feat(KMS): cli integration #835

Open
luxium30 wants to merge 23 commits into master from leoloch/sc-175358/kms-integration-with-cli

@luxium30 luxium30 commented May 15, 2026

Description

Commands added:

All commands have a --zone flag to easily target another zone.

key:

  • kms key show ID
  • kms key list --ignore-replica --status XXX
  • kms key create NAME --usage encrypt-decrypt --description XXX --multizone
  • kms key enable ID
  • kms key disable ID
  • kms key rotate ID
  • kms key delete ID --delay-days XXX
  • kms key cancel-delete ID
  • kms key replicate ID ZONE
  • kms key enable-rotation ID --rotation-period XXX
  • kms key disable-rotation ID
  • kms key list-rotation ID

crypto:

  • kms crypto encrypt ID PLAINTEXT --encryption-context XXX
  • kms crypto decrypt ID CIPHERTEXT --encryption-context XXX
  • kms crypto generate-data-key ID <--bytes-count XXX | --key-spec XXX> --encryption-context XXX
  • kms crypto reencrypt SRC_ID DEST_ID CIPHERTEXT --source-encryption-context XXX --dest-encryption-context XXX

Output

kms key list

┼──────────────────────────────────────┼──────────────────────────────────────────────────────┼────────────┼──────────────────┼───────────┼─────────────────────────────┼
│                  ID                  │                         NAME                         │ ORIGINZONE │      STATUS      │ MULTIZONE │          REPLICAS           │
┼──────────────────────────────────────┼──────────────────────────────────────────────────────┼────────────┼──────────────────┼───────────┼─────────────────────────────┼
│ 019e1783-a083-76b0-a903-73e883b94a1c │ a2                                                   │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e1785-3642-773f-ba76-f19adb5467ba │ a3                                                   │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e1cf6-7810-7512-9ba4-6d19cdd429e9 │ a4                                                   │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e2023-23ac-75f7-a24d-31f0d1053fd2 │ kms-canary-keylifecycle-ch-gva-2-1778655634312805000 │ ch-gva-2   │ pending-deletion │ false     │                             │
│ 019e2029-d77b-7811-b2d4-2dca52f4ac5c │ kms-canary-keylifecycle-ch-gva-2-1778656073555519000 │ ch-gva-2   │ pending-deletion │ false     │                             │
│ 019e202b-3343-7b21-a1c6-320a6beb1196 │ kms-canary-keylifecycle-ch-gva-2-1778656162585813000 │ ch-gva-2   │ pending-deletion │ false     │                             │
│ 019e2034-7cdf-7151-8115-2e1947d00d18 │ kms-canary-keylifecycle-ch-gva-2-1778656771259583000 │ ch-gva-2   │ pending-deletion │ false     │                             │
│ 019e2034-d30c-7ec6-9190-0e364878f689 │ kms-canary-multizone-ch-gva-2-1778656793321428000    │ ch-gva-2   │ disabled         │ true      │ de-fra-1, at-vie-1, ch-dk-2 │
│ 019e2039-157e-7db8-8c86-ec5ddf65fafd │ Default                                              │ ch-gva-2   │ enabled          │ true      │ de-fra-1, at-vie-1, ch-dk-2 │
│ 019e2090-936e-7857-b03b-277cb09726eb │ kms-canary-keylifecycle-ch-gva-2-1778662806309327000 │ ch-gva-2   │ pending-deletion │ false     │                             │
│ 019e2090-e4f7-7975-bdc6-a67f3d92fc9a │ kms-canary-keylifecycle-ch-gva-2-1778662827181757000 │ ch-gva-2   │ pending-deletion │ false     │                             │
│ 019e20cb-6f0b-72c2-8e37-ce47c21afb6b │ kms-canary-keylifecycle-ch-gva-2-1778666663604396000 │ ch-gva-2   │ pending-deletion │ false     │                             │
│ 019e20cc-1963-7acf-a0ba-b3bf15bba25a │ kms-canary-keylifecycle-ch-gva-2-1778666707213761000 │ ch-gva-2   │ pending-deletion │ false     │                             │
│ 019e2318-ddfe-7871-a8f6-213137e94b9e │ hello123                                             │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e2b73-2b29-7b01-9c22-f1b93a8757dd │ hello1233                                            │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e2b7f-d48d-79be-8ff2-ecd9ce2a5f9b │ hello1233 usage: encrypt-decrypt                     │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e3a93-7f49-730a-9e86-7927e6c52b84 │ byebye                                               │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e3aa0-7fd9-7449-a93a-85578c57d628 │ byeby2e                                              │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e3aa1-5281-74aa-88f7-c214531dfb45 │ byebye2                                              │ ch-gva-2   │ enabled          │ false     │                             │
│ 019e3ab8-ceb9-7e9f-941b-5db3c265427c │ blabla                                               │ ch-gva-2   │ enabled          │ true      │ de-fra-1, at-vie-1, ch-dk-2 │
┼──────────────────────────────────────┼──────────────────────────────────────────────────────┼────────────┼──────────────────┼───────────┼─────────────────────────────┼

kms key show ID

┼─────────────────┼───────────────────────────────────────────────────┼
│     KMS KEY     │                                                   │
┼─────────────────┼───────────────────────────────────────────────────┼
│ ID              │ 019e2039-157e-7db8-8c86-ec5ddf65fafd              │
│ Name            │ Default                                           │
│ Created At      │ 2026-05-13 07:24:32.51101951 +0000 UTC            │
│ Multizone       │ true                                              │
│ Origin Zone     │ ch-gva-2                                          │
│ Status          │ enabled                                           │
│ Replicas Status │ at-vie-1, ch-dk-2, de-fra-1                       │
│ Material        │ auto: false                                       │
│                 │ createdAt: 2026-05-13 07:24:32.51101951 +0000 UTC │
│                 │ version: 1                                        │
│ Rotation        │ auto: true                                        │
│                 │ count: 0                                          │
│                 │ nextAt: 2027-05-13 07:24:32.515024172 +0000 UTC   │
│                 │ rotationPeriod: 365                               │
│ Usage           │ encrypt-decrypt                                   │
│ Source          │ exoscale-kms                                      │
│ Description     │ Exoscale KMS default key.                         │
┼─────────────────┼───────────────────────────────────────────────────┼

kms key list-rotation ID

┼─────────┼─────────────────────────────────────────┼───────────┼
│ VERSION │               ROTATED AT                │ AUTOMATIC │
┼─────────┼─────────────────────────────────────────┼───────────┼
│ 2       │ 2026-05-18 13:54:02.348056112 +0000 UTC │ false     │
│ 3       │ 2026-05-18 13:54:08.274114393 +0000 UTC │ false     │
│ 4       │ 2026-05-18 16:08:40.611917076 +0000 UTC │ false     │
│ 5       │ 2026-05-18 16:08:41.78315071 +0000 UTC  │ false     │
│ 6       │ 2026-05-18 16:08:42.717906733 +0000 UTC │ false     │
┼─────────┼─────────────────────────────────────────┼───────────┼

Checklist

(For exoscale contributors)

  • Changelog updated (under Unreleased block, and add the Pull Request #number for each bit you add to the CHANGELOG.md)
  • Testing

Testing

Tested in preprod with go run main.go kms ...

@luxium30 luxium30 marked this pull request as draft May 19, 2026 07:00
@luxium30 luxium30 marked this pull request as ready for review May 19, 2026 09:00
@luxium30 luxium30 requested review from emilehreich and jbelo May 19, 2026 09:00

@emilehreich emilehreich left a comment

I am not entirely convinced by the way the operations are defined here. The separation between operations on a "key" and operations on a "rotation" doesn't match the logic of our API. It essentially treats "rotation" as a resource in itself, when it is actually an operation on a key.

On one hand, we have key lifecycle operations, where you operate directly on a key to change its state: in that case, it makes sense to have a command like kms key . On the other hand, we have cryptographic operations that use these keys to perform tasks unrelated to the key's state. For those, I would expect something like kms <crypto-op> --key <id> <required-params>.

Additionally, in the current split, rotation commands are spread across two different categories, which is confusing (e.g., kms rotation <> and kms key rotate <>).

Lastly, you are using the keyword "delete" for the schedule-key-deletion operation. I think the command should clearly reflect that it is a schedule and not an immediate deletion. Users will surely be confused by this.

@luxium30 luxium30 requested a review from emilehreich May 26, 2026 15:18
@kobajagi

Also keep in mind that command organization should follow Portal design and vice versa.

Comment on lines +28 to +34
func (c *cryptoReencryptCmd) CmdShort() string {
return "Re-encrypts data from a KMS key to another KMS key."
}

func (c *cryptoReencryptCmd) CmdLong() string {
return "Re-encrypts data from a KMS key to another KMS key."
}
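
Review bot: CmdLong returns exactly the same one-line string as CmdShort, so the long help for reencrypt tells the user nothing that the command listing does not already show. Per the PR description this command takes SRC_ID, DEST_ID and CIPHERTEXT plus --source-encryption-context and --dest-encryption-context; CmdLong is the place to say which key and which context apply to the input ciphertext and which to the output. If no longer text is intended, have CmdLong return c.CmdShort() so the two strings cannot drift apart.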

@emilehreich emilehreich May 28, 2026

Applicable for all commands (except when the command is augmented with increased filtering capabilities): please use the same description as the ones on our API spec.
https://community.exoscale.com/reference/api/kms/cryptographic-operations/
