Class KeyManagementServiceClient (2.5.0)

KeyManagementServiceClient(*, credentials: Optional[google.auth.credentials.Credentials] = None, transport: Optional[Union[str, google.cloud.kms_v1.services.key_management_service.transports.base.KeyManagementServiceTransport]] = None, client_options: Optional[google.api_core.client_options.ClientOptions] = None, client_info: google.api_core.gapic_v1.client_info.ClientInfo = <google.api_core.gapic_v1.client_info.ClientInfo object>)

Google Cloud Key Management Service

Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:

KeyRing
CryptoKey
CryptoKeyVersion
ImportJob

If you are using manual gRPC libraries, see Using gRPC with Cloud KMS <https://cloud.google.com/kms/docs/grpc>__.

Properties

transport

Returns the transport used by the client instance.

Returns

Type	Description
`KeyManagementServiceTransport`	The transport used by the client instance.

Methods

KeyManagementServiceClient

KeyManagementServiceClient(*, credentials: Optional[google.auth.credentials.Credentials] = None, transport: Optional[Union[str, google.cloud.kms_v1.services.key_management_service.transports.base.KeyManagementServiceTransport]] = None, client_options: Optional[google.api_core.client_options.ClientOptions] = None, client_info: google.api_core.gapic_v1.client_info.ClientInfo = <google.api_core.gapic_v1.client_info.ClientInfo object>)

Instantiates the key management service client.

Parameters

Name	Description
`credentials`	`Optional[google.auth.credentials.Credentials]` The authorization credentials to attach to requests. These credentials identify the application to the service; if none are specified, the client will attempt to ascertain the credentials from the environment.
`transport`	`Union[str, KeyManagementServiceTransport]` The transport to use. If set to None, a transport is chosen automatically.
`client_options`	`google.api_core.client_options.ClientOptions` Custom options for the client. It won't take effect if a `transport` instance is provided. (1) The `api_endpoint` property can be used to override the default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT environment variable can also be used to override the endpoint: "always" (always use the default mTLS endpoint), "never" (always use the default regular endpoint) and "auto" (auto switch to the default mTLS endpoint if client certificate is present, this is the default value). However, the `api_endpoint` property takes precedence if provided. (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is "true", then the `client_cert_source` property can be used to provide client certificate for mutual TLS transport. If not provided, the default SSL client certificate will be used if present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not set, no client certificate will be used.
`client_info`	`google.api_core.gapic_v1.client_info.ClientInfo` The client info used to send a user-agent string along with API requests. If `None`, then default info will be used. Generally, you only need to set this if you're developing your own client library.

Exceptions

Type	Description
`google.auth.exceptions.MutualTLSChannelError`	If mutual TLS transport creation failed for any reason.

asymmetric_decrypt

asymmetric_decrypt(request: Optional[google.cloud.kms_v1.types.service.AsymmetricDecryptRequest] = None, *, name: Optional[str] = None, ciphertext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Decrypts data that was encrypted with a public key retrieved from xref_GetPublicKey corresponding to a xref_CryptoKeyVersion with xref_CryptoKey.purpose ASYMMETRIC_DECRYPT.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.AsymmetricDecryptRequest` The request object. Request message for KeyManagementService.AsymmetricDecrypt.
`name`	`str` Required. The resource name of the CryptoKeyVersion to use for decryption. This corresponds to the `name` field on the `request` instance; if `request` is provided, this should not be set.
`ciphertext`	`bytes` Required. The data encrypted with the named CryptoKeyVersion's public key using OAEP. This corresponds to the `ciphertext` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.AsymmetricDecryptResponse`	Response message for KeyManagementService.AsymmetricDecrypt.

asymmetric_sign

asymmetric_sign(request: Optional[google.cloud.kms_v1.types.service.AsymmetricSignRequest] = None, *, name: Optional[str] = None, digest: Optional[google.cloud.kms_v1.types.service.Digest] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Signs data using a xref_CryptoKeyVersion with xref_CryptoKey.purpose ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved from xref_GetPublicKey.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.AsymmetricSignRequest` The request object. Request message for KeyManagementService.AsymmetricSign.
`name`	`str` Required. The resource name of the CryptoKeyVersion to use for signing. This corresponds to the `name` field on the `request` instance; if `request` is provided, this should not be set.
`digest`	`google.cloud.kms_v1.types.Digest` Required. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version's algorithm. This corresponds to the `digest` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.AsymmetricSignResponse`	Response message for KeyManagementService.AsymmetricSign.

common_billing_account_path

common_billing_account_path(billing_account: str)

Returns a fully-qualified billing_account string.

common_folder_path

common_folder_path(folder: str)

Returns a fully-qualified folder string.

common_location_path

common_location_path(project: str, location: str)

Returns a fully-qualified location string.

common_organization_path

common_organization_path(organization: str)

Returns a fully-qualified organization string.

common_project_path

common_project_path(project: str)

Returns a fully-qualified project string.

create_crypto_key

create_crypto_key(request: Optional[google.cloud.kms_v1.types.service.CreateCryptoKeyRequest] = None, *, parent: Optional[str] = None, crypto_key_id: Optional[str] = None, crypto_key: Optional[google.cloud.kms_v1.types.resources.CryptoKey] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Create a new xref_CryptoKey within a xref_KeyRing.

xref_CryptoKey.purpose and xref_CryptoKey.version_template.algorithm are required.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.CreateCryptoKeyRequest` The request object. Request message for KeyManagementService.CreateCryptoKey.
`parent`	`str` Required. The name of the KeyRing associated with the CryptoKeys. This corresponds to the `parent` field on the `request` instance; if `request` is provided, this should not be set.
`crypto_key_id`	`str` Required. It must be unique within a KeyRing and match the regular expression `[a-zA-Z0-9_-]{1,63}` This corresponds to the `crypto_key_id` field on the `request` instance; if `request` is provided, this should not be set.
`crypto_key`	`google.cloud.kms_v1.types.CryptoKey` Required. A CryptoKey with initial field values. This corresponds to the `crypto_key` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.CryptoKey`	A CryptoKey represents a logical key that can be used for cryptographic operations. A CryptoKey is made up of zero or more versions, which represent the actual key material used in cryptographic operations.

create_crypto_key_version

create_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.CreateCryptoKeyVersionRequest] = None, *, parent: Optional[str] = None, crypto_key_version: Optional[google.cloud.kms_v1.types.resources.CryptoKeyVersion] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Create a new xref_CryptoKeyVersion in a xref_CryptoKey.

The server will assign the next sequential id. If unset, xref_state will be set to xref_ENABLED.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.CreateCryptoKeyVersionRequest` The request object. Request message for KeyManagementService.CreateCryptoKeyVersion.
`parent`	`str` Required. The name of the CryptoKey associated with the CryptoKeyVersions. This corresponds to the `parent` field on the `request` instance; if `request` is provided, this should not be set.
`crypto_key_version`	`google.cloud.kms_v1.types.CryptoKeyVersion` Required. A CryptoKeyVersion with initial field values. This corresponds to the `crypto_key_version` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.CryptoKeyVersion`	A CryptoKeyVersion represents an individual cryptographic key, and the associated key material. An ENABLED version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

create_import_job

create_import_job(request: Optional[google.cloud.kms_v1.types.service.CreateImportJobRequest] = None, *, parent: Optional[str] = None, import_job_id: Optional[str] = None, import_job: Optional[google.cloud.kms_v1.types.resources.ImportJob] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Create a new xref_ImportJob within a xref_KeyRing.

xref_ImportJob.import_method is required.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.CreateImportJobRequest` The request object. Request message for KeyManagementService.CreateImportJob.
`parent`	`str` Required. The name of the KeyRing associated with the ImportJobs. This corresponds to the `parent` field on the `request` instance; if `request` is provided, this should not be set.
`import_job_id`	`str` Required. It must be unique within a KeyRing and match the regular expression `[a-zA-Z0-9_-]{1,63}` This corresponds to the `import_job_id` field on the `request` instance; if `request` is provided, this should not be set.
`import_job`	`google.cloud.kms_v1.types.ImportJob` Required. An ImportJob with initial field values. This corresponds to the `import_job` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type Description

google.cloud.kms_v1.types.ImportJob An ImportJob can be used to create CryptoKeys and CryptoKeyVersions using pre-existing key material, generated outside of Cloud KMS. When an ImportJob is created, Cloud KMS will generate a "wrapping key", which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of import_method. When the wrapping key generation is complete, the state will be set to ACTIVE and the public_key can be fetched. The fetched public key can then be used to wrap your pre-existing key material. Once the key material is wrapped, it can be imported into a new CryptoKeyVersion in an existing CryptoKey by calling ImportCryptoKeyVersion. Multiple CryptoKeyVersions can be imported with a single ImportJob. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key. An ImportJob expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the ImportJob's public key. For more information, see [Importing a key](\ https://cloud.google.com/kms/docs/importing-a-key).

create_key_ring

create_key_ring(request: Optional[google.cloud.kms_v1.types.service.CreateKeyRingRequest] = None, *, parent: Optional[str] = None, key_ring_id: Optional[str] = None, key_ring: Optional[google.cloud.kms_v1.types.resources.KeyRing] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Create a new xref_KeyRing in a given Project and Location.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.CreateKeyRingRequest` The request object. Request message for KeyManagementService.CreateKeyRing.
`parent`	`str` Required. The resource name of the location associated with the KeyRings, in the format `projects//locations/`. This corresponds to the `parent` field on the `request` instance; if `request` is provided, this should not be set.
`key_ring_id`	`str` Required. It must be unique within a location and match the regular expression `[a-zA-Z0-9_-]{1,63}` This corresponds to the `key_ring_id` field on the `request` instance; if `request` is provided, this should not be set.
`key_ring`	`google.cloud.kms_v1.types.KeyRing` Required. A KeyRing with initial field values. This corresponds to the `key_ring` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.KeyRing`	A KeyRing is a toplevel logical grouping of CryptoKeys.

crypto_key_path

crypto_key_path(project: str, location: str, key_ring: str, crypto_key: str)

Returns a fully-qualified crypto_key string.

crypto_key_version_path

crypto_key_version_path(
    project: str, location: str, key_ring: str, crypto_key: str, crypto_key_version: str
)

Returns a fully-qualified crypto_key_version string.

decrypt

decrypt(request: Optional[google.cloud.kms_v1.types.service.DecryptRequest] = None, *, name: Optional[str] = None, ciphertext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Decrypts data that was protected by xref_Encrypt. The xref_CryptoKey.purpose must be xref_ENCRYPT_DECRYPT.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.DecryptRequest` The request object. Request message for KeyManagementService.Decrypt.
`name`	`str` Required. The resource name of the CryptoKey to use for decryption. The server will choose the appropriate version. This corresponds to the `name` field on the `request` instance; if `request` is provided, this should not be set.
`ciphertext`	`bytes` Required. The encrypted data originally returned in EncryptResponse.ciphertext. This corresponds to the `ciphertext` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.DecryptResponse`	Response message for KeyManagementService.Decrypt.

destroy_crypto_key_version

destroy_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.DestroyCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Schedule a xref_CryptoKeyVersion for destruction.

Upon calling this method, xref_CryptoKeyVersion.state will be set to xref_DESTROY_SCHEDULED and xref_destroy_time will be set to a time 24 hours in the future, at which point the xref_state will be changed to xref_DESTROYED, and the key material will be irrevocably destroyed.

Before the xref_destroy_time is reached, xref_RestoreCryptoKeyVersion may be called to reverse the process.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.DestroyCryptoKeyVersionRequest` The request object. Request message for KeyManagementService.DestroyCryptoKeyVersion.
`name`	`str` Required. The resource name of the CryptoKeyVersion to destroy. This corresponds to the `name` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.CryptoKeyVersion`	A CryptoKeyVersion represents an individual cryptographic key, and the associated key material. An ENABLED version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

encrypt

encrypt(request: Optional[google.cloud.kms_v1.types.service.EncryptRequest] = None, *, name: Optional[str] = None, plaintext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Encrypts data, so that it can only be recovered by a call to xref_Decrypt. The xref_CryptoKey.purpose must be xref_ENCRYPT_DECRYPT.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.EncryptRequest` The request object. Request message for KeyManagementService.Encrypt.
`name`	`str` Required. The resource name of the CryptoKey or CryptoKeyVersion to use for encryption. If a CryptoKey is specified, the server will use its [primary version][google.cloud.kms.v1.CryptoKey.primary]. This corresponds to the `name` field on the `request` instance; if `request` is provided, this should not be set.
`plaintext`	`bytes` Required. The data to encrypt. Must be no larger than 64KiB. The maximum size depends on the key version's protection_level. For SOFTWARE keys, the plaintext must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB. This corresponds to the `plaintext` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.EncryptResponse`	Response message for KeyManagementService.Encrypt.

from_service_account_file

from_service_account_file(filename: str, *args, **kwargs)

Creates an instance of this client using the provided credentials file.

Parameter

Name	Description
`filename`	`str` The path to the service account private key json file.

Returns

Type	Description
`KeyManagementServiceClient`	The constructed client.

from_service_account_info

from_service_account_info(info: dict, *args, **kwargs)

Creates an instance of this client using the provided credentials info.

Parameter

Name	Description
`info`	`dict` The service account private key info.

Returns

Type	Description
`KeyManagementServiceClient`	The constructed client.

from_service_account_json

from_service_account_json(filename: str, *args, **kwargs)

Creates an instance of this client using the provided credentials file.

Parameter

Name	Description
`filename`	`str` The path to the service account private key json file.

Returns

Type	Description
`KeyManagementServiceClient`	The constructed client.

generate_random_bytes

generate_random_bytes(request: Optional[google.cloud.kms_v1.types.service.GenerateRandomBytesRequest] = None, *, location: Optional[str] = None, length_bytes: Optional[int] = None, protection_level: Optional[google.cloud.kms_v1.types.resources.ProtectionLevel] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Generate random bytes using the Cloud KMS randomness source in the provided location.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.GenerateRandomBytesRequest` The request object. Request message for KeyManagementService.GenerateRandomBytes.
`location`	`str` The project-specific location in which to generate random bytes. For example, "projects/my- project/locations/us-central1". This corresponds to the `location` field on the `request` instance; if `request` is provided, this should not be set.
`length_bytes`	`int` The length in bytes of the amount of randomness to retrieve. Minimum 8 bytes, maximum 1024 bytes. This corresponds to the `length_bytes` field on the `request` instance; if `request` is provided, this should not be set.
`protection_level`	`google.cloud.kms_v1.types.ProtectionLevel` The ProtectionLevel to use when generating the random data. Defaults to SOFTWARE. This corresponds to the `protection_level` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.GenerateRandomBytesResponse`	Response message for KeyManagementService.GenerateRandomBytes.

get_crypto_key

get_crypto_key(request: Optional[google.cloud.kms_v1.types.service.GetCryptoKeyRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Returns metadata for a given xref_CryptoKey, as well as its xref_primary xref_CryptoKeyVersion.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.GetCryptoKeyRequest` The request object. Request message for KeyManagementService.GetCryptoKey.
`name`	`str` Required. The name of the CryptoKey to get. This corresponds to the `name` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.CryptoKey`	A CryptoKey represents a logical key that can be used for cryptographic operations. A CryptoKey is made up of zero or more versions, which represent the actual key material used in cryptographic operations.

get_crypto_key_version

get_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.GetCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Returns metadata for a given xref_CryptoKeyVersion.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.GetCryptoKeyVersionRequest` The request object. Request message for KeyManagementService.GetCryptoKeyVersion.
`name`	`str` Required. The name of the CryptoKeyVersion to get. This corresponds to the `name` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.CryptoKeyVersion`	A CryptoKeyVersion represents an individual cryptographic key, and the associated key material. An ENABLED version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

get_iam_policy

get_iam_policy(request: Optional[google.iam.v1.iam_policy_pb2.GetIamPolicyRequest] = None, *, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Gets the IAM access control policy for a function.

Returns an empty policy if the function exists and does not have a policy set.

Parameters

Name	Description
`request`	`.iam_policy_pb2.GetIamPolicyRequest` The request object. Request message for `GetIamPolicy` method.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type Description

.policy_pb2.Policy Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. A Policy is a collection of bindings. A binding binds one or more members to a single role. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions (defined by IAM or configured by users). A binding can optionally specify a condition, which is a logic expression that further constrains the role binding based on attributes about the request and/or target resource. **JSON Example**:: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01t00:00:00.000z')",="" }="" }="" ]="" }="" **yaml="" example**::="" bindings:="" -="" members:="" -="" user:mike@example.com="" -="" group:admins@example.com="" -="" domain:google.com="" -="" serviceaccount:my-project-id@appspot.gserviceaccount.com="" role:="" roles/resourcemanager.organizationadmin="" -="" members:="" -="" user:eve@example.com="" role:="" roles/resourcemanager.organizationviewer="" condition:="" title:="" expirable="" access="" description:="" does="" not="" grant="" access="" after="" sep="" 2020="" expression:="" request.time="">< timestamp('2020-10-01t00:00:00.000z')="" for="" a="" description="" of="" iam="" and="" its="" features,="" see="" the="">IAM developer's guide __.

get_import_job

get_import_job(request: Optional[google.cloud.kms_v1.types.service.GetImportJobRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Returns metadata for a given xref_ImportJob.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.GetImportJobRequest` The request object. Request message for KeyManagementService.GetImportJob.
`name`	`str` Required. The name of the ImportJob to get. This corresponds to the `name` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type Description

get_key_ring

get_key_ring(request: Optional[google.cloud.kms_v1.types.service.GetKeyRingRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Returns metadata for a given xref_KeyRing.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.GetKeyRingRequest` The request object. Request message for KeyManagementService.GetKeyRing.
`name`	`str` Required. The name of the KeyRing to get. This corresponds to the `name` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.KeyRing`	A KeyRing is a toplevel logical grouping of CryptoKeys.

get_public_key

get_public_key(request: Optional[google.cloud.kms_v1.types.service.GetPublicKeyRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Returns the public key for the given xref_CryptoKeyVersion. The xref_CryptoKey.purpose must be xref_ASYMMETRIC_SIGN or xref_ASYMMETRIC_DECRYPT.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.GetPublicKeyRequest` The request object. Request message for KeyManagementService.GetPublicKey.
`name`	`str` Required. The name of the CryptoKeyVersion public key to get. This corresponds to the `name` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.PublicKey`	The public key for a given CryptoKeyVersion. Obtained via GetPublicKey.

import_crypto_key_version

import_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.ImportCryptoKeyVersionRequest] = None, *, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Imports a new xref_CryptoKeyVersion into an existing xref_CryptoKey using the wrapped key material provided in the request.

The version ID will be assigned the next sequential id within the xref_CryptoKey.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.ImportCryptoKeyVersionRequest` The request object. Request message for KeyManagementService.ImportCryptoKeyVersion.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.CryptoKeyVersion`	A CryptoKeyVersion represents an individual cryptographic key, and the associated key material. An ENABLED version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

import_job_path

import_job_path(project: str, location: str, key_ring: str, import_job: str)

Returns a fully-qualified import_job string.

key_ring_path

key_ring_path(project: str, location: str, key_ring: str)

Returns a fully-qualified key_ring string.

list_crypto_key_versions

list_crypto_key_versions(request: Optional[google.cloud.kms_v1.types.service.ListCryptoKeyVersionsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Lists xref_CryptoKeyVersions.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.ListCryptoKeyVersionsRequest` The request object. Request message for KeyManagementService.ListCryptoKeyVersions.
`parent`	`str` Required. The resource name of the CryptoKey to list, in the format `projects//locations//keyRings//cryptoKeys/`. This corresponds to the `parent` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeyVersionsPager`	Response message for KeyManagementService.ListCryptoKeyVersions. Iterating over this object will yield results and resolve additional pages automatically.

list_crypto_keys

list_crypto_keys(request: Optional[google.cloud.kms_v1.types.service.ListCryptoKeysRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Lists xref_CryptoKeys.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.ListCryptoKeysRequest` The request object. Request message for KeyManagementService.ListCryptoKeys.
`parent`	`str` Required. The resource name of the KeyRing to list, in the format `projects//locations//keyRings/*`. This corresponds to the `parent` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeysPager`	Response message for KeyManagementService.ListCryptoKeys. Iterating over this object will yield results and resolve additional pages automatically.

list_import_jobs

list_import_jobs(request: Optional[google.cloud.kms_v1.types.service.ListImportJobsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Lists xref_ImportJobs.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.ListImportJobsRequest` The request object. Request message for KeyManagementService.ListImportJobs.
`parent`	`str` Required. The resource name of the KeyRing to list, in the format `projects//locations//keyRings/*`. This corresponds to the `parent` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.services.key_management_service.pagers.ListImportJobsPager`	Response message for KeyManagementService.ListImportJobs. Iterating over this object will yield results and resolve additional pages automatically.

list_key_rings

list_key_rings(request: Optional[google.cloud.kms_v1.types.service.ListKeyRingsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Lists xref_KeyRings.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.ListKeyRingsRequest` The request object. Request message for KeyManagementService.ListKeyRings.
`parent`	`str` Required. The resource name of the location associated with the KeyRings, in the format `projects//locations/`. This corresponds to the `parent` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.services.key_management_service.pagers.ListKeyRingsPager`	Response message for KeyManagementService.ListKeyRings. Iterating over this object will yield results and resolve additional pages automatically.

mac_sign

mac_sign(request: Optional[google.cloud.kms_v1.types.service.MacSignRequest] = None, *, name: Optional[str] = None, data: Optional[bytes] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Signs data using a xref_CryptoKeyVersion with xref_CryptoKey.purpose MAC, producing a tag that can be verified by another source with the same key.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.MacSignRequest` The request object. Request message for KeyManagementService.MacSign.
`name`	`str` Required. The resource name of the CryptoKeyVersion to use for signing. This corresponds to the `name` field on the `request` instance; if `request` is provided, this should not be set.
`data`	`bytes` Required. The data to sign. The MAC tag is computed over this data field based on the specific algorithm. This corresponds to the `data` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.MacSignResponse`	Response message for KeyManagementService.MacSign.

mac_verify

mac_verify(request: Optional[google.cloud.kms_v1.types.service.MacVerifyRequest] = None, *, name: Optional[str] = None, data: Optional[bytes] = None, mac: Optional[bytes] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Verifies MAC tag using a xref_CryptoKeyVersion with xref_CryptoKey.purpose MAC, and returns a response that indicates whether or not the verification was successful.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.MacVerifyRequest` The request object. Request message for KeyManagementService.MacVerify.
`name`	`str` Required. The resource name of the CryptoKeyVersion to use for verification. This corresponds to the `name` field on the `request` instance; if `request` is provided, this should not be set.
`data`	`bytes` Required. The data used previously as a MacSignRequest.data to generate the MAC tag. This corresponds to the `data` field on the `request` instance; if `request` is provided, this should not be set.
`mac`	`bytes` Required. The signature to verify. This corresponds to the `mac` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.MacVerifyResponse`	Response message for KeyManagementService.MacVerify.

parse_common_billing_account_path

parse_common_billing_account_path(path: str)

Parse a billing_account path into its component segments.

parse_common_folder_path

parse_common_folder_path(path: str)

Parse a folder path into its component segments.

parse_common_location_path

parse_common_location_path(path: str)

Parse a location path into its component segments.

parse_common_organization_path

parse_common_organization_path(path: str)

Parse a organization path into its component segments.

parse_common_project_path

parse_common_project_path(path: str)

Parse a project path into its component segments.

parse_crypto_key_path

parse_crypto_key_path(path: str)

Parses a crypto_key path into its component segments.

parse_crypto_key_version_path

parse_crypto_key_version_path(path: str)

Parses a crypto_key_version path into its component segments.

parse_import_job_path

parse_import_job_path(path: str)

Parses a import_job path into its component segments.

parse_key_ring_path

parse_key_ring_path(path: str)

Parses a key_ring path into its component segments.

parse_public_key_path

parse_public_key_path(path: str)

Parses a public_key path into its component segments.

public_key_path

public_key_path(
    project: str, location: str, key_ring: str, crypto_key: str, crypto_key_version: str
)

Returns a fully-qualified public_key string.

restore_crypto_key_version

restore_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.RestoreCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Restore a xref_CryptoKeyVersion in the xref_DESTROY_SCHEDULED state.

Upon restoration of the CryptoKeyVersion, xref_state will be set to xref_DISABLED, and xref_destroy_time will be cleared.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.RestoreCryptoKeyVersionRequest` The request object. Request message for KeyManagementService.RestoreCryptoKeyVersion.
`name`	`str` Required. The resource name of the CryptoKeyVersion to restore. This corresponds to the `name` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.CryptoKeyVersion`	A CryptoKeyVersion represents an individual cryptographic key, and the associated key material. An ENABLED version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

set_iam_policy

set_iam_policy(request: Optional[google.iam.v1.iam_policy_pb2.SetIamPolicyRequest] = None, *, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Sets the IAM access control policy on the specified function.

Replaces any existing policy.

Parameters

Name	Description
`request`	`.iam_policy_pb2.SetIamPolicyRequest` The request object. Request message for `SetIamPolicy` method.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type Description

test_iam_permissions

test_iam_permissions(request: Optional[google.iam.v1.iam_policy_pb2.TestIamPermissionsRequest] = None, *, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Tests the specified IAM permissions against the IAM access control policy for a function.

If the function does not exist, this will return an empty set of permissions, not a NOT_FOUND error.

Parameters

Name	Description
`request`	`.iam_policy_pb2.TestIamPermissionsRequest` The request object. Request message for `TestIamPermissions` method.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`.iam_policy_pb2.TestIamPermissionsResponse`	Response message for `TestIamPermissions` method.

update_crypto_key

update_crypto_key(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyRequest] = None, *, crypto_key: Optional[google.cloud.kms_v1.types.resources.CryptoKey] = None, update_mask: Optional[google.protobuf.field_mask_pb2.FieldMask] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Update a xref_CryptoKey.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.UpdateCryptoKeyRequest` The request object. Request message for KeyManagementService.UpdateCryptoKey.
`crypto_key`	`google.cloud.kms_v1.types.CryptoKey` Required. CryptoKey with updated values. This corresponds to the `crypto_key` field on the `request` instance; if `request` is provided, this should not be set.
`update_mask`	`google.protobuf.field_mask_pb2.FieldMask` Required. List of fields to be updated in this request. This corresponds to the `update_mask` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.CryptoKey`	A CryptoKey represents a logical key that can be used for cryptographic operations. A CryptoKey is made up of zero or more versions, which represent the actual key material used in cryptographic operations.

update_crypto_key_primary_version

update_crypto_key_primary_version(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyPrimaryVersionRequest] = None, *, name: Optional[str] = None, crypto_key_version_id: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Update the version of a xref_CryptoKey that will be used in xref_Encrypt.

Returns an error if called on a key whose purpose is not xref_ENCRYPT_DECRYPT.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.UpdateCryptoKeyPrimaryVersionRequest` The request object. Request message for KeyManagementService.UpdateCryptoKeyPrimaryVersion.
`name`	`str` Required. The resource name of the CryptoKey to update. This corresponds to the `name` field on the `request` instance; if `request` is provided, this should not be set.
`crypto_key_version_id`	`str` Required. The id of the child CryptoKeyVersion to use as primary. This corresponds to the `crypto_key_version_id` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.CryptoKey`	A CryptoKey represents a logical key that can be used for cryptographic operations. A CryptoKey is made up of zero or more versions, which represent the actual key material used in cryptographic operations.

update_crypto_key_version

update_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyVersionRequest] = None, *, crypto_key_version: Optional[google.cloud.kms_v1.types.resources.CryptoKeyVersion] = None, update_mask: Optional[google.protobuf.field_mask_pb2.FieldMask] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())

Update a xref_CryptoKeyVersion's metadata.

xref_state may be changed between xref_ENABLED and xref_DISABLED using this method. See xref_DestroyCryptoKeyVersion and xref_RestoreCryptoKeyVersion to move between other states.

Parameters

Name	Description
`request`	`google.cloud.kms_v1.types.UpdateCryptoKeyVersionRequest` The request object. Request message for KeyManagementService.UpdateCryptoKeyVersion.
`crypto_key_version`	`google.cloud.kms_v1.types.CryptoKeyVersion` Required. CryptoKeyVersion with updated values. This corresponds to the `crypto_key_version` field on the `request` instance; if `request` is provided, this should not be set.
`update_mask`	`google.protobuf.field_mask_pb2.FieldMask` Required. List of fields to be updated in this request. This corresponds to the `update_mask` field on the `request` instance; if `request` is provided, this should not be set.
`retry`	`google.api_core.retry.Retry` Designation of what errors, if any, should be retried.
`timeout`	`float` The timeout for this request.
`metadata`	`Sequence[Tuple[str, str]]` Strings which should be sent along with the request as metadata.

Returns

Type	Description
`google.cloud.kms_v1.types.CryptoKeyVersion`	A CryptoKeyVersion represents an individual cryptographic key, and the associated key material. An ENABLED version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.