View keys by project

This page shows you how to view key rings and keys in your Google Cloud project resource.

Before you begin

Before you can view key rings and keys, complete the setup steps described in this section.

Enable APIs

To view key rings and keys using an API, enable the Cloud KMS Inventory API.

Enable the API

Required roles

To get the permissions that you need to view keys, ask your administrator to grant you the Cloud KMS Viewer (roles/cloudkms.viewer) IAM role on your project. For more information about granting roles, see Manage access.

This predefined role contains the permissions required to view keys. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to view keys:

  • cloudkms.keyRings.list
  • cloudkms.cryptoKeys.list
  • cloudkms.locations.list
  • resourcemanager.projects.get

You might also be able to get these permissions with custom roles or other predefined roles.

View key rings

Console

  1. In the Google Cloud console, go to the Key Rings page.

    Go to Key Rings

  2. Optional: To filter your list of key rings, enter your search terms in the Filter box and then press Enter.

  3. Optional: To sort the list by the values in a column, click the column heading.

While viewing your key rings, you can select a key ring to view details about the associated keys and import jobs.

View keys

Use the Google Cloud console to view the keys created in your project resource.

Console

  1. In the Google Cloud console, go to the Key Inventory page.

    Go to Key Inventory

  2. Optional: To filter your list of keys, enter your search terms in the Filter box and then press Enter.

  3. Optional: To sort the list by the values in a column, click the column heading.

gcloud CLI

To use Cloud KMS on the command line, first install or upgrade to the latest version of Google Cloud CLI.

gcloud kms inventory list-keys --project PROJECT_ID

Replace PROJECT_ID with the name of the project for which you want to view the list of keys.

For information on all flags and possible values, run the command with the --help flag.

API

These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.

curl "https://kmsinventory.googleapis.com/v1/projects/PROJECT_ID/cryptoKeys" \
    --request "GET" \
    --header "x-goog-user-project: CALLING_PROJECT_ID" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer TOKEN"

Replace the following:

  • PROJECT_ID: the ID of the project that contains the key ring.
  • CALLING_PROJECT_ID: the ID of the project from which you are calling the KMS Inventory API.

While viewing your keys, you can select a key to view details about the key, including its associated key versions.

Key details

The key inventory provides comprehensive information about the cryptographic keys in your project. Properties in the key inventory include the following:

  • Key name: The name of the key.
  • Status: The current key status based on the state of the primary key version. This field applies to symmetric keys only.
    • Available: The primary key version is enabled. The key is available for use to encrypt and decrypt data.
    • Not available: The primary key version is disabled or empty. The key isn't available for use to encrypt data.
    • Available in GCP: For externally managed keys, the key (not necessarily the externally managed key itself) is available for use.
  • Key ring: Name of the parent key ring.
  • Location: Location where key material resides.
  • Current rotation: The date and time the key was last rotated. This field shows when the current key version was created.
  • Rotation frequency: The current rotation frequency of the key.
  • Next rotation: The date of the next scheduled key rotation. A new key version will be created automatically on this date.
  • Protection level: The protection level of the key, for example, HSM or Software.
  • EKM via VPC connection: For external keys accessed over VPC, the name of the EKM via VPC connection that the key uses. This field is hidden by default and is blank for keys with protection levels other than External via VPC.
  • Purpose: The scenario in which the key may be used.
  • Labels: Labels applied on the key.
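
The properties above can be derived from the JSON that the API request returns. The following Python is an added example, not part of the original page or Google's code: it maps each key in a cryptoKeys list response onto those properties and flags symmetric keys that are unavailable or have no scheduled rotation. The sample response, the field-to-property mapping, and the names inventory_row, needs_review and ROWS are assumptions made for illustration; the "Available in GCP" status for external keys is not reproduced.

```python
import json

# Constructed sample of a cryptoKeys list response (not real project data).
SAMPLE_RESPONSE = json.loads("""
{"cryptoKeys": [
  {"name": "projects/example-project/locations/us-east1/keyRings/app-ring/cryptoKeys/db-key",
   "purpose": "ENCRYPT_DECRYPT",
   "primary": {"state": "ENABLED", "protectionLevel": "HSM",
               "createTime": "2024-01-10T00:00:00Z"},
   "rotationPeriod": "7776000s",
   "nextRotationTime": "2024-04-09T00:00:00Z",
   "labels": {"env": "prod"}},
  {"name": "projects/example-project/locations/global/keyRings/legacy/cryptoKeys/old-key",
   "purpose": "ENCRYPT_DECRYPT",
   "primary": {"state": "DISABLED", "protectionLevel": "SOFTWARE",
               "createTime": "2021-06-01T00:00:00Z"}},
  {"name": "projects/example-project/locations/global/keyRings/legacy/cryptoKeys/signer",
   "purpose": "ASYMMETRIC_SIGN",
   "versionTemplate": {"protectionLevel": "SOFTWARE"}}
]}
""")


def inventory_row(key):
    """Map one CryptoKey resource onto the inventory properties (assumed mapping)."""
    parts = key["name"].split("/")  # projects/P/locations/L/keyRings/R/cryptoKeys/K
    primary = key.get("primary") or {}
    status = None  # Status applies to symmetric keys only
    if key.get("purpose") == "ENCRYPT_DECRYPT":
        status = "Available" if primary.get("state") == "ENABLED" else "Not available"
    level = (primary.get("protectionLevel")
             or key.get("versionTemplate", {}).get("protectionLevel"))
    period = key.get("rotationPeriod")  # duration string such as "7776000s"
    return {
        "key_name": parts[7], "key_ring": parts[5], "location": parts[3],
        "status": status, "protection_level": level,
        "current_rotation": primary.get("createTime"),
        "rotation_days": int(float(period.rstrip("s"))) // 86400 if period else None,
        "next_rotation": key.get("nextRotationTime"),
        "purpose": key.get("purpose"), "labels": key.get("labels", {}),
    }


def needs_review(rows):
    """Symmetric keys that are unavailable or have no scheduled rotation."""
    return [r["key_name"] for r in rows
            if r["status"] == "Not available"
            or (r["status"] and r["next_rotation"] is None)]


ROWS = [inventory_row(k) for k in SAMPLE_RESPONSE.get("cryptoKeys", [])]
```

To run it against your own project, save the API response to a file and load that file in place of SAMPLE_RESPONSE.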

Limitations

  • The Key ring tab can display at most 1,000 resources (including key rings, keys, and key versions) per location. To view key rings for a project and location with more than 1,000 resources, use the keyRings.list API.

  • The Key inventory tab can display at most 20,000 resources (including key rings, keys, and key versions) per project. To view keys for a project with more than 20,000 resources, use the keyRings.cryptoKeys.list API.