stackitcloud · s-inter · Mar 17, 2026 · Mar 18, 2026 · Mar 19, 2026 · Mar 20, 2026
@@ -18,14 +18,21 @@ stackit secrets-manager instance create [flags]
 
   Create a Secrets Manager instance with name "my-instance" and specify IP range which is allowed to access it
   $ stackit secrets-manager instance create --name my-instance --acl 1.2.3.0/24
+
+  Create a Secrets Manager instance with name "my-instance" and configure KMS key options
+  $ stackit secrets-manager instance create --name my-instance --kms-key-id key-id --kms-keyring-id keyring-id --kms-key-version 1 --kms-service-account-email my-service-account-1234567@sa.stackit.cloud
 ```
 
 ### Options
 
 ```
-      --acl strings   List of IP networks in CIDR notation which are allowed to access this instance (default [])
-  -h, --help          Help for "stackit secrets-manager instance create"
-  -n, --name string   Instance name
+      --acl strings                        List of IP networks in CIDR notation which are allowed to access this instance (default [])
+  -h, --help                               Help for "stackit secrets-manager instance create"
+      --kms-key-id string                  ID of the KMS key to use for encryption
+      --kms-key-version int                Version of the KMS key
+      --kms-keyring-id string              ID of the KMS key ring
+      --kms-service-account-email string   Service account email for KMS access
+  -n, --name string                        Instance name
 ```
 
 ### Options inherited from parent commands

@@ -15,13 +15,20 @@ stackit secrets-manager instance update INSTANCE_ID [flags]
 ```
   Update the range of IPs allowed to access a Secrets Manager instance with ID "xxx"
   $ stackit secrets-manager instance update xxx --acl 1.2.3.0/24
+
+  Update the KMS key settings of a Secrets Manager instance with ID "xxx"
+  $ stackit secrets-manager instance update xxx --kms-key-id key-id --kms-keyring-id keyring-id --kms-key-version 1 --kms-service-account-email my-service-account-1234567@sa.stackit.cloud
 ```
 
 ### Options
 
 ```
-      --acl strings   List of IP networks in CIDR notation which are allowed to access this instance (default [])
-  -h, --help          Help for "stackit secrets-manager instance update"
+      --acl strings                        List of IP networks in CIDR notation which are allowed to access this instance (default [])
+  -h, --help                               Help for "stackit secrets-manager instance update"
+      --kms-key-id string                  ID of the KMS key to use for encryption
+      --kms-key-version int                Version of the KMS key
+      --kms-keyring-id string              ID of the KMS key ring
+      --kms-service-account-email string   Service account email for KMS access
 ```
 
 ### Options inherited from parent commands

@@ -23,13 +23,23 @@ import (
 const (
 	instanceNameFlag = "name"
 	aclFlag          = "acl"
+
+	kmsKeyIdFlag               = "kms-key-id"
+	kmsKeyringIdFlag           = "kms-keyring-id"
+	kmsKeyVersionFlag          = "kms-key-version"
+	kmsServiceAccountEmailFlag = "kms-service-account-email"
 )
 
 type inputModel struct {
 	*globalflags.GlobalFlagModel
 
 	InstanceName *string
 	Acls         *[]string
+
+	KmsKeyId               *string
+	KmsKeyringId           *string
+	KmsKeyVersion          *int64
+	KmsServiceAccountEmail *string
 }
 
 func NewCmd(params *types.CmdParams) *cobra.Command {
@@ -45,6 +55,9 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			examples.NewExample(
 				`Create a Secrets Manager instance with name "my-instance" and specify IP range which is allowed to access it`,
 				`$ stackit secrets-manager instance create --name my-instance --acl 1.2.3.0/24`),
+			examples.NewExample(
+				`Create a Secrets Manager instance with name "my-instance" and configure KMS key options`,
+				`$ stackit secrets-manager instance create --name my-instance --kms-key-id key-id --kms-keyring-id keyring-id --kms-key-version 1 --kms-service-account-email my-service-account-1234567@sa.stackit.cloud`),
 		),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			ctx := context.Background()
@@ -103,8 +116,15 @@ func configureFlags(cmd *cobra.Command) {
 	cmd.Flags().StringP(instanceNameFlag, "n", "", "Instance name")
 	cmd.Flags().Var(flags.CIDRSliceFlag(), aclFlag, "List of IP networks in CIDR notation which are allowed to access this instance")
 
+	cmd.Flags().String(kmsKeyIdFlag, "", "ID of the KMS key to use for encryption")
+	cmd.Flags().String(kmsKeyringIdFlag, "", "ID of the KMS key ring")
+	cmd.Flags().Int64(kmsKeyVersionFlag, 0, "Version of the KMS key")
+	cmd.Flags().String(kmsServiceAccountEmailFlag, "", "Service account email for KMS access")
+
 	err := flags.MarkFlagsRequired(cmd, instanceNameFlag)
 	cobra.CheckErr(err)
+
+	cmd.MarkFlagsRequiredTogether(kmsKeyIdFlag, kmsKeyringIdFlag, kmsKeyVersionFlag, kmsServiceAccountEmailFlag)
 }
 
 func parseInput(p *print.Printer, cmd *cobra.Command, _ []string) (*inputModel, error) {
@@ -114,9 +134,13 @@ func parseInput(p *print.Printer, cmd *cobra.Command, _ []string) (*inputModel,
 	}
 
 	model := inputModel{
-		GlobalFlagModel: globalFlags,
-		InstanceName:    flags.FlagToStringPointer(p, cmd, instanceNameFlag),
-		Acls:            flags.FlagToStringSlicePointer(p, cmd, aclFlag),
+		GlobalFlagModel:        globalFlags,
+		InstanceName:           flags.FlagToStringPointer(p, cmd, instanceNameFlag),
+		Acls:                   flags.FlagToStringSlicePointer(p, cmd, aclFlag),
+		KmsKeyId:               flags.FlagToStringPointer(p, cmd, kmsKeyIdFlag),
+		KmsKeyringId:           flags.FlagToStringPointer(p, cmd, kmsKeyringIdFlag),
+		KmsKeyVersion:          flags.FlagToInt64Pointer(p, cmd, kmsKeyVersionFlag),
+		KmsServiceAccountEmail: flags.FlagToStringPointer(p, cmd, kmsServiceAccountEmailFlag),
 	}
 
 	p.DebugInputModel(model)
@@ -126,9 +150,20 @@ func parseInput(p *print.Printer, cmd *cobra.Command, _ []string) (*inputModel,
 func buildCreateInstanceRequest(ctx context.Context, model *inputModel, apiClient *secretsmanager.APIClient) secretsmanager.ApiCreateInstanceRequest {
 	req := apiClient.CreateInstance(ctx, model.ProjectId)
 
-	req = req.CreateInstancePayload(secretsmanager.CreateInstancePayload{
+	payload := secretsmanager.CreateInstancePayload{
 		Name: model.InstanceName,
-	})
+	}
+
+	if model.KmsKeyId != nil {
+		payload.KmsKey = &secretsmanager.KmsKeyPayload{
+			KeyId:               model.KmsKeyId,
+			KeyRingId:           model.KmsKeyringId,
+			KeyVersion:          model.KmsKeyVersion,
+			ServiceAccountEmail: model.KmsServiceAccountEmail,
+		}
+	}
+
+	req = req.CreateInstancePayload(payload)
 
 	return req
 }

@@ -25,6 +25,13 @@ var testClient = &secretsmanager.APIClient{}
 var testProjectId = uuid.NewString()
 var testInstanceId = uuid.NewString()
 
+const (
+	testKmsKeyId               = "key-id"
+	testKmsKeyringId           = "keyring-id"
+	testKmsKeyVersion          = int64(1)
+	testKmsServiceAccountEmail = "my-service-account-1234567@sa.stackit.cloud"
+)
+
 func fixtureFlagValues(mods ...func(flagValues map[string]string)) map[string]string {
 	flagValues := map[string]string{
 		projectIdFlag:    testProjectId,
@@ -162,6 +169,24 @@ func TestParseInput(t *testing.T) {
 				*model.Acls = append(*model.Acls, "1.2.3.4/32")
 			}),
 		},
+		{
+			description: "kms flags",
+			flagValues: fixtureFlagValues(func(flagValues map[string]string) {
+				delete(flagValues, aclFlag)
+				flagValues[kmsKeyIdFlag] = testKmsKeyId
+				flagValues[kmsKeyringIdFlag] = testKmsKeyringId
+				flagValues[kmsKeyVersionFlag] = "1"
+				flagValues[kmsServiceAccountEmailFlag] = testKmsServiceAccountEmail
+			}),
+			isValid: true,
+			expectedModel: fixtureInputModel(func(model *inputModel) {
+				model.Acls = nil
+				model.KmsKeyId = utils.Ptr(testKmsKeyId)
+				model.KmsKeyringId = utils.Ptr(testKmsKeyringId)
+				model.KmsKeyVersion = utils.Ptr(testKmsKeyVersion)
+				model.KmsServiceAccountEmail = utils.Ptr(testKmsServiceAccountEmail)
+			}),
+		},
 		{
 			description: "project id missing",
 			flagValues: fixtureFlagValues(func(flagValues map[string]string) {
@@ -205,6 +230,28 @@ func TestBuildCreateInstanceRequest(t *testing.T) {
 			model:           fixtureInputModel(),
 			expectedRequest: fixtureRequest(),
 		},
+		{
+			description: "with kms",
+			model: fixtureInputModel(func(model *inputModel) {
+				model.Acls = nil
+				model.KmsKeyId = utils.Ptr(testKmsKeyId)
+				model.KmsKeyringId = utils.Ptr(testKmsKeyringId)
+				model.KmsKeyVersion = utils.Ptr(testKmsKeyVersion)
+				model.KmsServiceAccountEmail = utils.Ptr(testKmsServiceAccountEmail)
+			}),
+			expectedRequest: fixtureRequest(func(request *secretsmanager.ApiCreateInstanceRequest) {
+				payload := secretsmanager.CreateInstancePayload{
+					Name: utils.Ptr("example"),
+					KmsKey: &secretsmanager.KmsKeyPayload{
+						KeyId:               utils.Ptr(testKmsKeyId),
+						KeyRingId:           utils.Ptr(testKmsKeyringId),
+						KeyVersion:          utils.Ptr(testKmsKeyVersion),
+						ServiceAccountEmail: utils.Ptr(testKmsServiceAccountEmail),
+					},
+				}
+				*request = (*request).CreateInstancePayload(payload)
+			}),
+		},
 	}
 
 	for _, tt := range tests {

@@ -128,6 +128,17 @@ func outputResult(p *print.Printer, outputFormat string, instance *secretsmanage
 		table.AddSeparator()
 		table.AddRow("CREATION DATE", utils.PtrString(instance.CreationStartDate))
 		table.AddSeparator()
+		kmsKey := instance.KmsKey
+		showKms := kmsKey != nil && (kmsKey.KeyId != nil || kmsKey.KeyRingId != nil || kmsKey.KeyVersion != nil || kmsKey.ServiceAccountEmail != nil)
+		if showKms {
+			table.AddRow("KMS KEY ID", utils.PtrString(kmsKey.KeyId))
+			table.AddSeparator()
+			table.AddRow("KMS KEYRING ID", utils.PtrString(kmsKey.KeyRingId))
+			table.AddSeparator()
+			table.AddRow("KMS KEY VERSION", utils.PtrString(kmsKey.KeyVersion))
+			table.AddSeparator()
+			table.AddRow("KMS SERVICE ACCOUNT EMAIL", utils.PtrString(kmsKey.ServiceAccountEmail))
+		}
 		// Only show ACL if it's present and not empty
 		if aclList.Acls != nil && len(*aclList.Acls) > 0 {
 			var cidrs []string
@@ -136,6 +147,9 @@ func outputResult(p *print.Printer, outputFormat string, instance *secretsmanage
 				cidrs = append(cidrs, *acl.Cidr)
 			}
 
+			if showKms {
+				table.AddSeparator()
+			}
 			table.AddRow("ACL", strings.Join(cidrs, ","))
 		}
 		err := table.Display(p)

@@ -9,6 +9,7 @@ import (
 	"github.com/stackitcloud/stackit-cli/internal/pkg/globalflags"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/print"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/testutils"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/utils"
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
@@ -247,6 +248,21 @@ func TestOutputResult(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "instance with kms key",
+			args: args{
+				instance: &secretsmanager.Instance{
+					KmsKey: &secretsmanager.KmsKeyPayload{
+						KeyId:               utils.Ptr("key-id"),
+						KeyRingId:           utils.Ptr("keyring-id"),
+						KeyVersion:          utils.Ptr(int64(1)),
+						ServiceAccountEmail: utils.Ptr("my-service-account-1234567@sa.stackit.cloud"),
+					},
+				},
+				aclList: &secretsmanager.ListACLsResponse{},
+			},
+			wantErr: false,
+		},
 	}
 	p := print.NewPrinter()
 	p.Cmd = NewCmd(&types.CmdParams{Printer: p})

@@ -25,13 +25,23 @@ const (
 	instanceIdArg = "INSTANCE_ID"
 
 	aclFlag = "acl"
+
+	kmsKeyIdFlag               = "kms-key-id"
+	kmsKeyringIdFlag           = "kms-keyring-id"
+	kmsKeyVersionFlag          = "kms-key-version"
+	kmsServiceAccountEmailFlag = "kms-service-account-email"
 )
 
 type inputModel struct {
 	*globalflags.GlobalFlagModel
 	InstanceId string
 
 	Acls *[]string
+
+	KmsKeyId               *string
+	KmsKeyringId           *string
+	KmsKeyVersion          *int64
+	KmsServiceAccountEmail *string
 }
 
 func NewCmd(params *types.CmdParams) *cobra.Command {
@@ -44,6 +54,9 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			examples.NewExample(
 				`Update the range of IPs allowed to access a Secrets Manager instance with ID "xxx"`,
 				"$ stackit secrets-manager instance update xxx --acl 1.2.3.0/24"),
+			examples.NewExample(
+				`Update the KMS key settings of a Secrets Manager instance with ID "xxx"`,
+				"$ stackit secrets-manager instance update xxx --kms-key-id key-id --kms-keyring-id keyring-id --kms-key-version 1 --kms-service-account-email my-service-account-1234567@sa.stackit.cloud"),
 		),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			ctx := context.Background()
@@ -72,7 +85,14 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 
 			// Call API
 			req := buildRequest(ctx, model, apiClient)
-			err = req.Execute()
+			switch request := req.(type) {
+			case secretsmanager.ApiUpdateInstanceRequest:
+				err = request.Execute()
+			case secretsmanager.ApiUpdateACLsRequest:
+				err = request.Execute()
+			default:
+				err = fmt.Errorf("unknown request type")
+			}
 			if err != nil {
 				return fmt.Errorf("update Secrets Manager instance: %w", err)
 			}
@@ -87,6 +107,15 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 
 func configureFlags(cmd *cobra.Command) {
 	cmd.Flags().Var(flags.CIDRSliceFlag(), aclFlag, "List of IP networks in CIDR notation which are allowed to access this instance")
+
+	cmd.Flags().String(kmsKeyIdFlag, "", "ID of the KMS key to use for encryption")
+	cmd.Flags().String(kmsKeyringIdFlag, "", "ID of the KMS key ring")
+	cmd.Flags().Int64(kmsKeyVersionFlag, 0, "Version of the KMS key")
+	cmd.Flags().String(kmsServiceAccountEmailFlag, "", "Service account email for KMS access")
+
+	cmd.MarkFlagsRequiredTogether(kmsKeyIdFlag, kmsKeyringIdFlag, kmsKeyVersionFlag, kmsServiceAccountEmailFlag)
+	cmd.MarkFlagsMutuallyExclusive(aclFlag, kmsKeyIdFlag)
+	cmd.MarkFlagsOneRequired(aclFlag, kmsKeyIdFlag)
 }
 
 func parseInput(p *print.Printer, cmd *cobra.Command, inputArgs []string) (*inputModel, error) {
@@ -99,21 +128,46 @@ func parseInput(p *print.Printer, cmd *cobra.Command, inputArgs []string) (*inpu
 
 	acls := flags.FlagToStringSlicePointer(p, cmd, aclFlag)
 
-	if acls == nil {
-		return nil, &cliErr.EmptyUpdateError{}
-	}
-
 	model := inputModel{
-		GlobalFlagModel: globalFlags,
-		InstanceId:      instanceId,
-		Acls:            acls,
+		GlobalFlagModel:        globalFlags,
+		InstanceId:             instanceId,
+		Acls:                   acls,
+		KmsKeyId:               flags.FlagToStringPointer(p, cmd, kmsKeyIdFlag),
+		KmsKeyringId:           flags.FlagToStringPointer(p, cmd, kmsKeyringIdFlag),
+		KmsKeyVersion:          flags.FlagToInt64Pointer(p, cmd, kmsKeyVersionFlag),
+		KmsServiceAccountEmail: flags.FlagToStringPointer(p, cmd, kmsServiceAccountEmailFlag),
 	}
 
 	p.DebugInputModel(model)
 	return &model, nil
 }
 
-func buildRequest(ctx context.Context, model *inputModel, apiClient *secretsmanager.APIClient) secretsmanager.ApiUpdateACLsRequest {
+func buildRequest(ctx context.Context, model *inputModel, apiClient *secretsmanager.APIClient) interface{ Execute() error } {
+	if model.KmsKeyId != nil {
+		return buildUpdateInstanceRequest(ctx, model, apiClient)
+	}
+
+	return buildUpdateACLsRequest(ctx, model, apiClient)
+}
+
+func buildUpdateInstanceRequest(ctx context.Context, model *inputModel, apiClient *secretsmanager.APIClient) secretsmanager.ApiUpdateInstanceRequest {
+	req := apiClient.UpdateInstance(ctx, model.ProjectId, model.InstanceId)
+
+	payload := secretsmanager.UpdateInstancePayload{
+		KmsKey: &secretsmanager.KmsKeyPayload{
+			KeyId:               model.KmsKeyId,
+			KeyRingId:           model.KmsKeyringId,
+			KeyVersion:          model.KmsKeyVersion,
+			ServiceAccountEmail: model.KmsServiceAccountEmail,
+		},
+	}
+
+	req = req.UpdateInstancePayload(payload)
+
+	return req
+}
+
+func buildUpdateACLsRequest(ctx context.Context, model *inputModel, apiClient *secretsmanager.APIClient) secretsmanager.ApiUpdateACLsRequest {
 	req := apiClient.UpdateACLs(ctx, model.ProjectId, model.InstanceId)
 
 	cidrs := []secretsmanager.UpdateACLPayload{}