# Update external key reference

This page shows you how to update the external key reference for a
Cloud EKM key without rotating the key. The new key reference must
point to the same key material as the current key reference. If the key material
has been rotated in the external key management partner system, you must rotate the
key instead.

Use the instructions on this page if your external key management partner system has changed the
key reference for an existing key. For example, the key reference can
change as a result of a change to the hostname of the external key management partner or a
change in their key reference structure.

Required roles
--------------

To get the permission that you need to update an external key reference, ask your administrator to grant you the [Cloud KMS Admin](/iam/docs/roles-permissions/cloudkms#cloudkms.admin) (`roles/cloudkms.admin`) IAM role on your key. For more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).

This predefined role contains the `cloudkms.cryptoKeyVersions.update` permission, which is required to update an external key reference.

You might also be able to get this permission with [custom roles](/iam/docs/creating-custom-roles) or other [predefined roles](/iam/docs/roles-overview#predefined).

Update the URI for a key version without rotation
-------------------------------------------------

To update the key reference for a Cloud EKM key that you use over the internet, complete the following steps:

### Console

1. In the Google Cloud console, go to the **Key Management** page.

   [Go to Key Management](https://console.cloud.google.com/security/kms)

2. Select the key ring, and then select the key and version.

3. Click *more_vert* **More**, and then click **View key URI**.

4. Click **Update key URI**.

5. Enter the new key URI, and then click **Save**.

### gcloud CLI

To update the URI for the key version, use the `gcloud kms keys versions update` command:

```sh
gcloud kms keys versions update KEY_VERSION \
    --key KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION \
    --external-key-uri NEW_KEY_URI
```

Replace the following:

- `KEY_VERSION`: the key version number.
- `KEY_NAME`: the name of the key.
- `KEY_RING`: the name of the key ring that contains the key.
- `LOCATION`: the Cloud KMS location of the key ring.
- `NEW_KEY_URI`: the new URI for the existing external key material.

Update the key path for a key version without rotation
------------------------------------------------------

To update the key reference for a Cloud EKM key that you use over a VPC network, complete the following steps:

### Console

1. In the Google Cloud console, go to the **Key Management** page.

   [Go to Key Management](https://console.cloud.google.com/security/kms)

2. Select the key ring, and then select the key and version.

3. Click **More** *more_vert*, and then click **View key path**.

4. Click **Update key path**.

5. Enter the new key path, then click **Save**.

### gcloud CLI

To update the key path of the key version, use the `gcloud kms keys versions update` command:

```sh
gcloud kms keys versions update KEY_VERSION \
    --key KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION \
    --ekm-connection-key-path NEW_KEY_PATH
```

Replace the following:

- `KEY_VERSION`: the key version number.
- `KEY_NAME`: the name of the key.
- `KEY_RING`: the name of the key ring that contains the key.
- `LOCATION`: the Cloud KMS location of the key ring.
- `NEW_KEY_PATH`: the new path for the existing external key material.

Last updated 2025-08-23 UTC.
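
The following wrapper is an added example, not code from the original page or from Google. It reads the key version's protection level to choose between the two update commands above, skips the call when the reference is already current, and reads the value back afterwards. The function names are hypothetical, and the `EXTERNAL` / `EXTERNAL_VPC` protection levels and `externalProtectionLevelOptions` field names are assumed from the Cloud KMS API rather than taken from this page.

```sh
#!/bin/sh
# Added example, not part of the original page. Function names are hypothetical.
# It cannot check that the new reference points to the same key material;
# confirm that with your external key management partner before running it.
set -eu

# Print one field of a key version: VERSION KEY KEYRING LOCATION FIELD
describe_field() {
  gcloud kms keys versions describe "$1" --key "$2" --keyring "$3" \
    --location "$4" --format="value($5)"
}

# update_key_ref VERSION KEY KEYRING LOCATION NEW_REFERENCE
update_key_ref() {
  local version="$1" key="$2" keyring="$3" location="$4" new_ref="$5"
  local level flag field current after
  level=$(describe_field "$version" "$key" "$keyring" "$location" protectionLevel)
  # Assumed Cloud KMS API values: EXTERNAL = over the internet (key URI),
  # EXTERNAL_VPC = over a VPC network (key path).
  case "$level" in
    EXTERNAL)
      flag=--external-key-uri
      field=externalProtectionLevelOptions.externalKeyUri ;;
    EXTERNAL_VPC)
      flag=--ekm-connection-key-path
      field=externalProtectionLevelOptions.ekmConnectionKeyPath ;;
    *)
      echo "version $version has protection level '$level'; not a Cloud EKM key" >&2
      return 2 ;;
  esac
  current=$(describe_field "$version" "$key" "$keyring" "$location" "$field")
  if [ "$current" = "$new_ref" ]; then
    echo "unchanged"
    return 0
  fi
  gcloud kms keys versions update "$version" --key "$key" --keyring "$keyring" \
    --location "$location" "$flag" "$new_ref" >/dev/null
  # Read the reference back so a silently ignored update is caught.
  after=$(describe_field "$version" "$key" "$keyring" "$location" "$field")
  if [ "$after" != "$new_ref" ]; then
    echo "update did not take effect; reference is still '$after'" >&2
    return 3
  fi
  echo "updated $field: $current -> $new_ref"
}

# Run only when called with all five arguments.
if [ "$#" -eq 5 ]; then update_key_ref "$@"; fi
```
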