Types for Cloud Key Management Service (KMS) API Client#

class google.cloud.kms_v1.types.AsymmetricDecryptRequest#

Request message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].

name#

Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for decryption.

ciphertext#

Required. The data encrypted with the named [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]’s public key using OAEP.

ciphertext

Field google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext

name

Field google.cloud.kms.v1.AsymmetricDecryptRequest.name

class google.cloud.kms_v1.types.AsymmetricDecryptResponse#

Response message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].

plaintext#

The decrypted data originally encrypted with the matching public key.

plaintext

Field google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext

class google.cloud.kms_v1.types.AsymmetricSignRequest#

Request message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].

name#

Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for signing.

digest#

Required. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version’s [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].

digest

Field google.cloud.kms.v1.AsymmetricSignRequest.digest

name

Field google.cloud.kms.v1.AsymmetricSignRequest.name

class google.cloud.kms_v1.types.AsymmetricSignResponse#

Response message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].

signature#

The created signature.

signature

Field google.cloud.kms.v1.AsymmetricSignResponse.signature

class google.cloud.kms_v1.types.CreateCryptoKeyRequest#

Request message for [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].

parent#

Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey].

crypto_key_id#

Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

crypto_key#

A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field values.

skip_initial_version_creation#

If set to true, the request will create a [CryptoKey][google.cloud.kms.v1.CryptoKey] without any [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. You must manually call [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion] before you can use this [CryptoKey][google.cloud.kms.v1.CryptoKey].

crypto_key

Field google.cloud.kms.v1.CreateCryptoKeyRequest.crypto_key

crypto_key_id

Field google.cloud.kms.v1.CreateCryptoKeyRequest.crypto_key_id

parent

Field google.cloud.kms.v1.CreateCryptoKeyRequest.parent

skip_initial_version_creation

Field google.cloud.kms.v1.CreateCryptoKeyRequest.skip_initial_version_creation

class google.cloud.kms_v1.types.CreateCryptoKeyVersionRequest#

Request message for [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].

parent#

Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].

crypto_key_version#

A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with initial field values.

crypto_key_version

Field google.cloud.kms.v1.CreateCryptoKeyVersionRequest.crypto_key_version

parent

Field google.cloud.kms.v1.CreateCryptoKeyVersionRequest.parent

class google.cloud.kms_v1.types.CreateImportJobRequest#

Request message for [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].

parent#

Required. The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] associated with the [ImportJobs][google.cloud.kms.v1.ImportJob].

import_job_id#

Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

import_job#

Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field values.

import_job

Field google.cloud.kms.v1.CreateImportJobRequest.import_job

import_job_id

Field google.cloud.kms.v1.CreateImportJobRequest.import_job_id

parent

Field google.cloud.kms.v1.CreateImportJobRequest.parent

class google.cloud.kms_v1.types.CreateKeyRingRequest#

Request message for [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].

parent#

Required. The resource name of the location associated with the [KeyRings][google.cloud.kms.v1.KeyRing], in the format projects/*/locations/*.

key_ring_id#

Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}

key_ring#

A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field values.

key_ring

Field google.cloud.kms.v1.CreateKeyRingRequest.key_ring

key_ring_id

Field google.cloud.kms.v1.CreateKeyRingRequest.key_ring_id

parent

Field google.cloud.kms.v1.CreateKeyRingRequest.parent

class google.cloud.kms_v1.types.CryptoKey#

A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic operations.

A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of one or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.

name#

Output only. The resource name for this [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.

primary#

Output only. A copy of the “primary” [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this [CryptoKey][google.cloud.kms.v1.CryptoKey] is given in [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name]. The [CryptoKey][google.cloud.kms.v1.CryptoKey]’s primary version can be updated via [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]. All keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] have a primary. For other keys, this field will be omitted.

purpose#

The immutable purpose of this [CryptoKey][google.cloud.kms.v1.CryptoKey].

create_time#

Output only. The time at which this [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.

next_rotation_time#

At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time], the Key Management Service will automatically:

1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
2. Mark the new version as primary.

Key rotations performed manually via [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] and [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion] do not affect [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]. Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support automatic rotation. For other keys, this field must be omitted.

rotation_schedule#

Controls the rate of automatic rotation.

rotation_period#

[next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] will be advanced by this period when the service automatically rotates a key. Must be at least one day. If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is set, [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] must also be set. Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support automatic rotation. For other keys, this field must be omitted.

version_template#

A template describing settings for new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances. The properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances created by either [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or auto-rotation are controlled by this template.

labels#

Labels with user-defined metadata. For more information, see Labeling Keys.

class LabelsEntry#
key#

Field google.cloud.kms.v1.CryptoKey.LabelsEntry.key

value#

Field google.cloud.kms.v1.CryptoKey.LabelsEntry.value

create_time

Field google.cloud.kms.v1.CryptoKey.create_time

labels

Field google.cloud.kms.v1.CryptoKey.labels

name

Field google.cloud.kms.v1.CryptoKey.name

next_rotation_time

Field google.cloud.kms.v1.CryptoKey.next_rotation_time

primary

Field google.cloud.kms.v1.CryptoKey.primary

purpose

Field google.cloud.kms.v1.CryptoKey.purpose

rotation_period

Field google.cloud.kms.v1.CryptoKey.rotation_period

version_template

Field google.cloud.kms.v1.CryptoKey.version_template

class google.cloud.kms_v1.types.CryptoKeyVersion#

A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the associated key material.

An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

name#

Output only. The resource name for this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

state#

The current state of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].

protection_level#

Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] describing how crypto operations are performed with this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].

algorithm#

Output only. The [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] supports.

attestation#

Output only. Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level] [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].

create_time#

Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created.

generate_time#

Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]’s key material was generated.

destroy_time#

Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]’s key material is scheduled for destruction. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED].

destroy_event_time#

Output only. The time this CryptoKeyVersion’s key material was destroyed. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].

import_job#

Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob] used to import this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if the underlying key material was imported.

import_time#

Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]’s key material was imported.

import_failure_reason#

Output only. The root cause of an import failure. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED].

algorithm

Field google.cloud.kms.v1.CryptoKeyVersion.algorithm

attestation

Field google.cloud.kms.v1.CryptoKeyVersion.attestation

create_time

Field google.cloud.kms.v1.CryptoKeyVersion.create_time

destroy_event_time

Field google.cloud.kms.v1.CryptoKeyVersion.destroy_event_time

destroy_time

Field google.cloud.kms.v1.CryptoKeyVersion.destroy_time

generate_time

Field google.cloud.kms.v1.CryptoKeyVersion.generate_time

import_failure_reason

Field google.cloud.kms.v1.CryptoKeyVersion.import_failure_reason

import_job

Field google.cloud.kms.v1.CryptoKeyVersion.import_job

import_time

Field google.cloud.kms.v1.CryptoKeyVersion.import_time

name

Field google.cloud.kms.v1.CryptoKeyVersion.name

protection_level

Field google.cloud.kms.v1.CryptoKeyVersion.protection_level

state

Field google.cloud.kms.v1.CryptoKeyVersion.state

class google.cloud.kms_v1.types.CryptoKeyVersionTemplate#

A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate] specifies the properties to use when creating a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually with [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or automatically as a result of auto-rotation.

protection_level#

[ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this template. Immutable. Defaults to [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].

algorithm#

Required. [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] to use when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].

algorithm

Field google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm

protection_level

Field google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level

class google.cloud.kms_v1.types.DecryptRequest#

Request message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].

name#

Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The server will choose the appropriate version.

ciphertext#

Required. The encrypted data originally returned in [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].

additional_authenticated_data#

Optional data that must match the data originally supplied in [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].

additional_authenticated_data

Field google.cloud.kms.v1.DecryptRequest.additional_authenticated_data

ciphertext

Field google.cloud.kms.v1.DecryptRequest.ciphertext

name

Field google.cloud.kms.v1.DecryptRequest.name

class google.cloud.kms_v1.types.DecryptResponse#

Response message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].

plaintext#

The decrypted data originally supplied in [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].

plaintext

Field google.cloud.kms.v1.DecryptResponse.plaintext

class google.cloud.kms_v1.types.DestroyCryptoKeyVersionRequest#

Request message for [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].

name#

The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.

name

Field google.cloud.kms.v1.DestroyCryptoKeyVersionRequest.name

class google.cloud.kms_v1.types.Digest#

A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message digest.

digest#

Required. The message digest.

sha256#

A message digest produced with the SHA-256 algorithm.

sha384#

A message digest produced with the SHA-384 algorithm.

sha512#

A message digest produced with the SHA-512 algorithm.

sha256

Field google.cloud.kms.v1.Digest.sha256

sha384

Field google.cloud.kms.v1.Digest.sha384

sha512

Field google.cloud.kms.v1.Digest.sha512

class google.cloud.kms_v1.types.Duration#
nanos#

Field google.protobuf.Duration.nanos

seconds#

Field google.protobuf.Duration.seconds

class google.cloud.kms_v1.types.EncryptRequest#

Request message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].

name#

Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] or [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for encryption. If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].

plaintext#

Required. The data to encrypt. Must be no larger than 64KiB. The maximum size depends on the key version’s [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the plaintext must be no larger than 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.

additional_authenticated_data#

Optional data that, if specified, must also be provided during decryption through [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]. The maximum size depends on the key version’s [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the AAD must be no larger than 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.

additional_authenticated_data

Field google.cloud.kms.v1.EncryptRequest.additional_authenticated_data

name

Field google.cloud.kms.v1.EncryptRequest.name

plaintext

Field google.cloud.kms.v1.EncryptRequest.plaintext
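A client-side pre-flight check for the EncryptRequest limits described above, as an added example that is not part of the client library. The names `preflight_encrypt` and `Preflight` are hypothetical, and the pattern used for the project, location and version segments is an assumption (the page only gives a regular expression for key ring and key IDs); the server remains the authority on what it accepts.

```python
import re
from typing import List, NamedTuple, Optional

KIB = 1024

# ID pattern documented for key_ring_id and crypto_key_id.
RESOURCE_ID = r"[a-zA-Z0-9_-]{1,63}"
# Assumption: the page gives no pattern for project, location or version
# segments, so they are only required to be non-empty and free of "/" or spaces.
SEGMENT = r"[^/\s]+"

# EncryptRequest.name may be a CryptoKey or a CryptoKeyVersion resource name.
KEY_NAME = re.compile(
    rf"projects/{SEGMENT}/locations/{SEGMENT}"
    rf"/keyRings/(?P<ring>{RESOURCE_ID})/cryptoKeys/(?P<key>{RESOURCE_ID})"
    rf"(?:/cryptoKeyVersions/(?P<version>{SEGMENT}))?"
)


class Preflight(NamedTuple):
    ok: bool
    pinned_version: Optional[str]  # None means the server uses the primary version
    problems: List[str]


def preflight_encrypt(name: str, plaintext: bytes, aad: bytes = b"",
                      protection_level: str = "SOFTWARE") -> Preflight:
    """Check name format and size limits before sending an EncryptRequest."""
    problems: List[str] = []

    match = KEY_NAME.fullmatch(name)
    if match is None:
        problems.append("name is not a CryptoKey or CryptoKeyVersion resource name")

    if protection_level == "SOFTWARE":
        # SOFTWARE keys: plaintext and AAD are each limited to 64KiB.
        if len(plaintext) > 64 * KIB:
            problems.append("plaintext exceeds 64KiB for a SOFTWARE key")
        if len(aad) > 64 * KIB:
            problems.append("additional_authenticated_data exceeds 64KiB for a SOFTWARE key")
    elif protection_level == "HSM":
        # HSM keys: the limit applies to plaintext and AAD combined.
        if len(plaintext) + len(aad) > 8 * KIB:
            problems.append("plaintext + additional_authenticated_data exceeds 8KiB for an HSM key")
    else:
        problems.append(f"unhandled protection level: {protection_level!r}")

    version = match.group("version") if match else None
    return Preflight(not problems, version, problems)


if __name__ == "__main__":
    # Constructed sample name; not a real resource.
    key = "projects/example-project/locations/global/keyRings/ring-1/cryptoKeys/key_1"
    print(preflight_encrypt(key, b"x" * (6 * KIB), b"ctx" * KIB, "HSM"))
```

The `pinned_version` field makes it visible whether a caller is relying on the key's primary version or has pinned a specific CryptoKeyVersion.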

class google.cloud.kms_v1.types.EncryptResponse#

Response message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].

name#

The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in encryption.

ciphertext#

The encrypted data.

ciphertext

Field google.cloud.kms.v1.EncryptResponse.ciphertext

name

Field google.cloud.kms.v1.EncryptResponse.name

class google.cloud.kms_v1.types.FieldMask#
paths#

Field google.protobuf.FieldMask.paths

class google.cloud.kms_v1.types.GetCryptoKeyRequest#

Request message for [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].

name#

The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.

name

Field google.cloud.kms.v1.GetCryptoKeyRequest.name

class google.cloud.kms_v1.types.GetCryptoKeyVersionRequest#

Request message for [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].

name#

The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.

name

Field google.cloud.kms.v1.GetCryptoKeyVersionRequest.name

class google.cloud.kms_v1.types.GetImportJobRequest#

Request message for [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].

name#

The [name][google.cloud.kms.v1.ImportJob.name] of the [ImportJob][google.cloud.kms.v1.ImportJob] to get.

name

Field google.cloud.kms.v1.GetImportJobRequest.name

class google.cloud.kms_v1.types.GetKeyRingRequest#

Request message for [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].

name#

The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] to get.

name

Field google.cloud.kms.v1.GetKeyRingRequest.name

class google.cloud.kms_v1.types.GetPublicKeyRequest#

Request message for [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].

name#

The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get.

name

Field google.cloud.kms.v1.GetPublicKeyRequest.name

class google.cloud.kms_v1.types.ImportCryptoKeyVersionRequest#

Request message for [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].

parent#

Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to be imported into.

algorithm#

Required. The [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] of the key being imported. This does not need to match the [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] this version imports into.

import_job#

Required. The [name][google.cloud.kms.v1.ImportJob.name] of the [ImportJob][google.cloud.kms.v1.ImportJob] that was used to wrap this key material.

wrapped_key_material#

Required. The incoming wrapped key material that is to be imported.

rsa_aes_wrapped_key#

Wrapped key material produced with [RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256] or [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256]. This field contains the concatenation of two wrapped keys:

1. An ephemeral AES-256 wrapping key wrapped with the [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP with SHA-1, MGF1 with SHA-1, and an empty label.
2. The key to be imported, wrapped with the ephemeral AES-256 key using AES-KWP (RFC 5649).

This format is the same as the format produced by PKCS#11 mechanism CKM_RSA_AES_KEY_WRAP.

algorithm

Field google.cloud.kms.v1.ImportCryptoKeyVersionRequest.algorithm

import_job

Field google.cloud.kms.v1.ImportCryptoKeyVersionRequest.import_job

parent

Field google.cloud.kms.v1.ImportCryptoKeyVersionRequest.parent

rsa_aes_wrapped_key

Field google.cloud.kms.v1.ImportCryptoKeyVersionRequest.rsa_aes_wrapped_key
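The two-part rsa_aes_wrapped_key format described above, built locally with the third-party `cryptography` package. This is an added example, not code from the client library: the function names are hypothetical, and the RSA key pair generated here is a constructed stand-in for the ImportJob wrapping key, whose private half only Cloud KMS holds in real use.

```python
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import (
    aes_key_unwrap_with_padding,
    aes_key_wrap_with_padding,
)


def _oaep_sha1() -> padding.OAEP:
    # RSAES-OAEP with SHA-1, MGF1 with SHA-1, and an empty label.
    return padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA1()),
        algorithm=hashes.SHA1(),
        label=None,
    )


def wrap_for_import(public_key_pem: bytes, target_key: bytes) -> bytes:
    """Return the bytes for ImportCryptoKeyVersionRequest.rsa_aes_wrapped_key."""
    wrapping_pub = serialization.load_pem_public_key(public_key_pem)
    if not isinstance(wrapping_pub, rsa.RSAPublicKey):
        raise ValueError("wrapping key is not an RSA public key")
    if wrapping_pub.key_size not in (3072, 4096):
        # The two import methods named on the page use 3072- or 4096-bit RSA.
        raise ValueError(f"unexpected RSA modulus size: {wrapping_pub.key_size}")

    # Part 1: a fresh AES-256 key, wrapped under the ImportJob public key.
    ephemeral_aes_key = os.urandom(32)
    wrapped_ephemeral = wrapping_pub.encrypt(ephemeral_aes_key, _oaep_sha1())

    # Part 2: the key being imported, wrapped with AES-KWP (RFC 5649).
    wrapped_target = aes_key_wrap_with_padding(ephemeral_aes_key, target_key)

    return wrapped_ephemeral + wrapped_target


def unwrap_locally(private_key: rsa.RSAPrivateKey, blob: bytes) -> bytes:
    """Test-only inverse of wrap_for_import, standing in for the service side."""
    modulus_bytes = private_key.key_size // 8
    wrapped_ephemeral, wrapped_target = blob[:modulus_bytes], blob[modulus_bytes:]
    ephemeral_aes_key = private_key.decrypt(wrapped_ephemeral, _oaep_sha1())
    # Raises InvalidUnwrap if the AES-KWP integrity check fails.
    return aes_key_unwrap_with_padding(ephemeral_aes_key, wrapped_target)


def constructed_wrapping_keypair(bits: int = 3072):
    """Generate a local RSA key pair (constructed sample, not a real ImportJob key)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    public_pem = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_key, public_pem


if __name__ == "__main__":
    priv, pem = constructed_wrapping_keypair()
    key_to_import = os.urandom(32)  # constructed AES-256 key material
    blob = wrap_for_import(pem, key_to_import)
    # 384-byte RSA block + 40-byte AES-KWP output for a 32-byte key
    print(len(blob), unwrap_locally(priv, blob) == key_to_import)
```

Because the ephemeral AES key is random per call, wrapping the same key material twice yields different blobs; the ephemeral key should be discarded once the blob is built.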

class google.cloud.kms_v1.types.ImportJob#

An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material, generated outside of Cloud KMS.

When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a “wrapping key”, which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The fetched public key can then be used to wrap your pre-existing key material.

Once the key material is wrapped, it can be imported into a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key.

An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the [ImportJob][google.cloud.kms.v1.ImportJob]’s public key.

For more information, see Importing a key.

name#

Output only. The resource name for this [ImportJob][google.cloud.kms.v1.ImportJob] in the format projects/*/locations/*/keyRings/*/importJobs/*.

import_method#

Required and immutable. The wrapping method to be used for incoming key material.

protection_level#

Required and immutable. The protection level of the [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] of the [version_template][google.cloud.kms.v1.CryptoKey.version_template] on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you attempt to import into.

create_time#

Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] was created.

generate_time#

Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]’s key material was generated.

expire_time#

Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for expiration and can no longer be used to import key material.

expire_event_time#

Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob] expired. Only present if [state][google.cloud.kms.v1.ImportJob.state] is [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED].

state#

Output only. The current state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used.

public_key#

Output only. The public key with which to wrap key material prior to import. Only returned if [state][google.cloud.kms.v1.ImportJob.state] is [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE].

attestation#

Output only. Statement that was generated and signed by the key creator (for example, an HSM) at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only present if the chosen [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is one with a protection level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].

class WrappingPublicKey#

The public key component of the wrapping key. For details of the type of key this public key corresponds to, see the [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod].

pem#

The public key, encoded in PEM format. For more information, see the RFC 7468 sections for General Considerations and [Textual Encoding of Subject Public Key Info](https://tools.ietf.org/html/rfc7468#section-13).

pem

Field google.cloud.kms.v1.ImportJob.WrappingPublicKey.pem

attestation

Field google.cloud.kms.v1.ImportJob.attestation

create_time

Field google.cloud.kms.v1.ImportJob.create_time

expire_event_time

Field google.cloud.kms.v1.ImportJob.expire_event_time

expire_time

Field google.cloud.kms.v1.ImportJob.expire_time

generate_time

Field google.cloud.kms.v1.ImportJob.generate_time

import_method

Field google.cloud.kms.v1.ImportJob.import_method

name

Field google.cloud.kms.v1.ImportJob.name

protection_level

Field google.cloud.kms.v1.ImportJob.protection_level

public_key

Field google.cloud.kms.v1.ImportJob.public_key

state

Field google.cloud.kms.v1.ImportJob.state

class google.cloud.kms_v1.types.KeyOperationAttestation#

Contains an HSM-generated attestation about a key operation. For more information, see [Verifying attestations](https://cloud.google.com/kms/docs/attest-key).

format#

Output only. The format of the attestation data.

content#

Output only. The attestation data provided by the HSM when the key operation was performed.

content

Field google.cloud.kms.v1.KeyOperationAttestation.content

format

Field google.cloud.kms.v1.KeyOperationAttestation.format

class google.cloud.kms_v1.types.KeyRing#

A [KeyRing][google.cloud.kms.v1.KeyRing] is a top-level logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].

name#

Output only. The resource name for the [KeyRing][google.cloud.kms.v1.KeyRing] in the format projects/*/locations/*/keyRings/*.

create_time#

Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing] was created.

create_time

Field google.cloud.kms.v1.KeyRing.create_time

name

Field google.cloud.kms.v1.KeyRing.name

class google.cloud.kms_v1.types.ListCryptoKeyVersionsRequest#

Request message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].

parent#

Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.

page_size#

Optional limit on the number of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to include in the response. Further [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can subsequently be obtained by including the [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.

page_token#

Optional pagination token, returned earlier via [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].

view#

The fields to include in the response.

filter#

Optional. Only include resources that match the filter in the response.

order_by#

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order.

filter

Field google.cloud.kms.v1.ListCryptoKeyVersionsRequest.filter

order_by

Field google.cloud.kms.v1.ListCryptoKeyVersionsRequest.order_by

page_size

Field google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_size

page_token

Field google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token

parent

Field google.cloud.kms.v1.ListCryptoKeyVersionsRequest.parent

view

Field google.cloud.kms.v1.ListCryptoKeyVersionsRequest.view

class google.cloud.kms_v1.types.ListCryptoKeyVersionsResponse#

Response message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].

crypto_key_versions#

The list of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].

next_page_token#

A token to retrieve the next page of results. Pass this value in [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token] to retrieve the next page of results.

total_size#

The total number of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the query.

crypto_key_versions

Field google.cloud.kms.v1.ListCryptoKeyVersionsResponse.crypto_key_versions

next_page_token

Field google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token

total_size

Field google.cloud.kms.v1.ListCryptoKeyVersionsResponse.total_size

class google.cloud.kms_v1.types.ListCryptoKeysRequest#

Request message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].

parent#

Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format projects/*/locations/*/keyRings/*.

page_size#

Optional limit on the number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the response. Further [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently be obtained by including the [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.

page_token#

Optional pagination token, returned earlier via [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].

version_view#

The fields of the primary version to include in the response.

filter#

Optional. Only include resources that match the filter in the response.

order_by#

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order.

filter

Field google.cloud.kms.v1.ListCryptoKeysRequest.filter

order_by

Field google.cloud.kms.v1.ListCryptoKeysRequest.order_by

page_size

Field google.cloud.kms.v1.ListCryptoKeysRequest.page_size

page_token

Field google.cloud.kms.v1.ListCryptoKeysRequest.page_token

parent

Field google.cloud.kms.v1.ListCryptoKeysRequest.parent

version_view

Field google.cloud.kms.v1.ListCryptoKeysRequest.version_view

class google.cloud.kms_v1.types.ListCryptoKeysResponse#

Response message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].

crypto_keys#

The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey].

next_page_token#

A token to retrieve the next page of results. Pass this value in [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token] to retrieve the next page of results.

total_size#

The total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that matched the query.

crypto_keys

Field google.cloud.kms.v1.ListCryptoKeysResponse.crypto_keys

next_page_token

Field google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token

total_size

Field google.cloud.kms.v1.ListCryptoKeysResponse.total_size

class google.cloud.kms_v1.types.ListImportJobsRequest#

Request message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].

parent#

Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format projects/*/locations/*/keyRings/*.

page_size#

Optional limit on the number of [ImportJobs][google.cloud.kms.v1.ImportJob] to include in the response. Further [ImportJobs][google.cloud.kms.v1.ImportJob] can subsequently be obtained by including the [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.

page_token#

Optional pagination token, returned earlier via [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token].

filter#

Optional. Only include resources that match the filter in the response.

order_by#

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order.

filter

Field google.cloud.kms.v1.ListImportJobsRequest.filter

order_by

Field google.cloud.kms.v1.ListImportJobsRequest.order_by

page_size

Field google.cloud.kms.v1.ListImportJobsRequest.page_size

page_token

Field google.cloud.kms.v1.ListImportJobsRequest.page_token

parent

Field google.cloud.kms.v1.ListImportJobsRequest.parent

class google.cloud.kms_v1.types.ListImportJobsResponse#

Response message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].

import_jobs#

The list of [ImportJobs][google.cloud.kms.v1.ImportJob].

next_page_token#

A token to retrieve the next page of results. Pass this value in [ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImportJobsRequest.page_token] to retrieve the next page of results.

total_size#

The total number of [ImportJobs][google.cloud.kms.v1.ImportJob] that matched the query.

import_jobs

Field google.cloud.kms.v1.ListImportJobsResponse.import_jobs

next_page_token

Field google.cloud.kms.v1.ListImportJobsResponse.next_page_token

total_size

Field google.cloud.kms.v1.ListImportJobsResponse.total_size

class google.cloud.kms_v1.types.ListKeyRingsRequest#

Request message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].

parent#

Required. The resource name of the location associated with the [KeyRings][google.cloud.kms.v1.KeyRing], in the format projects/*/locations/*.

page_size#

Optional limit on the number of [KeyRings][google.cloud.kms.v1.KeyRing] to include in the response. Further [KeyRings][google.cloud.kms.v1.KeyRing] can subsequently be obtained by including the [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.

page_token#

Optional pagination token, returned earlier via [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].

filter#

Optional. Only include resources that match the filter in the response.

order_by#

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order.

filter

Field google.cloud.kms.v1.ListKeyRingsRequest.filter

order_by

Field google.cloud.kms.v1.ListKeyRingsRequest.order_by

page_size

Field google.cloud.kms.v1.ListKeyRingsRequest.page_size

page_token

Field google.cloud.kms.v1.ListKeyRingsRequest.page_token

parent

Field google.cloud.kms.v1.ListKeyRingsRequest.parent

class google.cloud.kms_v1.types.ListKeyRingsResponse#

Response message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].

key_rings#

The list of [KeyRings][google.cloud.kms.v1.KeyRing].

next_page_token#

A token to retrieve the next page of results. Pass this value in [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token] to retrieve the next page of results.

total_size#

The total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched the query.

key_rings

Field google.cloud.kms.v1.ListKeyRingsResponse.key_rings

next_page_token

Field google.cloud.kms.v1.ListKeyRingsResponse.next_page_token

total_size

Field google.cloud.kms.v1.ListKeyRingsResponse.total_size

class google.cloud.kms_v1.types.LocationMetadata#

Cloud KMS metadata for the given [google.cloud.location.Location][google.cloud.location.Location].

hsm_available#

Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this location.

hsm_available

Field google.cloud.kms.v1.LocationMetadata.hsm_available

class google.cloud.kms_v1.types.PublicKey#

The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].

pem#

The public key, encoded in PEM format. For more information, see the RFC 7468 sections for General Considerations and [Textual Encoding of Subject Public Key Info](https://tools.ietf.org/html/rfc7468#section-13).

algorithm#

The [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] associated with this key.

algorithm

Field google.cloud.kms.v1.PublicKey.algorithm

pem

Field google.cloud.kms.v1.PublicKey.pem
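
An added example, not part of the client library: a strict, standard-library check of a `pem` value against the RFC 7468 "PUBLIC KEY" encoding, plus a SHA-256 fingerprint of the DER bytes to compare with a pinned value before the key is trusted. The function names are hypothetical, `pem` is assumed to arrive as a text string, and the sample key bytes are constructed.

```python
import base64
import hashlib
import re

# RFC 7468 section 13: SubjectPublicKeyInfo is carried under the label "PUBLIC KEY".
_PEM_RE = re.compile(
    r"\A-----BEGIN PUBLIC KEY-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)\r?\n?"
    r"-----END PUBLIC KEY-----\s*\Z"
)

# Constructed sample, not a real key: a 44-byte DER blob in Ed25519 SPKI shape.
SAMPLE_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END PUBLIC KEY-----\n"
)


def spki_der_from_pem(pem: str) -> bytes:
    """Return the DER bytes of exactly one 'PUBLIC KEY' PEM block, or raise ValueError."""
    match = _PEM_RE.match(pem.strip())
    if match is None:
        raise ValueError("expected exactly one 'PUBLIC KEY' PEM block")
    # binascii.Error (a ValueError subclass) is raised on malformed base64.
    der = base64.b64decode("".join(match.group("body").split()), validate=True)
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload is not a DER SEQUENCE")
    if der[1] < 0x80:  # short-form length
        header, length = 2, der[1]
    else:  # long-form length: low 7 bits give the number of length octets
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length does not cover the whole payload")
    return der


def spki_fingerprint(pem: str) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo, as lowercase hex."""
    return hashlib.sha256(spki_der_from_pem(pem)).hexdigest()


def matches_pin(pem: str, pinned_hex: str) -> bool:
    """True when the fetched key's fingerprint equals the pinned hex value."""
    return spki_fingerprint(pem) == pinned_hex.strip().lower()
```

Hashing the decoded DER rather than the PEM text keeps the fingerprint stable across differences in line wrapping and line endings.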

class google.cloud.kms_v1.types.RestoreCryptoKeyVersionRequest#

Request message for [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].

name#

The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.

name

Field google.cloud.kms.v1.RestoreCryptoKeyVersionRequest.name

class google.cloud.kms_v1.types.Timestamp#

nanos#

Field google.protobuf.Timestamp.nanos

seconds#

Field google.protobuf.Timestamp.seconds

class google.cloud.kms_v1.types.UpdateCryptoKeyPrimaryVersionRequest#

Request message for [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].

name#

The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.

crypto_key_version_id#

The id of the child [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.

crypto_key_version_id

Field google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest.crypto_key_version_id

name

Field google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest.name

class google.cloud.kms_v1.types.UpdateCryptoKeyRequest#

Request message for [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].

crypto_key#

[CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.

update_mask#

Required list of fields to be updated in this request.

crypto_key

Field google.cloud.kms.v1.UpdateCryptoKeyRequest.crypto_key

update_mask

Field google.cloud.kms.v1.UpdateCryptoKeyRequest.update_mask

class google.cloud.kms_v1.types.UpdateCryptoKeyVersionRequest#

Request message for [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].

crypto_key_version#

[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with updated values.

update_mask#

Required list of fields to be updated in this request.

crypto_key_version

Field google.cloud.kms.v1.UpdateCryptoKeyVersionRequest.crypto_key_version

update_mask

Field google.cloud.kms.v1.UpdateCryptoKeyVersionRequest.update_mask