Reputation: 33
Correct use of gcloud --sort-by combined with --limit
I'm using Google Cloud KMS, and I try to get the latest version of a specific asymmetric key with gcloud cli (v492.0). It seems that the --limit flag doesn't take into account the sorting direction provided by --sort-by. Sorting is getting applied after the limit, in my opinion this is wrong and sorting should happen first then the limit.
I currently have 3 versions of my-key. To get the latest version of a specific key I use the following command :
gcloud kms keys versions list \
--key my-key \
--keyring my-keyring \
--location global \
--filter "state:ENABLED" \
--sort-by "~createTime" \
--limit 1
However this command results always in the very first version of the specified key.
NAME STATE
projects/.../my-keyring/cryptoKeys/my-key/cryptoKeyVersions/1 ENABLED
I expected to see cryptoKeyVersions/3 here but I get cryptoKeyVersions/1 instead.
Omitting the --limit flag gives this result:
NAME STATE
projects/.../my-keyring/cryptoKeys/my-key/cryptoKeyVersions/3 ENABLED
projects/.../my-keyring/cryptoKeys/my-key/cryptoKeyVersions/2 ENABLED
projects/.../my-keyring/cryptoKeys/my-key/cryptoKeyVersions/1 ENABLED
So sorting has been applied correctly.
When I issue the same command but with --limit 2:
gcloud kms keys versions list \
--key my-key \
--keyring my-keyring \
--location global \
--filter "state:ENABLED" \
--sort-by "~createTime" \
--limit 2
It gives back two records:
NAME STATE
projects/.../my-keyring/cryptoKeys/my-key/cryptoKeyVersions/2 ENABLED
projects/.../my-keyring/cryptoKeys/my-key/cryptoKeyVersions/1 ENABLED
While I expected to see keyversions 3 and 2. So the obvious reason for this is that limit happens first sorting afterwards.
My questions is: Is this the intended way of working and I got it wrong or is this a bug?
Upvotes: 0
Views: 117
Answers (1)
Reputation: 3260
There is an ongoing GCP issue with order of applying --limit= and --sort-by in this issue tracker, this is an old issue which is still going on, if you want to create a new Issue Tracker thread describing your issue. If you have paid support try create an issue.
You can try another workaround using --format flag to get the latest versions, try below command which gives the latest versions which are enabled:
gcloud kms keys versions list \
--key demo1 \
--keyring demo-1 \
--location global \
--filter "state:ENABLED" \
--sort-by "~createTime" \
--format="value(name)" | \
head -n 2
output :
projects/………../keyRings/demo-1/cryptoKeys/demo1/cryptoKeyVersions/4
projects/………../keyRings/demo-1/cryptoKeys/demo1/cryptoKeyVersions/2
Upvotes: 0
Related Questions
- How to properly use a secret from the Secret Manager in a Cloud Run deployment via gcloud shell
- Destroying Keys With Rotation
- How to enable autoscaling/v2beta2 in google cloud
- gcloud cli filter format and limit behaviour
- Getting error while generating crypto keys using GCloud KMS to access private repo as dependency
- gcloud AttributeError: 'module' object has no attribute 'aes_key_wrap_with_padding'
- GCP DLP unable to run dlp.deidentify_content method get exception The request concerns location 'us-east1' but was sent to location 'global'
- Google's Key Management System: data unencryption after key rotation