Types for Cloud Key Management Service (KMS) API Client#
-
class
google.cloud.kms_v1.types.
AsymmetricDecryptRequest
# Request message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
-
name
# Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for decryption.
-
ciphertext
# Required. The data encrypted with the named [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]’s public key using OAEP.
-
ciphertext
Field google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext
-
name
Field google.cloud.kms.v1.AsymmetricDecryptRequest.name
-
-
class
google.cloud.kms_v1.types.
AsymmetricDecryptResponse
# Response message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
-
plaintext
# The decrypted data originally encrypted with the matching public key.
-
plaintext
Field google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext
-
-
class
google.cloud.kms_v1.types.
AsymmetricSignRequest
# Request message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
-
name
# Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for signing.
-
digest
# Required. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version’s [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
-
digest
Field google.cloud.kms.v1.AsymmetricSignRequest.digest
-
name
Field google.cloud.kms.v1.AsymmetricSignRequest.name
-
-
class
google.cloud.kms_v1.types.
AsymmetricSignResponse
# Response message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
-
signature
# The created signature.
-
signature
Field google.cloud.kms.v1.AsymmetricSignResponse.signature
-
-
class
google.cloud.kms_v1.types.
CreateCryptoKeyRequest
# Request message for [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
-
parent
# Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey].
-
crypto_key_id
# Required. It must be unique within a KeyRing and match the regular expression
[a-zA-Z0-9_-]{1,63}
-
crypto_key
# A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field values.
-
skip_initial_version_creation
# If set to true, the request will create a [CryptoKey][google.cloud.kms.v1.CryptoKey] without any [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. You must manually call [CreateCryptoKeyVersion][google.cloud.kms.v 1.KeyManagementService.CreateCryptoKeyVersion] or [ImportCrypt oKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCr yptoKeyVersion] before you can use this [CryptoKey][google.cloud.kms.v1.CryptoKey].
-
crypto_key
Field google.cloud.kms.v1.CreateCryptoKeyRequest.crypto_key
-
crypto_key_id
Field google.cloud.kms.v1.CreateCryptoKeyRequest.crypto_key_id
-
parent
Field google.cloud.kms.v1.CreateCryptoKeyRequest.parent
-
skip_initial_version_creation
Field google.cloud.kms.v1.CreateCryptoKeyRequest.skip_initial_version_creation
-
-
class
google.cloud.kms_v1.types.
CreateCryptoKeyVersionRequest
# Request message for [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
-
parent
# Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
-
crypto_key_version
# A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with initial field values.
-
crypto_key_version
Field google.cloud.kms.v1.CreateCryptoKeyVersionRequest.crypto_key_version
-
parent
Field google.cloud.kms.v1.CreateCryptoKeyVersionRequest.parent
-
-
class
google.cloud.kms_v1.types.
CreateImportJobRequest
# Request message for [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].
-
parent
# Required. The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] associated with the [ImportJobs][google.cloud.kms.v1.ImportJob].
-
import_job_id
# Required. It must be unique within a KeyRing and match the regular expression
[a-zA-Z0-9_-]{1,63}
-
import_job
# Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field values.
-
import_job
Field google.cloud.kms.v1.CreateImportJobRequest.import_job
-
import_job_id
Field google.cloud.kms.v1.CreateImportJobRequest.import_job_id
-
parent
Field google.cloud.kms.v1.CreateImportJobRequest.parent
-
-
class
google.cloud.kms_v1.types.
CreateKeyRingRequest
# Request message for [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
-
parent
# Required. The resource name of the location associated with the [KeyRings][google.cloud.kms.v1.KeyRing], in the format
projects/*/locations/*
.
-
key_ring_id
# Required. It must be unique within a location and match the regular expression
[a-zA-Z0-9_-]{1,63}
-
key_ring
# A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field values.
-
key_ring
Field google.cloud.kms.v1.CreateKeyRingRequest.key_ring
-
key_ring_id
Field google.cloud.kms.v1.CreateKeyRingRequest.key_ring_id
-
parent
Field google.cloud.kms.v1.CreateKeyRingRequest.parent
-
-
class
google.cloud.kms_v1.types.
CryptoKey
# A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic operations.
A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of one or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.
-
name
# Output only. The resource name for this [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*
.
-
primary
# Output only. A copy of the “primary” [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this [CryptoKey][google.cloud.kms.v1.CryptoKey] is given in [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.na me]. The [CryptoKey][google.cloud.kms.v1.CryptoKey]’s primary version can be updated via [UpdateCryptoKeyPrimaryVersion][goo gle.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVe rsion]. All keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DEC RYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_ DECRYPT] have a primary. For other keys, this field will be omitted.
-
purpose
# The immutable purpose of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
-
create_time
# Output only. The time at which this [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.
-
next_rotation_time
# At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_ rotation_time], the Key Management Service will automatically: 1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey]. 2. Mark the new version as primary. Key rotations performed manually via [Cre ateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService. CreateCryptoKeyVersion] and [UpdateCryptoKeyPrimaryVersion][go ogle.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryV ersion] do not affect [next_rotation_time][google.cloud.kms. v1.CryptoKey.next_rotation_time]. Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DEC RYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_ DECRYPT] support automatic rotation. For other keys, this field must be omitted.
-
rotation_schedule
# Controls the rate of automatic rotation.
-
rotation_period
# [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rot ation_time] will be advanced by this period when the service automatically rotates a key. Must be at least one day. If [ro tation_period][google.cloud.kms.v1.CryptoKey.rotation_period ] is set, [next_rotation_time][google.cloud.kms.v1.CryptoKey .next_rotation_time] must also be set. Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DEC RYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_ DECRYPT] support automatic rotation. For other keys, this field must be omitted.
-
version_template
# A template describing settings for new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances. The properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances created by either [CreateCryptoKeyVersion][google.cl oud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or auto-rotation are controlled by this template.
-
labels
# Labels with user-defined metadata. For more information, see Labeling Keys.
-
class
LabelsEntry
# -
key
# Field google.cloud.kms.v1.CryptoKey.LabelsEntry.key
-
value
# Field google.cloud.kms.v1.CryptoKey.LabelsEntry.value
-
-
create_time
Field google.cloud.kms.v1.CryptoKey.create_time
-
labels
Field google.cloud.kms.v1.CryptoKey.labels
-
name
Field google.cloud.kms.v1.CryptoKey.name
-
next_rotation_time
Field google.cloud.kms.v1.CryptoKey.next_rotation_time
-
primary
Field google.cloud.kms.v1.CryptoKey.primary
-
purpose
Field google.cloud.kms.v1.CryptoKey.purpose
-
rotation_period
Field google.cloud.kms.v1.CryptoKey.rotation_period
-
version_template
Field google.cloud.kms.v1.CryptoKey.version_template
-
-
class
google.cloud.kms_v1.types.
CryptoKeyVersion
# A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the associated key material.
An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.
For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
-
name
# Output only. The resource name for this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cr yptoKeyVersions/*
.
-
state
# The current state of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
-
protection_level
# Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] describing how crypto operations are performed with this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
-
algorithm
# Output only. The [CryptoKeyVersionAlgorithm][google.cloud.kms. v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] supports.
-
attestation
# Output only. Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with [protection_level ][google.cloud.kms.v1.CryptoKeyVersion.protection_level] [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
-
create_time
# Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created.
-
generate_time
# Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]’s key material was generated.
-
destroy_time
# Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]’s key material is scheduled for destruction. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [DESTRO Y_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVe rsionState.DESTROY_SCHEDULED].
-
destroy_event_time
# Output only. The time this CryptoKeyVersion’s key material was destroyed. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [DESTRO YED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionStat e.DESTROYED].
-
import_job
# Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob] used to import this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if the underlying key material was imported.
-
import_time
# Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]’s key material was imported.
-
import_failure_reason
# Output only. The root cause of an import failure. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [IMP ORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVer sionState.IMPORT_FAILED].
-
algorithm
Field google.cloud.kms.v1.CryptoKeyVersion.algorithm
-
attestation
Field google.cloud.kms.v1.CryptoKeyVersion.attestation
-
create_time
Field google.cloud.kms.v1.CryptoKeyVersion.create_time
-
destroy_event_time
Field google.cloud.kms.v1.CryptoKeyVersion.destroy_event_time
-
destroy_time
Field google.cloud.kms.v1.CryptoKeyVersion.destroy_time
-
generate_time
Field google.cloud.kms.v1.CryptoKeyVersion.generate_time
-
import_failure_reason
Field google.cloud.kms.v1.CryptoKeyVersion.import_failure_reason
-
import_job
Field google.cloud.kms.v1.CryptoKeyVersion.import_job
-
import_time
Field google.cloud.kms.v1.CryptoKeyVersion.import_time
-
name
Field google.cloud.kms.v1.CryptoKeyVersion.name
-
protection_level
Field google.cloud.kms.v1.CryptoKeyVersion.protection_level
-
state
Field google.cloud.kms.v1.CryptoKeyVersion.state
-
-
class
google.cloud.kms_v1.types.
CryptoKeyVersionTemplate
# A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate] specifies the properties to use when creating a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually with [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or automatically as a result of auto-rotation.
-
protection_level
# [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this template. Immutable. Defaults to [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
-
algorithm
# Required. [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.Cry ptoKeyVersionAlgorithm] to use when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurp ose.ENCRYPT_DECRYPT].
-
algorithm
Field google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm
-
protection_level
Field google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level
-
-
class
google.cloud.kms_v1.types.
DecryptRequest
# Request message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
-
name
# Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The server will choose the appropriate version.
-
ciphertext
# Required. The encrypted data originally returned in [EncryptRe sponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphert ext].
-
additional_authenticated_data
# Optional data that must match the data originally supplied in [EncryptRequest.additional_authenticated_data][google.cloud. kms.v1.EncryptRequest.additional_authenticated_data].
-
additional_authenticated_data
Field google.cloud.kms.v1.DecryptRequest.additional_authenticated_data
-
ciphertext
Field google.cloud.kms.v1.DecryptRequest.ciphertext
-
name
Field google.cloud.kms.v1.DecryptRequest.name
-
-
class
google.cloud.kms_v1.types.
DecryptResponse
# Response message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
-
plaintext
# The decrypted data originally supplied in [EncryptRequest.plai ntext][google.cloud.kms.v1.EncryptRequest.plaintext].
-
plaintext
Field google.cloud.kms.v1.DecryptResponse.plaintext
-
-
class
google.cloud.kms_v1.types.
DestroyCryptoKeyVersionRequest
# Request message for [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
-
name
# The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.
-
name
Field google.cloud.kms.v1.DestroyCryptoKeyVersionRequest.name
-
-
class
google.cloud.kms_v1.types.
Digest
# A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message digest.
-
digest
# Required. The message digest.
-
sha256
# A message digest produced with the SHA-256 algorithm.
-
sha384
# A message digest produced with the SHA-384 algorithm.
-
sha512
# A message digest produced with the SHA-512 algorithm.
-
sha256
Field google.cloud.kms.v1.Digest.sha256
-
sha384
Field google.cloud.kms.v1.Digest.sha384
-
sha512
Field google.cloud.kms.v1.Digest.sha512
-
-
class
google.cloud.kms_v1.types.
Duration
# -
nanos
# Field google.protobuf.Duration.nanos
-
seconds
# Field google.protobuf.Duration.seconds
-
-
class
google.cloud.kms_v1.types.
EncryptRequest
# Request message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
-
name
# Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] or [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for encryption. If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].
-
plaintext
# Required. The data to encrypt. Must be no larger than 64KiB. The maximum size depends on the key version’s [protection_lev el][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_l evel]. For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the plaintext must be no larger than 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.
-
additional_authenticated_data
# Optional data that, if specified, must also be provided during decryption through [DecryptRequest.additional_authenticated_ data][google.cloud.kms.v1.DecryptRequest.additional_authentic ated_data]. The maximum size depends on the key version’s [p rotection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate .protection_level]. For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the AAD must be no larger than 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.
-
additional_authenticated_data
Field google.cloud.kms.v1.EncryptRequest.additional_authenticated_data
-
name
Field google.cloud.kms.v1.EncryptRequest.name
-
plaintext
Field google.cloud.kms.v1.EncryptRequest.plaintext
-
-
class
google.cloud.kms_v1.types.
EncryptResponse
# Response message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
-
name
# The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in encryption.
-
ciphertext
# The encrypted data.
-
ciphertext
Field google.cloud.kms.v1.EncryptResponse.ciphertext
-
name
Field google.cloud.kms.v1.EncryptResponse.name
-
-
class
google.cloud.kms_v1.types.
GetCryptoKeyRequest
# Request message for [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
-
name
# The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
-
name
Field google.cloud.kms.v1.GetCryptoKeyRequest.name
-
-
class
google.cloud.kms_v1.types.
GetCryptoKeyVersionRequest
# Request message for [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
-
name
# The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.
-
name
Field google.cloud.kms.v1.GetCryptoKeyVersionRequest.name
-
-
class
google.cloud.kms_v1.types.
GetImportJobRequest
# Request message for [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
-
name
# The [name][google.cloud.kms.v1.ImportJob.name] of the [ImportJob][google.cloud.kms.v1.ImportJob] to get.
-
name
Field google.cloud.kms.v1.GetImportJobRequest.name
-
-
class
google.cloud.kms_v1.types.
GetKeyRingRequest
# Request message for [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
-
name
# The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] to get.
-
name
Field google.cloud.kms.v1.GetKeyRingRequest.name
-
-
class
google.cloud.kms_v1.types.
GetPublicKeyRequest
# Request message for [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
-
name
# The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get.
-
name
Field google.cloud.kms.v1.GetPublicKeyRequest.name
-
-
class
google.cloud.kms_v1.types.
ImportCryptoKeyVersionRequest
# Request message for [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
-
parent
# Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to be imported into.
-
algorithm
# Required. The [algorithm][google.cloud.kms.v1.CryptoKeyVersion .CryptoKeyVersionAlgorithm] of the key being imported. This does not need to match the [version_template][google.cloud.km s.v1.CryptoKey.version_template] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] this version imports into.
-
import_job
# Required. The [name][google.cloud.kms.v1.ImportJob.name] of the [ImportJob][google.cloud.kms.v1.ImportJob] that was used to wrap this key material.
-
wrapped_key_material
# Required. The incoming wrapped key material that is to be imported.
-
rsa_aes_wrapped_key
# Wrapped key material produced with [RSA_OAEP_3072_SHA1_AES _256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3 072_SHA1_AES_256] or [RSA_OAEP_4096_SHA1_AES_256][goog le.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_ AES_256]. This field contains the concatenation of two wrapped keys: .. raw:: html <ol> .. raw:: html <li> An ephemeral AES-256 wrapping key wrapped with the [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP with SHA-1, MGF1 with SHA-1, and an empty label. .. raw:: html </li> .. raw:: html <li> The key to be imported, wrapped with the ephemeral AES-256 key using AES-KWP (RFC 5649). .. raw:: html </li> .. raw:: html </ol> This format is the same as the format produced by PKCS#11 mechanism CKM_RSA_AES_KEY_WRAP.
-
algorithm
Field google.cloud.kms.v1.ImportCryptoKeyVersionRequest.algorithm
-
import_job
Field google.cloud.kms.v1.ImportCryptoKeyVersionRequest.import_job
-
parent
Field google.cloud.kms.v1.ImportCryptoKeyVersionRequest.parent
-
rsa_aes_wrapped_key
Field google.cloud.kms.v1.ImportCryptoKeyVersionRequest.rsa_aes_wrapped_key
-
-
class
google.cloud.kms_v1.types.
ImportJob
# An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material, generated outside of Cloud KMS.
When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a “wrapping key”, which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The fetched public key can then be used to wrap your pre-existing key material.
Once the key material is wrapped, it can be imported into a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key.
An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the [ImportJob][google.cloud.kms.v1.ImportJob]’s public key.
For more information, see Importing a key.
-
name
# Output only. The resource name for this [ImportJob][google.cloud.kms.v1.ImportJob] in the format
projects/*/locations/*/keyRings/*/importJobs/*
.
-
import_method
# Required and immutable. The wrapping method to be used for incoming key material.
-
protection_level
# Required and immutable. The protection level of the [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the [protection_level][google.cloud.kms.v1.CryptoKeyVersionTe mplate.protection_level] of the [version_template][google.cl oud.kms.v1.CryptoKey.version_template] on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you attempt to import into.
-
create_time
# Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] was created.
-
generate_time
# Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]’s key material was generated.
-
expire_time
# Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for expiration and can no longer be used to import key material.
-
expire_event_time
# Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob] expired. Only present if [state][google.cloud.kms.v1.ImportJob.state] is [EX PIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED].
-
state
# Output only. The current state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used.
-
public_key
# Output only. The public key with which to wrap key material prior to import. Only returned if [state][google.cloud.kms.v1.ImportJob.state] is [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE].
-
attestation
# Output only. Statement that was generated and signed by the key creator (for example, an HSM) at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only present if the chosen [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is one with a protection level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
-
class
WrappingPublicKey
# The public key component of the wrapping key. For details of the type of key this public key corresponds to, see the [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod].
-
pem
# The public key, encoded in PEM format. For more information, see the RFC 7468 sections for General Considerations and [Textual Encoding of Subject Public Key Info] (https://tools.ietf.org/html/rfc7468#section-13).
-
pem
Field google.cloud.kms.v1.ImportJob.WrappingPublicKey.pem
-
-
attestation
Field google.cloud.kms.v1.ImportJob.attestation
-
create_time
Field google.cloud.kms.v1.ImportJob.create_time
-
expire_event_time
Field google.cloud.kms.v1.ImportJob.expire_event_time
-
expire_time
Field google.cloud.kms.v1.ImportJob.expire_time
-
generate_time
Field google.cloud.kms.v1.ImportJob.generate_time
-
import_method
Field google.cloud.kms.v1.ImportJob.import_method
-
name
Field google.cloud.kms.v1.ImportJob.name
-
protection_level
Field google.cloud.kms.v1.ImportJob.protection_level
-
public_key
Field google.cloud.kms.v1.ImportJob.public_key
-
state
Field google.cloud.kms.v1.ImportJob.state
-
-
class
google.cloud.kms_v1.types.
KeyOperationAttestation
# Contains an HSM-generated attestation about a key operation. For more information, see [Verifying attestations] (https://cloud.google.com/kms/docs/attest-key).
-
format
# Output only. The format of the attestation data.
-
content
# Output only. The attestation data provided by the HSM when the key operation was performed.
-
content
Field google.cloud.kms.v1.KeyOperationAttestation.content
-
format
Field google.cloud.kms.v1.KeyOperationAttestation.format
-
-
class
google.cloud.kms_v1.types.
KeyRing
# A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
-
name
# Output only. The resource name for the [KeyRing][google.cloud.kms.v1.KeyRing] in the format
projects/*/locations/*/keyRings/*
.
-
create_time
# Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing] was created.
-
create_time
Field google.cloud.kms.v1.KeyRing.create_time
-
name
Field google.cloud.kms.v1.KeyRing.name
-
-
class
google.cloud.kms_v1.types.
ListCryptoKeyVersionsRequest
# Request message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
-
parent
# Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*
.
-
page_size
# Optional limit on the number of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to include in the response. Further [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can subsequently be obtained by including the [ListCryptoKeyVersio nsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKe yVersionsResponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.
-
page_token
# Optional pagination token, returned earlier via [ListCryptoKey VersionsResponse.next_page_token][google.cloud.kms.v1.ListCr yptoKeyVersionsResponse.next_page_token].
-
view
# The fields to include in the response.
-
filter
# Optional. Only include resources that match the filter in the response.
-
order_by
# Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order.
-
filter
Field google.cloud.kms.v1.ListCryptoKeyVersionsRequest.filter
-
order_by
Field google.cloud.kms.v1.ListCryptoKeyVersionsRequest.order_by
-
page_size
Field google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_size
-
page_token
Field google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token
-
parent
Field google.cloud.kms.v1.ListCryptoKeyVersionsRequest.parent
-
view
Field google.cloud.kms.v1.ListCryptoKeyVersionsRequest.view
-
-
class
google.cloud.kms_v1.types.
ListCryptoKeyVersionsResponse
# Response message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
-
crypto_key_versions
# The list of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
-
next_page_token
# A token to retrieve next page of results. Pass this value in [ ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1. ListCryptoKeyVersionsRequest.page_token] to retrieve the next page of results.
-
total_size
# The total number of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the query.
-
crypto_key_versions
Field google.cloud.kms.v1.ListCryptoKeyVersionsResponse.crypto_key_versions
-
next_page_token
Field google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token
-
total_size
Field google.cloud.kms.v1.ListCryptoKeyVersionsResponse.total_size
-
-
class
google.cloud.kms_v1.types.
ListCryptoKeysRequest
# Request message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
-
parent
# Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format
projects/*/locations/*/keyRings/*
.
-
page_size
# Optional limit on the number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the response. Further [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently be obtained by including the [ListCryptoKeysR esponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysR esponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.
-
page_token
# Optional pagination token, returned earlier via [ListCryptoKey sResponse.next_page_token][google.cloud.kms.v1.ListCryptoKey sResponse.next_page_token].
-
version_view
# The fields of the primary version to include in the response.
-
filter
# Optional. Only include resources that match the filter in the response.
-
order_by
# Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order.
-
filter
Field google.cloud.kms.v1.ListCryptoKeysRequest.filter
-
order_by
Field google.cloud.kms.v1.ListCryptoKeysRequest.order_by
-
page_size
Field google.cloud.kms.v1.ListCryptoKeysRequest.page_size
-
page_token
Field google.cloud.kms.v1.ListCryptoKeysRequest.page_token
-
parent
Field google.cloud.kms.v1.ListCryptoKeysRequest.parent
-
version_view
Field google.cloud.kms.v1.ListCryptoKeysRequest.version_view
-
-
class
google.cloud.kms_v1.types.
ListCryptoKeysResponse
# Response message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
-
crypto_keys
# The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
-
next_page_token
# A token to retrieve next page of results. Pass this value in [ ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCry ptoKeysRequest.page_token] to retrieve the next page of results.
-
total_size
# The total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that matched the query.
-
crypto_keys
Field google.cloud.kms.v1.ListCryptoKeysResponse.crypto_keys
-
next_page_token
Field google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token
-
total_size
Field google.cloud.kms.v1.ListCryptoKeysResponse.total_size
-
-
class
google.cloud.kms_v1.types.
ListImportJobsRequest
# Request message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
-
parent
# Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format
projects/*/locations/*/keyRings/*
.
-
page_size
# Optional limit on the number of [ImportJobs][google.cloud.kms.v1.ImportJob] to include in the response. Further [ImportJobs][google.cloud.kms.v1.ImportJob] can subsequently be obtained by including the [ListImportJobsR esponse.next_page_token][google.cloud.kms.v1.ListImportJobsR esponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.
-
page_token
# Optional pagination token, returned earlier via [ListImportJob sResponse.next_page_token][google.cloud.kms.v1.ListImportJob sResponse.next_page_token].
-
filter
# Optional. Only include resources that match the filter in the response.
-
order_by
# Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order.
-
filter
Field google.cloud.kms.v1.ListImportJobsRequest.filter
-
order_by
Field google.cloud.kms.v1.ListImportJobsRequest.order_by
-
page_size
Field google.cloud.kms.v1.ListImportJobsRequest.page_size
-
page_token
Field google.cloud.kms.v1.ListImportJobsRequest.page_token
-
parent
Field google.cloud.kms.v1.ListImportJobsRequest.parent
-
-
class
google.cloud.kms_v1.types.
ListImportJobsResponse
# Response message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
-
import_jobs
# The list of [ImportJobs][google.cloud.kms.v1.ImportJob].
-
next_page_token
# A token to retrieve next page of results. Pass this value in [ ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImp ortJobsRequest.page_token] to retrieve the next page of results.
-
total_size
# The total number of [ImportJobs][google.cloud.kms.v1.ImportJob] that matched the query.
-
import_jobs
Field google.cloud.kms.v1.ListImportJobsResponse.import_jobs
-
next_page_token
Field google.cloud.kms.v1.ListImportJobsResponse.next_page_token
-
total_size
Field google.cloud.kms.v1.ListImportJobsResponse.total_size
-
-
class
google.cloud.kms_v1.types.
ListKeyRingsRequest
# Request message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
-
parent
# Required. The resource name of the location associated with the [KeyRings][google.cloud.kms.v1.KeyRing], in the format
projects/*/locations/*
.
-
page_size
# Optional limit on the number of [KeyRings][google.cloud.kms.v1.KeyRing] to include in the response. Further [KeyRings][google.cloud.kms.v1.KeyRing] can subsequently be obtained by including the [ListKeyRingsRespons e.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse. next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.
-
page_token
# Optional pagination token, returned earlier via [ListKeyRingsR esponse.next_page_token][google.cloud.kms.v1.ListKeyRingsRes ponse.next_page_token].
-
filter
# Optional. Only include resources that match the filter in the response.
-
order_by
# Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order.
-
filter
Field google.cloud.kms.v1.ListKeyRingsRequest.filter
-
order_by
Field google.cloud.kms.v1.ListKeyRingsRequest.order_by
-
page_size
Field google.cloud.kms.v1.ListKeyRingsRequest.page_size
-
page_token
Field google.cloud.kms.v1.ListKeyRingsRequest.page_token
-
parent
Field google.cloud.kms.v1.ListKeyRingsRequest.parent
-
-
class
google.cloud.kms_v1.types.
ListKeyRingsResponse
# Response message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
-
key_rings
# The list of [KeyRings][google.cloud.kms.v1.KeyRing].
-
next_page_token
# A token to retrieve next page of results. Pass this value in [ ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRi ngsRequest.page_token] to retrieve the next page of results.
-
total_size
# The total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched the query.
-
key_rings
Field google.cloud.kms.v1.ListKeyRingsResponse.key_rings
-
next_page_token
Field google.cloud.kms.v1.ListKeyRingsResponse.next_page_token
-
total_size
Field google.cloud.kms.v1.ListKeyRingsResponse.total_size
-
-
class
google.cloud.kms_v1.types.
LocationMetadata
# Cloud KMS metadata for the given [google.cloud.location.Location][google.cloud.location.Location].
-
hsm_available
# Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with [protection_level][google.cloud.kms.v1.CryptoKeyVersionT emplate.protection_level] [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this location.
-
hsm_available
Field google.cloud.kms.v1.LocationMetadata.hsm_available
-
-
class
google.cloud.kms_v1.types.
PublicKey
# The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
-
pem
# The public key, encoded in PEM format. For more information, see the RFC 7468 sections for General Considerations and [Textual Encoding of Subject Public Key Info] (https://tools.ietf.org/html/rfc7468#section-13).
-
algorithm
# The [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKey VersionAlgorithm] associated with this key.
-
algorithm
Field google.cloud.kms.v1.PublicKey.algorithm
-
pem
Field google.cloud.kms.v1.PublicKey.pem
-
-
class
google.cloud.kms_v1.types.
RestoreCryptoKeyVersionRequest
# Request message for [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
-
name
# The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.
-
name
Field google.cloud.kms.v1.RestoreCryptoKeyVersionRequest.name
-
-
class
google.cloud.kms_v1.types.
Timestamp
# -
nanos
# Field google.protobuf.Timestamp.nanos
-
seconds
# Field google.protobuf.Timestamp.seconds
-
-
class
google.cloud.kms_v1.types.
UpdateCryptoKeyPrimaryVersionRequest
# Request message for [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
-
name
# The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
-
crypto_key_version_id
# The id of the child [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
-
crypto_key_version_id
Field google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest.crypto_key_version_id
-
name
Field google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest.name
-
-
class
google.cloud.kms_v1.types.
UpdateCryptoKeyRequest
# Request message for [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].
-
crypto_key
# [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.
-
update_mask
# Required list of fields to be updated in this request.
-
crypto_key
Field google.cloud.kms.v1.UpdateCryptoKeyRequest.crypto_key
-
update_mask
Field google.cloud.kms.v1.UpdateCryptoKeyRequest.update_mask
-
-
class
google.cloud.kms_v1.types.
UpdateCryptoKeyVersionRequest
# Request message for [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
-
crypto_key_version
# [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with updated values.
-
update_mask
# Required list of fields to be updated in this request.
-
crypto_key_version
Field google.cloud.kms.v1.UpdateCryptoKeyVersionRequest.crypto_key_version
-
update_mask
Field google.cloud.kms.v1.UpdateCryptoKeyVersionRequest.update_mask
-