Class EkmConnection (2.20.0)

EkmConnection(mapping=None, *, ignore_unknown_fields=False, **kwargs)

An EkmConnection represents an individual EKM connection. It can be used for creating CryptoKeys and CryptoKeyVersions with a ProtectionLevel of EXTERNAL_VPC (CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC), as well as performing cryptographic operations using keys created within the EkmConnection.

Attributes

name (str)
    Output only. The resource name for the EkmConnection in the format projects/*/locations/*/ekmConnections/*.
create_time (google.protobuf.timestamp_pb2.Timestamp)
    Output only. The time at which the EkmConnection was created.
service_resolvers (MutableSequence[google.cloud.kms_v1.types.EkmConnection.ServiceResolver])
    A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported.
etag (str)
    Optional. Etag of the currently stored EkmConnection.
key_management_mode (google.cloud.kms_v1.types.EkmConnection.KeyManagementMode)
    Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL.
crypto_space_path (str)
    Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS.

Classes

KeyManagementMode

KeyManagementMode(value)

KeyManagementMode describes who can perform control plane cryptographic operations using this EkmConnection.

Values:

KEY_MANAGEMENT_MODE_UNSPECIFIED (0):
    Not specified.
MANUAL (1):
    EKM-side key management operations on CryptoKeys created with this EkmConnection must be initiated from the EKM directly and cannot be performed from Cloud KMS. This means that:

    -  When creating a CryptoKeyVersion associated with this EkmConnection, the caller must supply the key path of pre-existing external key material that will be linked to the CryptoKeyVersion.
    -  Destruction of external key material cannot be requested via the Cloud KMS API and must be performed directly in the EKM.
    -  Automatic rotation of key material is not supported.
CLOUD_KMS (2):
    All CryptoKeys created with this EkmConnection use EKM-side key management operations initiated from Cloud KMS. This means that:

    -  When a CryptoKeyVersion associated with this EkmConnection is created, the EKM automatically generates new key material and a new key path. The caller cannot supply the key path of pre-existing external key material.
    -  Destruction of external key material associated with this EkmConnection can be requested by calling EkmService.DestroyCryptoKeyVersion.
    -  Automatic rotation of key material is supported.
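A pre-flight check for the constraints this page states (exactly one ServiceResolver, MANUAL as the default mode, crypto_space_path required under CLOUD_KMS, the documented resource-name format), written as an added example and not part of the google-cloud-kms library. `validate_ekm_connection`, `effective_mode` and the sample values are assumed names; the mapping mirrors the keys that `EkmConnection(mapping=...)` accepts.

```python
import re
from typing import List, Optional

# Enum values as documented for EkmConnection.KeyManagementMode.
KEY_MANAGEMENT_MODE = {"KEY_MANAGEMENT_MODE_UNSPECIFIED": 0, "MANUAL": 1, "CLOUD_KMS": 2}
# Documented resource-name format: projects/*/locations/*/ekmConnections/*
NAME_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/ekmConnections/[^/]+$")


def effective_mode(mode) -> Optional[int]:
    """Resolve key_management_mode (enum name or int); unset/UNSPECIFIED defaults to MANUAL."""
    if mode is None:
        return KEY_MANAGEMENT_MODE["MANUAL"]
    if isinstance(mode, str):
        if mode not in KEY_MANAGEMENT_MODE:
            return None  # unknown enum name
        mode = KEY_MANAGEMENT_MODE[mode]
    if mode == KEY_MANAGEMENT_MODE["KEY_MANAGEMENT_MODE_UNSPECIFIED"]:
        return KEY_MANAGEMENT_MODE["MANUAL"]
    return mode if mode in KEY_MANAGEMENT_MODE.values() else None


def validate_ekm_connection(conn: dict) -> List[str]:
    """Return the problems found in an EkmConnection mapping (empty list if consistent)."""
    problems = []
    name = conn.get("name")
    # name is output only, so a create request may omit it; if present it must match the format.
    if name is not None and not NAME_RE.match(name):
        problems.append(f"name {name!r} is not of the form projects/*/locations/*/ekmConnections/*")
    resolvers = conn.get("service_resolvers") or []
    # One ServiceResolver per EKM replica, and only a single ServiceResolver is supported today.
    if len(resolvers) != 1:
        problems.append(f"expected exactly one ServiceResolver, got {len(resolvers)}")
    mode = effective_mode(conn.get("key_management_mode"))
    if mode is None:
        problems.append(f"unknown key_management_mode {conn.get('key_management_mode')!r}")
    elif mode == KEY_MANAGEMENT_MODE["CLOUD_KMS"] and not conn.get("crypto_space_path"):
        # Documented constraint: crypto_space_path is required when the mode is CLOUD_KMS.
        problems.append("crypto_space_path is required when key_management_mode is CLOUD_KMS")
    return problems


# Constructed sample (no real project): a CLOUD_KMS connection that omits crypto_space_path.
SAMPLE_CONN = {
    "name": "projects/example-project/locations/us-east1/ekmConnections/example-ekm",
    # service_directory_service is a ServiceResolver field name; the value is made up.
    "service_resolvers": [{"service_directory_service": "projects/example-project/locations/us-east1/namespaces/example-ns/services/example-ekm"}],
    "key_management_mode": "CLOUD_KMS",
}
```

Running `validate_ekm_connection(SAMPLE_CONN)` reports the missing crypto_space_path; adding that key, or switching the mode to MANUAL, yields an empty list.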

ServiceResolver

ServiceResolver(mapping=None, *, ignore_unknown_fields=False, **kwargs)

A ServiceResolver represents an EKM replica that can be reached within an EkmConnection.