Module types (1.3.0)

API documentation for kms_v1.types module.

Request message for KeyManagementService.AsymmetricDecrypt.

Required. The data encrypted with the named CryptoKeyVersion's public key using OAEP.

Response message for KeyManagementService.AsymmetricDecrypt.

Request message for KeyManagementService.AsymmetricSign.

Required. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version's algorithm.

Response message for KeyManagementService.AsymmetricSign.

Request message for KeyManagementService.CreateCryptoKey.

Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call [CreateCryptoKeyVersion][google.cloud.kms.v 1.KeyManagementService.CreateCryptoKeyVersion] or [ImportCrypt oKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCr yptoKeyVersion] before you can use this CryptoKey.

Request message for KeyManagementService.CreateCryptoKeyVersion.

Required. A CryptoKeyVersion with initial field values.

Request message for KeyManagementService.CreateImportJob.

Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

Request message for KeyManagementService.CreateKeyRing.

Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}

A CryptoKey represents a logical key that can be used for cryptographic operations.

A CryptoKey is made up of one or more versions, which represent the actual key material used in cryptographic operations.

Output only. A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.na me]. The CryptoKey's primary version can be updated via [UpdateCryptoKeyPrimaryVersion][goo gle.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVe rsion]. Keys with purpose [ENCRYPT_DEC RYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_ DECRYPT] may have a primary. For other keys, this field will be omitted.

Output only. The time at which this CryptoKey was created.

Controls the rate of automatic rotation.

A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either [CreateCryptoKeyVersion][google.cl oud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or auto-rotation are controlled by this template.

A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.

An ENABLED version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

The current state of the CryptoKeyVersion.

Output only. The [CryptoKeyVersionAlgorithm][google.cloud.kms. v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] that this CryptoKeyVersion supports.

Output only. The time at which this CryptoKeyVersion was created.

Output only. The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is [DESTRO Y_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVe rsionState.DESTROY_SCHEDULED].

Output only. The name of the ImportJob used to import this CryptoKeyVersion. Only present if the underlying key material was imported.

Output only. The root cause of an import failure. Only present if state is [IMP ORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVer sionState.IMPORT_FAILED].

A CryptoKeyVersionTemplate specifies the properties to use when creating a new CryptoKeyVersion, either manually with CreateCryptoKeyVersion or automatically as a result of auto-rotation.

Required. [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.Cry ptoKeyVersionAlgorithm] to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurp ose.ENCRYPT_DECRYPT].

Request message for KeyManagementService.Decrypt.

Required. The encrypted data originally returned in [EncryptRe sponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphert ext].

Response message for KeyManagementService.Decrypt.

Request message for KeyManagementService.DestroyCryptoKeyVersion.

A Digest holds a cryptographic message digest.

A message digest produced with the SHA-256 algorithm.

A message digest produced with the SHA-512 algorithm.

API documentation for kms_v1.types.Duration class.

Request message for KeyManagementService.Encrypt.

Required. The data to encrypt. Must be no larger than 64KiB. The maximum size depends on the key version's [protection_lev el][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_l evel]. For SOFTWARE keys, the plaintext must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.

Response message for KeyManagementService.Encrypt.

The encrypted data.

API documentation for kms_v1.types.FieldMask class.

Request message for KeyManagementService.GetCryptoKey.

Request message for KeyManagementService.GetCryptoKeyVersion.

Request message for KeyManagementService.GetImportJob.

Request message for KeyManagementService.GetKeyRing.

Request message for KeyManagementService.GetPublicKey.

Request message for KeyManagementService.ImportCryptoKeyVersion.

Required. The [algorithm][google.cloud.kms.v1.CryptoKeyVersion .CryptoKeyVersionAlgorithm] of the key being imported. This does not need to match the [version_template][google.cloud.km s.v1.CryptoKey.version_template] of the CryptoKey this version imports into.

Required. The incoming wrapped key material that is to be imported.

An ImportJob can be used to create CryptoKeys and CryptoKeyVersions using pre-existing key material, generated outside of Cloud KMS.

When an ImportJob is created, Cloud KMS will generate a "wrapping key", which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation is complete, the state will be set to ACTIVE and the [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The fetched public key can then be used to wrap your pre-existing key material.

Once the key material is wrapped, it can be imported into a new CryptoKeyVersion in an existing CryptoKey by calling ImportCryptoKeyVersion. Multiple CryptoKeyVersions can be imported with a single ImportJob. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key.

An ImportJob expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the ImportJob's public key.

For more information, see Importing a key <https://cloud.google.com/kms/docs/importing-a-key>__.

Required. Immutable. The wrapping method to be used for incoming key material.

Output only. The time at which this ImportJob was created.

Output only. The time at which this ImportJob is scheduled for expiration and can no longer be used to import key material.

Output only. The current state of the ImportJob, indicating if it can be used.

Output only. Statement that was generated and signed by the key creator (for example, an HSM) at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only present if the chosen ImportMethod is one with a protection level of HSM.

Contains an HSM-generated attestation about a key operation. For more information, see Verifying attestations.

Output only. The attestation data provided by the HSM when the key operation was performed.

A KeyRing is a toplevel logical grouping of CryptoKeys.

Output only. The time at which this KeyRing was created.

Request message for KeyManagementService.ListCryptoKeyVersions.

Optional. Optional limit on the number of CryptoKeyVersions to include in the response. Further CryptoKeyVersions can subsequently be obtained by including the [ListCryptoKeyVersio nsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKe yVersionsResponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.

The fields to include in the response.

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see Sorting and filtering list results <https://cloud.google.com/kms/docs/sorting-and-filtering>__.

Response message for KeyManagementService.ListCryptoKeyVersions.

A token to retrieve next page of results. Pass this value in [ ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1. ListCryptoKeyVersionsRequest.page_token] to retrieve the next page of results.

Request message for KeyManagementService.ListCryptoKeys.

Optional. Optional limit on the number of CryptoKeys to include in the response. Further CryptoKeys can subsequently be obtained by including the [ListCryptoKeysR esponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysR esponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.

The fields of the primary version to include in the response.

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see Sorting and filtering list results <https://cloud.google.com/kms/docs/sorting-and-filtering>__.

Response message for KeyManagementService.ListCryptoKeys.

A token to retrieve next page of results. Pass this value in [ ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCry ptoKeysRequest.page_token] to retrieve the next page of results.

Request message for KeyManagementService.ListImportJobs.

Optional. Optional limit on the number of ImportJobs to include in the response. Further ImportJobs can subsequently be obtained by including the [ListImportJobsR esponse.next_page_token][google.cloud.kms.v1.ListImportJobsR esponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.

Optional. Only include resources that match the filter in the response. For more information, see Sorting and filtering list results <https://cloud.google.com/kms/docs/sorting-and- filtering>__.

Response message for KeyManagementService.ListImportJobs.

A token to retrieve next page of results. Pass this value in [ ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImp ortJobsRequest.page_token] to retrieve the next page of results.

Request message for KeyManagementService.ListKeyRings.

Optional. Optional limit on the number of KeyRings to include in the response. Further KeyRings can subsequently be obtained by including the [ListKeyRingsRespons e.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse. next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.

Optional. Only include resources that match the filter in the response. For more information, see Sorting and filtering list results <https://cloud.google.com/kms/docs/sorting-and- filtering>__.

Response message for KeyManagementService.ListKeyRings.

A token to retrieve next page of results. Pass this value in [ ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRi ngsRequest.page_token] to retrieve the next page of results.

Cloud KMS metadata for the given google.cloud.location.Location.

The public key for a given CryptoKeyVersion. Obtained via GetPublicKey.

The [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKey VersionAlgorithm] associated with this key.

Request message for KeyManagementService.RestoreCryptoKeyVersion.

API documentation for kms_v1.types.Timestamp class.

Request message for KeyManagementService.UpdateCryptoKeyPrimaryVersion.

Required. The id of the child CryptoKeyVersion to use as primary.

Request message for KeyManagementService.UpdateCryptoKey.

Required. List of fields to be updated in this request.

Request message for KeyManagementService.UpdateCryptoKeyVersion.

Required. List of fields to be updated in this request.