \ --purpose=encryption \ --default-algorithm=external-symmetric-encryption \ --protection-level=external --skip-initial-version-creation The following command creates a key named ``bilbo'' with protection level ``external-vpc'' and default algorithm ``external-symmetric-encryption'' and an EkmConnection of ``eagles'' within the keyring ``fellowship'' and location ``us-central1'': $ {command} bilbo \ --location=us-central1 \ --keyring=fellowship \ --purpose=encryption \ --default-algorithm=external-symmetric-encryption \ --protection-level=external-vpc --skip-initial-version-creation --crypto-key-backend="projects/$(gcloud config get project)/ locations/us-central1/ekmConnections/eagles" The following command creates a key named ``arwen'' with protection level ``software'' within the keyring ``fellowship'' and location ``us-east1'' with a Key Access Justifications policy that allows access reasons ``customer-initiated-access'' and ``google-initiated-system-operation'': $ {command} arwen \ --location=us-east1 \ --keyring=fellowship \ --purpose=encryption \ --allowed-access-reasons=customer-initiated-access,google-initiated-system-operation c[R"USS5 [R"U5 [R"U5 [R "U5 [ R"U5 URS[[RR55SSS9 URR[R5 [R "U5 [R""U5 [R$"U5 [R&"U5 [R("U5 [R*"U5 g)NTkeyz --purposezThe "purpose" of the key.)choicesrequiredhelp)r AddKmsKeyResourceArgForKMSrAddRotationPeriodFlagAddNextRotationTimeFlag!AddSkipInitialVersionCreationFlagr AddCreateLabelsFlags add_argumentsortedr PURPOSE_MAPkeys display_infoAddCacheUpdaterKeyRingCompleterAddProtectionLevelFlagAddDefaultAlgorithmFlagAddImportOnlyFlagAddDestroyScheduledDurationFlagAddCryptoKeyBackendFlagAddAllowedAccessReasonsFlag)parsers lib/surface/kms/keys/create.pyArgs Create.Argss,,VT5A ' !!&) ++F3$$V, t'',,./ ( *  ''(>(>?   ( !!&) F# ))&1 !!&) %%f-c ([R"5n[RURn[R UnUR (dVURS:wa?[R"SRURSRU555eSUlUR U;a?[R"SRURSRU555eURRR5nUR5nURUR!5UR#5UR%UUR'[R(R+UR,5[R.R+UR 5S9[0R2"UUR$R45UR6UR8S9UR:S9n[<R>"XR@5 [<RB"XR@5 [<RD"XR@5 [<RF"XR@5 U$) N encryptionzm--default-algorithm needs to be specified when creating a key with --purpose={}. The valid algorithms are: {}z, zgoogle-symmetric-encryptionzbDefault algorithm and purpose are incompatible. Here are the valid algorithms for --purpose={}: {})protectionLevel algorithm)purposeversionTemplatelabels importOnlycryptoKeyBackend)parent cryptoKeyId cryptoKeyskipInitialVersionCreation)$ cloudkms_baseGetMessagesModuler rr/VALID_ALGORITHMS_MAPdefault_algorithmkms_exceptions ArgumentErrorformatjoinCONCEPTSrParseParent8CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest RelativeNameName CryptoKeyCryptoKeyVersionTemplatePROTECTION_LEVEL_MAPPERGetEnumForChoiceprotection_levelALGORITHM_MAPPERr ParseCreateArgs LabelsValue import_onlycrypto_key_backendskip_initial_version_creationrSetNextRotationTimer6SetRotationPeriodSetDestroyScheduledDuration SetKeyAccessJustificationsPolicy)selfargsmessagesr/valid_algorithmscrypto_key_ref parent_refreqs r'_CreateRequestCreate._CreateRequests..0Ht||,G009  ! !  %** ::@& dii(89;;< < =d %55  ( ( ,,2F4<<3799=M3N-P QQ ]]&&,,.N&&(J  K K&&("'')$$$== $ < < M M))!+//@@**,>- ..t/7/A/A/M/MO''!44% 6$(#E#E L GC  dMM2 D--0 %%dMM: **4? Jr*c[R"5nURRUR U55$)N)r8GetClientInstance&projects_locations_keyRings_cryptoKeysr r\)rUrVclients r'Run Create.Runs7  , , .F  8 8 ? ? D! ##r*N) __name__ __module__ __qualname____firstlineno____doc__ staticmethodr(r\rb__static_attributes__rdr*r'r r s( HT..&.`#r*r N)ri __future__rrrgooglecloudsdk.api_lib.cloudkmsrr8googlecloudsdk.calliopegooglecloudsdk.command_lib.kmsrr<rr r $googlecloudsdk.command_lib.util.argsr UniverseCompatible ReleaseTracks ReleaseTrackALPHABETAGA CreateCommandr rdr*r'rxs&'A(G0/8<T..33T5F5F5I5IR#T  R#R#r*