- NAME
-
- gcloud secrets replication update - update a secret replica's metadata
- SYNOPSIS
-
-
gcloud secrets replication updateSECRET[--remove-cmek|--location=REPLICA-LOCATION--set-kms-key=SET-KMS-KEY] [GCLOUD_WIDE_FLAG …]
-
- DESCRIPTION
- Update a secret replica's metadata (e.g. cmek policy). This command will return
an error if given a secret that does not exist or if given a location that the
given secret doesn't exist in.
The --remove-kms-key flag is only valid for Secrets that have an automatic replication policy or exist in a single location. To remove keys from a Secret with multiple user managed replicas, please use the set-replication command.
- EXAMPLES
- To remove CMEK from a secret called 'my-secret', run:
gcloud secrets replication update my-secret --remove-cmekTo set the CMEK key on an automatic secret called my-secret to a specified KMS key, run:
gcloud secrets replication update my-secret --set-kms-key = projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-keyTo set the CMEK key on a secret called my-secret to a specified KMS key in a specified location in its replication, run:
gcloud secrets replication update my-secret --set-kms-key = projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key --location = us-central1 - POSITIONAL ARGUMENTS
-
- Secret resource - The secret to update. This represents a Cloud resource. (NOTE)
Some attributes are not given arguments in this group but can be set in other
ways.
To set the
projectattribute:- provide the argument
SECRETon the command line with a fully specified name; - provide the argument
--projecton the command line; - set the property
core/project.
This must be specified.
-
SECRET - ID of the secret or fully qualified identifier for the secret.
To set the
secretattribute:- provide the argument
SECRETon the command line.
- provide the argument
- provide the argument
- Secret resource - The secret to update. This represents a Cloud resource. (NOTE)
Some attributes are not given arguments in this group but can be set in other
ways.
- FLAGS
-
- Replication update.
At most one of these can be specified:
-
--remove-cmek - Remove customer managed encryption key so that future versions will be encrypted by a Google managed encryption key.
- Or at least one of these can be specified:
- CMEK Update.
-
--location=REPLICA-LOCATION - Location of replica to update. For secrets with automatic replication policies, this can be omitted.
-
--set-kms-key=SET-KMS-KEY - New KMS key with which to encrypt and decrypt future secret versions.
-
- Replication update.
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$ gcloud helpfor details. - NOTES
- This variant is also available:
gcloud beta secrets replication update
gcloud secrets replication update
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License , and code samples are licensed under the Apache 2.0 License . For details, see the Google Developers Site Policies . Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-05-27 UTC.
