API documentation for kms_v1.types module.
Classes
AsymmetricDecryptRequest
Request message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
.. attribute:: name
Required. The resource name of the CryptoKeyVersion to use for decryption.
AsymmetricDecryptResponse
Response message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
.. attribute:: plaintext
The decrypted data originally encrypted with the matching public key.
AsymmetricSignRequest
Request message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
.. attribute:: name
Required. The resource name of the CryptoKeyVersion to use for signing.
AsymmetricSignResponse
Response message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
.. attribute:: signature
The created signature.
CreateCryptoKeyRequest
Request message for [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
.. attribute:: parent
Required. The name of the KeyRing associated with the CryptoKeys.
Required. A CryptoKey with initial field values.
CreateCryptoKeyVersionRequest
Request message for [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
.. attribute:: parent
Required. The name of the CryptoKey associated with the CryptoKeyVersions.
CreateImportJobRequest
Request message for [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].
.. attribute:: parent
Required. The name of the KeyRing associated with the ImportJobs.
Required. An ImportJob with initial field values.
CreateKeyRingRequest
Request message for [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
.. attribute:: parent
Required. The resource name of the location associated with the KeyRings, in the format projects/*/locations/*.
Required. A KeyRing with initial field values.
CryptoKey
A CryptoKey represents a logical key that can be used for cryptographic operations. A CryptoKey is made up of one or more versions, which represent the actual key material used in cryptographic operations.
.. attribute:: name
Output only. The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
Immutable. The immutable purpose of this CryptoKey.
At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time], the Key Management Service will automatically:
1. Create a new version of this CryptoKey.
2. Mark the new version as primary.
Key rotations performed manually via [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] and [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion] do not affect [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]. Keys with purpose [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support automatic rotation. For other keys, this field must be omitted.
[next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is set, [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] must also be set. Keys with purpose [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support automatic rotation. For other keys, this field must be omitted.
Labels with user-defined metadata. For more information, see `Labeling Keys </kms/docs/labeling-keys>`__.
CryptoKeyVersion
A CryptoKeyVersion represents an individual cryptographic key, and the associated key material. An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
.. attribute:: name
Output only. The resource name for this CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
Output only. The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
Output only. Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level] HSM.
Output only. The time this CryptoKeyVersion's key material was generated.
Output only. The time this CryptoKeyVersion's key material was destroyed. Only present if state is [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
Output only. The time at which this CryptoKeyVersion's key material was imported.
ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level.
CryptoKeyVersionTemplate
A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate] specifies the properties to use when creating a new CryptoKeyVersion, either manually with [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or automatically as a result of auto-rotation.
.. attribute:: protection_level
ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
DecryptRequest
Request message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
.. attribute:: name
Required. The resource name of the CryptoKey to use for decryption. The server will choose the appropriate version.
Optional. Optional data that must match the data originally supplied in [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
DecryptResponse
Response message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
.. attribute:: plaintext
The decrypted data originally supplied in [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
DestroyCryptoKeyVersionRequest
Request message for [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
.. attribute:: name
Required. The resource name of the CryptoKeyVersion to destroy.
Digest
A Digest holds a cryptographic message digest.
.. attribute:: digest
Required. The message digest.
A message digest produced with the SHA-384 algorithm.
Duration
API documentation for kms_v1.types.Duration class.
EncryptRequest
Request message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
.. attribute:: name
Required. The resource name of the CryptoKey or CryptoKeyVersion to use for encryption. If a CryptoKey is specified, the server will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].
Optional. Optional data that, if specified, must also be provided during decryption through [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]. The maximum size depends on the key version's [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For SOFTWARE keys, the AAD must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.
EncryptResponse
Response message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
.. attribute:: name
The resource name of the CryptoKeyVersion used in encryption. Check this field to verify that the intended resource was used for encryption.
ExternalProtectionLevelOptions
ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level.
.. attribute:: external_key_uri
The URI for an external resource that this CryptoKeyVersion represents.
FieldMask
API documentation for kms_v1.types.FieldMask class.
GetCryptoKeyRequest
Request message for [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
.. attribute:: name
Required. The name of the CryptoKey to get.
GetCryptoKeyVersionRequest
Request message for [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
.. attribute:: name
Required. The name of the CryptoKeyVersion to get.
GetImportJobRequest
Request message for [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
.. attribute:: name
Required. The name of the ImportJob to get.
GetKeyRingRequest
Request message for [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
.. attribute:: name
Required. The name of the KeyRing to get.
GetPublicKeyRequest
Request message for [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
.. attribute:: name
Required. The name of the CryptoKeyVersion public key to get.
ImportCryptoKeyVersionRequest
Request message for [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
.. attribute:: parent
Required. The name of the CryptoKey to be imported into.
Required. The name of the ImportJob that was used to wrap this key material.
Wrapped key material produced with [RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256] or [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256]. This field contains the concatenation of two wrapped keys:
- An ephemeral AES-256 wrapping key wrapped with the [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP with SHA-1, MGF1 with SHA-1, and an empty label.
- The key to be imported, wrapped with the ephemeral AES-256 key using AES-KWP (RFC 5649).
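A structural pre-flight check for the wrapped key material described above, as an added example that is not part of the Cloud KMS client library: it splits the blob into its two wrapped keys by length before an import call is made. The function names and the sample blob are assumptions made here; the lengths follow from the RSA modulus size and from the RFC 5649 framing.

```python
import math

# An RSAES-OAEP ciphertext is exactly as long as the RSA modulus.
RSA_BLOCK_LEN = {
    "RSA_OAEP_3072_SHA1_AES_256": 3072 // 8,  # 384 bytes
    "RSA_OAEP_4096_SHA1_AES_256": 4096 // 8,  # 512 bytes
}


def kwp_len(key_len):
    """Length of the AES-KWP (RFC 5649) output for a key of key_len bytes.

    The key is padded to a multiple of 8 bytes and one 8-byte
    integrity block is prepended.
    """
    if key_len < 1:
        raise ValueError("key must be at least 1 byte")
    return 8 * math.ceil(key_len / 8) + 8


def split_wrapped_key(blob, import_method, expected_key_len=None):
    """Split wrapped key material into (wrapped_aes_key, wrapped_target_key).

    Hypothetical helper: checks lengths only, it cannot tell whether the
    ciphertexts decrypt. Raises ValueError on any structural mismatch.
    """
    try:
        rsa_len = RSA_BLOCK_LEN[import_method]
    except KeyError:
        raise ValueError(f"unsupported import method: {import_method}") from None
    wrapped_aes, wrapped_target = blob[:rsa_len], blob[rsa_len:]
    if len(wrapped_aes) != rsa_len:
        raise ValueError("blob is shorter than one RSA-OAEP block")
    if len(wrapped_target) < 16 or len(wrapped_target) % 8:
        raise ValueError("second part is not a valid AES-KWP length")
    if expected_key_len is not None and len(wrapped_target) != kwp_len(expected_key_len):
        raise ValueError("second part does not match the expected key size")
    return wrapped_aes, wrapped_target


# Constructed sample: filler bytes shaped like a 3072-bit RSA-OAEP block
# followed by a KWP-wrapped 32-byte key. Not real ciphertext.
SAMPLE_BLOB = b"\xaa" * 384 + b"\xbb" * 40

if __name__ == "__main__":
    aes_part, key_part = split_wrapped_key(
        SAMPLE_BLOB, "RSA_OAEP_3072_SHA1_AES_256", expected_key_len=32
    )
    print(len(aes_part), len(key_part))
```

Passing `expected_key_len` matters: a blob built for the 4096-bit method still splits cleanly under the 3072-bit method unless the size of the second part is checked.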
ImportJob
An ImportJob can be used to create CryptoKeys and CryptoKeyVersions using pre-existing key material, generated outside of Cloud KMS. When an ImportJob is created, Cloud KMS will generate a "wrapping key", which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation is complete, the state will be set to ACTIVE and the [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The fetched public key can then be used to wrap your pre-existing key material. Once the key material is wrapped, it can be imported into a new CryptoKeyVersion in an existing CryptoKey by calling [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. Multiple CryptoKeyVersions can be imported with a single ImportJob.
Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key. An ImportJob expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the ImportJob's public key. For more information, see `Importing a key <https://cloud.google.com/kms/docs/importing-a-key>`__.
.. attribute:: name
Output only. The resource name for this ImportJob in the format projects/*/locations/*/keyRings/*/importJobs/*.
Required. Immutable. The protection level of the ImportJob. This must match the [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] of the [version_template][google.cloud.kms.v1.CryptoKey.version_template] on the CryptoKey you attempt to import into.
Output only. The time this ImportJob's key material was generated.
Output only. The time this ImportJob expired. Only present if state is [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED].
Output only. The public key with which to wrap key material prior to import. Only returned if state is ACTIVE.
KeyOperationAttestation
Contains an HSM-generated attestation about a key operation. For more information, see Verifying attestations.
.. attribute:: format
Output only. The format of the attestation data.
KeyRing
A KeyRing is a toplevel logical grouping of CryptoKeys.
.. attribute:: name
Output only. The resource name for the KeyRing in the format projects/*/locations/*/keyRings/*.
ListCryptoKeyVersionsRequest
Request message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
.. attribute:: parent
Required. The resource name of the CryptoKey to list, in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
Optional. Optional pagination token, returned earlier via [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].
Optional. Only include resources that match the filter in the response. For more information, see `Sorting and filtering list results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
ListCryptoKeyVersionsResponse
Response message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
.. attribute:: crypto_key_versions
The list of CryptoKeyVersions.
The total number of CryptoKeyVersions that matched the query.
ListCryptoKeysRequest
Request message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
.. attribute:: parent
Required. The resource name of the KeyRing to list, in the format projects/*/locations/*/keyRings/*.
Optional. Optional pagination token, returned earlier via [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].
Optional. Only include resources that match the filter in the response. For more information, see `Sorting and filtering list results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
ListCryptoKeysResponse
Response message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
.. attribute:: crypto_keys
The list of CryptoKeys.
The total number of CryptoKeys that matched the query.
ListImportJobsRequest
Request message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
.. attribute:: parent
Required. The resource name of the KeyRing to list, in the format projects/*/locations/*/keyRings/*.
Optional. Optional pagination token, returned earlier via [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token].
Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see `Sorting and filtering list results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
ListImportJobsResponse
Response message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
.. attribute:: import_jobs
The list of ImportJobs.
The total number of ImportJobs that matched the query.
ListKeyRingsRequest
Request message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
.. attribute:: parent
Required. The resource name of the location associated with the KeyRings, in the format projects/*/locations/*.
Optional. Optional pagination token, returned earlier via [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].
Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see `Sorting and filtering list results <https://cloud.google.com/kms/docs/sorting-and-filtering>`__.
ListKeyRingsResponse
Response message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
.. attribute:: key_rings
The list of KeyRings.
The total number of KeyRings that matched the query.
LocationMetadata
Cloud KMS metadata for the given google.cloud.location.Location.
.. attribute:: hsm_available
Indicates whether CryptoKeys with [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] HSM can be created in this location.
PublicKey
The public key for a given CryptoKeyVersion. Obtained via GetPublicKey.
.. attribute:: pem
The public key, encoded in PEM format. For more information, see the `RFC 7468 <https://tools.ietf.org/html/rfc7468>`__ sections for `General Considerations <https://tools.ietf.org/html/rfc7468#section-2>`__ and Textual Encoding of Subject Public Key Info.
RestoreCryptoKeyVersionRequest
Request message for [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
.. attribute:: name
Required. The resource name of the CryptoKeyVersion to restore.
Timestamp
API documentation for kms_v1.types.Timestamp class.
UpdateCryptoKeyPrimaryVersionRequest
Request message for [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
.. attribute:: name
Required. The resource name of the CryptoKey to update.
UpdateCryptoKeyRequest
Request message for [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].
.. attribute:: crypto_key
Required. CryptoKey with updated values.
UpdateCryptoKeyVersionRequest
Request message for [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
.. attribute:: crypto_key_version
Required. CryptoKeyVersion with updated values.