Cloud Key Management Service (KMS) API

Manages keys and performs cryptographic operations in a central cloud service, for direct use by other cloud resources and applications.


The Service name is needed to create RPC client stubs.

CreateKeyHandle Creates a new KeyHandle, triggering the provisioning of a new CryptoKey for CMEK use with the given resource type in the configured key project and the same location.
GetKeyHandle Returns the KeyHandle.
ListKeyHandles Lists KeyHandles.

GetAutokeyConfig Returns the AutokeyConfig for a folder.
ShowEffectiveAutokeyConfig Returns the effective Cloud KMS Autokey configuration for a given project.
UpdateAutokeyConfig Updates the AutokeyConfig for a folder.

CreateEkmConnection Creates a new EkmConnection in a given Project and Location.
GetEkmConfig Returns the EkmConfig singleton resource for a given project and location.
GetEkmConnection Returns metadata for a given EkmConnection.
ListEkmConnections Lists EkmConnections.
UpdateEkmConfig Updates the EkmConfig singleton resource for a given project and location.
UpdateEkmConnection Updates an EkmConnection's metadata.
VerifyConnectivity Verifies that Cloud KMS can successfully connect to the external key manager specified by an EkmConnection.

AsymmetricDecrypt Decrypts data that was encrypted with a public key retrieved from GetPublicKey corresponding to a CryptoKeyVersion with CryptoKey.purpose ASYMMETRIC_DECRYPT.
AsymmetricSign Signs data using a CryptoKeyVersion with CryptoKey.purpose ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved from GetPublicKey.
CreateCryptoKey Create a new CryptoKey within a KeyRing.
CreateCryptoKeyVersion Create a new CryptoKeyVersion in a CryptoKey.
CreateImportJob Create a new ImportJob within a KeyRing.
CreateKeyRing Create a new KeyRing in a given Project and Location.
Decrypt Decrypts data that was protected by Encrypt.
DestroyCryptoKeyVersion Schedule a CryptoKeyVersion for destruction.
Encrypt Encrypts data, so that it can only be recovered by a call to Decrypt.
GenerateRandomBytes Generate random bytes using the Cloud KMS randomness source in the provided location.
GetCryptoKey Returns metadata for a given CryptoKey, as well as its primary CryptoKeyVersion.
GetCryptoKeyVersion Returns metadata for a given CryptoKeyVersion.
GetImportJob Returns metadata for a given ImportJob.
GetKeyRing Returns metadata for a given KeyRing.
GetPublicKey Returns the public key for the given CryptoKeyVersion.
ImportCryptoKeyVersion Import wrapped key material into a CryptoKeyVersion.
ListCryptoKeyVersions Lists CryptoKeyVersions.
ListCryptoKeys Lists CryptoKeys.
ListImportJobs Lists ImportJobs.
ListKeyRings Lists KeyRings.
MacSign Signs data using a CryptoKeyVersion with CryptoKey.purpose MAC, producing a tag that can be verified by another source with the same key.
MacVerify Verifies MAC tag using a CryptoKeyVersion with CryptoKey.purpose MAC, and returns a response that indicates whether or not the verification was successful.
RawDecrypt Decrypts data that was originally encrypted using a raw cryptographic mechanism.
RawEncrypt Encrypts data using portable cryptographic primitives.
RestoreCryptoKeyVersion Restore a CryptoKeyVersion in the DESTROY_SCHEDULED state.
UpdateCryptoKey Update a CryptoKey.
UpdateCryptoKeyPrimaryVersion Update the version of a CryptoKey that will be used in Encrypt.
UpdateCryptoKeyVersion Update a CryptoKeyVersion's metadata.

GetLocation Gets information about a location.
ListLocations Lists information about the supported locations for this service.


GetIamPolicy Gets the access control policy for a resource.
SetIamPolicy Sets the access control policy on the specified resource.
TestIamPermissions Returns permissions that a caller has on the specified resource.


GetOperation Gets the latest state of a long-running operation.