W3cubDocs

/Ansible 2.9

gcp_kms_crypto_key – Creates a GCP CryptoKey

New in version 2.9.

Synopsis
Requirements
Parameters
Notes
Examples
Return Values
Status

Synopsis

A CryptoKey represents a logical key that can be used for cryptographic operations.

Requirements

The below requirements are needed on the host that executes this module.

python >= 2.6
requests >= 2.18.4
google-auth >= 1.3.0

Parameters

Parameter		Choices/Defaults	Comments
auth_kind string / required		Choices: application machineaccount serviceaccount	The type of credential used.
env_type string			Specifies which Ansible environment you're running this module within. This should not be set unless you know what you're doing. This only alters the User Agent string for any API requests.
key_ring string / required			The KeyRing that this key belongs to. Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`.
labels dictionary			Labels with user-defined metadata to apply to this resource.
name string / required			The resource name for the CryptoKey.
project string			The Google Cloud Platform project to use.
purpose string		Default: "ENCRYPT_DECRYPT"	Immutable purpose of CryptoKey. See https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose for inputs. Some valid choices include: "ENCRYPT_DECRYPT", "ASYMMETRIC_SIGN", "ASYMMETRIC_DECRYPT"
rotation_period string			Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter `s` (seconds). It must be greater than a day (ie, 86400).
scopes list			Array of scopes to be used.
service_account_contents jsonarg			The contents of a Service Account JSON file, either in a dictionary or as a JSON string that represents it.
service_account_email string			An optional service account email address if machineaccount is selected and the user does not wish to use the default email.
service_account_file path			The path of a Service Account JSON file if serviceaccount is selected as type.
state string		Choices: present ← absent	Whether the given object should exist in GCP
version_template dictionary			A template describing settings for new crypto key versions.
	algorithm string / required		The algorithm to use when creating a version based on this template. See the [algorithm reference](https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm) for possible inputs.
	protection_level string		The protection level to use when creating a version based on this template. Some valid choices include: "SOFTWARE", "HSM"

Notes

Note

API Reference: https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys
Creating a key: https://cloud.google.com/kms/docs/creating-keys#create_a_key
for authentication, you can set service_account_file using the c(gcp_service_account_file) env variable.
for authentication, you can set service_account_contents using the c(GCP_SERVICE_ACCOUNT_CONTENTS) env variable.
For authentication, you can set service_account_email using the GCP_SERVICE_ACCOUNT_EMAIL env variable.
For authentication, you can set auth_kind using the GCP_AUTH_KIND env variable.
For authentication, you can set scopes using the GCP_SCOPES env variable.
Environment variables values will only be used if the playbook values are not set.
The service_account_email and service_account_file options are mutually exclusive.

Examples

- name: create a key ring
  gcp_kms_key_ring:
    name: key-key-ring
    location: us-central1
    project: "{{ gcp_project }}"
    auth_kind: "{{ gcp_cred_kind }}"
    service_account_file: "{{ gcp_cred_file }}"
    state: present
  register: keyring

- name: create a crypto key
  gcp_kms_crypto_key:
    name: test_object
    key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key		Returned	Description
creationTime string		success	The time that this resource was created on the server. This is in RFC3339 text format.
keyRing string		success	The KeyRing that this key belongs to. Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`.
labels dictionary		success	Labels with user-defined metadata to apply to this resource.
name string		success	The resource name for the CryptoKey.
purpose string		success	Immutable purpose of CryptoKey. See https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose for inputs.
rotationPeriod string		success	Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter `s` (seconds). It must be greater than a day (ie, 86400).
versionTemplate complex		success	A template describing settings for new crypto key versions.
	algorithm string	success	The algorithm to use when creating a version based on this template. See the [algorithm reference](https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm) for possible inputs.
	protectionLevel string	success	The protection level to use when creating a version based on this template.

Status

This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]

Authors

Google Inc. (@googlecloudplatform)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/gcp_kms_crypto_key_module.html