ONTAP 9.15.1 commands

security key-manager external gcp enable

Create and enable a Google Cloud KMS configuration

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

This command enables the Google Cloud Key Management Service (GCKMS) associated with the given Vserver. A GCP project and GCKMS must be deployed on the GCP portal prior to running this command. GCKMS can ony be enabled on a data Vserver that doesn’t already have a key manager configured. GCKMS cannot be enabled in a MetroCluster environment.

Parameters

-vserver <Vserver Name> - Vserver

Use this parameter to specify the Vserver on which the GCKMS is to be enabled.

-project-id <text> - Google Cloud KMS Project (Application) ID

Use this parameter to specify the project ID of the deployed GCP project.

-key-ring-name <text> - Google Cloud KMS Key Ring Name

Use this parameter to specify the key ring name of the deployed GCP project.

-key-ring-location <text> - Google Cloud KMS Key Ring Location

Use this parameter to specify the location of the key ring.

-key-name <text> - Google Cloud KMS Key Encryption Key Name

Use this parameter to specify the key name of the GCKMS Key Encryption Key (KEK).

[-port <integer>] - Google Cloud KMS Port Number

Use this parameter to specify the port of the deployed Google Cloud KMS.

[-cloudkms-host <text>] - Google Cloud KMS Host’s Subdomain

Use this parameter to specify the Google Cloud KMS Host’s Subdomain.

[-verify {true|false}] - Verify Identity of Google Cloud KMS?

Use this parameter to specify whether to verify the identity of Google Cloud KMS.

[-verify-host {true|false}] - Verify Identity of Google Cloud KMS’s Hostname?

Use this parameter to specify whether to verify the identity of Google Cloud KMS hostname.

[-verify-ip {true|false}] - Verify Identity of Google Cloud KMS’s IP Address?

Use this parameter to specify whether to verify the identity of Google Cloud KMS ip address.

[-proxy-type {http|https}] - Proxy Type

Use this parameter to specify the proxy type.

[-proxy-host <text>] - Proxy Host

Use this parameter to specify the proxy hostname.

[-proxy-port <integer>] - Proxy Port

Use this parameter to specify the proxy port.

[-proxy-username <text>] - Proxy Username

Use this parameter to specify the proxy username.

[-proxy-password <text>] - Proxy Password

Use this parameter to specify the proxy password.

[-oauth-host <text>] - Google Cloud KMS Authorization Host

Use this parameter to specify the host name of the Open Authorization server.

[-oauth-url <text>] - Google Cloud KMS Authorization Url

Use this parameter to specify the URL of the Open Authorization access token.

[-timeout <integer>] - Google Cloud Platform Connection Timeout in Seconds

Use this parameter to specify the Google Cloud connection timeout in seconds.

[-privileged-account <text>] - Google Cloud Privileged Service Account

Use this parameter to specify a privileged service account (email address) with both cloudkms.cryptoKeyVersions.useToEncrypt and cloudkms.cryptoKeyVersions.useToDecrypt permissions. If this parameter is specified, any calls made to the GCKMS will first use iam.serviceAccounts.getAccessToken to impersonate the privileged account.

Examples

The following example enables the GCKMS for Vserver v1. The parameters in the example command identify a Google Cloud Platform (GCP) project application deployed on the GCP. The GCP project application has a Project ID "test_project", a key ring name "key_ring_for_test_project", a key ring location "secure_location_for_key_ring", a key name "testKEK" and OAuth server at 10.12.34.1.

cluster-1::*> security key-manager external gcp enable -vserver v1 -project-id test_project -key-ring-name key_ring_for_test_project -key-ring-location secure_location_for_key_ring -key-name testKEK -oauth-host 10.12.34.1

Enter the contents of the Google Cloud Key Management Service account key file (json file): Press <Enter> when done
Top of Page