Skip to content

Kops promote keypair

kops promote keypair

Promote a keypair to be the primary, used for signing.


Promote a keypair to be the primary, used for signing.

If no keypair ID is provided, the most recently added keypair that has a private key will be promoted if it was added after the current primary.

If the keyset is specified as "all", each rotatable keyset will have its most recently added keypair (with a private key and added after the current primary) promoted.

kops promote keypair {KEYSET [ID] | all} [flags]


  # Promote the newest kubernetes-ca keypair to be the primary.
  kops promote keypair kubernetes-ca \
  --name --state s3://my-state-store

  # Promote a specific service-account keypair to be the primary.
  kops promote keypair service-account 5938372002934847 \
  --name --state s3://my-state-store

  # Promote the newest keypair (having a private key) in each rotatable keyset.
  kops promote keypair all \
  --name --state s3://my-state-store


  -h, --help   help for keypair

Options inherited from parent commands

      --add_dir_header                   If true, adds the file directory to the header of the log messages
      --alsologtostderr                  log to standard error as well as files (no effect when -logtostderr=true)
      --config string                    yaml config file (default is $HOME/.kops.yaml)
      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
      --log_dir string                   If non-empty, write log files in this directory (no effect when -logtostderr=true)
      --log_file string                  If non-empty, use this log file (no effect when -logtostderr=true)
      --log_file_max_size uint           Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --logtostderr                      log to standard error instead of files (default true)
      --name string                      Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
      --one_output                       If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
      --skip_headers                     If true, avoid header prefixes in the log messages
      --skip_log_headers                 If true, avoid headers when opening log files (no effect when -logtostderr=true)
      --state string                     Location of state storage (kops 'config' file). Overrides KOPS_STATE_STORE environment variable
      --stderrthreshold severity         logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2)
  -v, --v Level                          number for the log level verbosity
      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging