KeyManagementServiceClient(*, credentials: Optional[google.auth.credentials.Credentials] = None, transport: Optional[Union[str, google.cloud.kms_v1.services.key_management_service.transports.base.KeyManagementServiceTransport]] = None, client_options: Optional[google.api_core.client_options.ClientOptions] = None, client_info: google.api_core.gapic_v1.client_info.ClientInfo = <google.api_core.gapic_v1.client_info.ClientInfo object>)
Google Cloud Key Management Service
Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:
- KeyRing
- CryptoKey
- CryptoKeyVersion
- ImportJob
If you are using manual gRPC libraries, see Using gRPC with Cloud
KMS <https://cloud.google.com/kms/docs/grpc>
__.
Properties
transport
Returns the transport used by the client instance.
Type | Description |
KeyManagementServiceTransport | The transport used by the client instance. |
Methods
KeyManagementServiceClient
KeyManagementServiceClient(*, credentials: Optional[google.auth.credentials.Credentials] = None, transport: Optional[Union[str, google.cloud.kms_v1.services.key_management_service.transports.base.KeyManagementServiceTransport]] = None, client_options: Optional[google.api_core.client_options.ClientOptions] = None, client_info: google.api_core.gapic_v1.client_info.ClientInfo = <google.api_core.gapic_v1.client_info.ClientInfo object>)
Instantiates the key management service client.
Name | Description |
credentials |
Optional[google.auth.credentials.Credentials]
The authorization credentials to attach to requests. These credentials identify the application to the service; if none are specified, the client will attempt to ascertain the credentials from the environment. |
transport |
Union[str, KeyManagementServiceTransport]
The transport to use. If set to None, a transport is chosen automatically. |
client_options |
google.api_core.client_options.ClientOptions
Custom options for the client. It won't take effect if a |
client_info |
google.api_core.gapic_v1.client_info.ClientInfo
The client info used to send a user-agent string along with API requests. If |
Type | Description |
google.auth.exceptions.MutualTLSChannelError | If mutual TLS transport creation failed for any reason. |
asymmetric_decrypt
asymmetric_decrypt(request: Optional[google.cloud.kms_v1.types.service.AsymmetricDecryptRequest] = None, *, name: Optional[str] = None, ciphertext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Decrypts data that was encrypted with a public key retrieved from xref_GetPublicKey corresponding to a xref_CryptoKeyVersion with xref_CryptoKey.purpose ASYMMETRIC_DECRYPT.
Name | Description |
request |
google.cloud.kms_v1.types.AsymmetricDecryptRequest
The request object. Request message for KeyManagementService.AsymmetricDecrypt. |
name |
str
Required. The resource name of the CryptoKeyVersion to use for decryption. This corresponds to the |
ciphertext |
bytes
Required. The data encrypted with the named CryptoKeyVersion's public key using OAEP. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.AsymmetricDecryptResponse | Response message for KeyManagementService.AsymmetricDecrypt. |
asymmetric_sign
asymmetric_sign(request: Optional[google.cloud.kms_v1.types.service.AsymmetricSignRequest] = None, *, name: Optional[str] = None, digest: Optional[google.cloud.kms_v1.types.service.Digest] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Signs data using a xref_CryptoKeyVersion with xref_CryptoKey.purpose ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved from xref_GetPublicKey.
Name | Description |
request |
google.cloud.kms_v1.types.AsymmetricSignRequest
The request object. Request message for KeyManagementService.AsymmetricSign. |
name |
str
Required. The resource name of the CryptoKeyVersion to use for signing. This corresponds to the |
digest |
google.cloud.kms_v1.types.Digest
Required. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version's algorithm. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.AsymmetricSignResponse | Response message for KeyManagementService.AsymmetricSign. |
common_billing_account_path
common_billing_account_path(billing_account: str)
Returns a fully-qualified billing_account string.
common_folder_path
common_folder_path(folder: str)
Returns a fully-qualified folder string.
common_location_path
common_location_path(project: str, location: str)
Returns a fully-qualified location string.
common_organization_path
common_organization_path(organization: str)
Returns a fully-qualified organization string.
common_project_path
common_project_path(project: str)
Returns a fully-qualified project string.
create_crypto_key
create_crypto_key(request: Optional[google.cloud.kms_v1.types.service.CreateCryptoKeyRequest] = None, *, parent: Optional[str] = None, crypto_key_id: Optional[str] = None, crypto_key: Optional[google.cloud.kms_v1.types.resources.CryptoKey] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Create a new xref_CryptoKey within a xref_KeyRing.
xref_CryptoKey.purpose and xref_CryptoKey.version_template.algorithm are required.
Name | Description |
request |
google.cloud.kms_v1.types.CreateCryptoKeyRequest
The request object. Request message for KeyManagementService.CreateCryptoKey. |
parent |
str
Required. The name of the KeyRing associated with the CryptoKeys. This corresponds to the |
crypto_key_id |
str
Required. It must be unique within a KeyRing and match the regular expression |
crypto_key |
google.cloud.kms_v1.types.CryptoKey
Required. A CryptoKey with initial field values. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.CryptoKey | A CryptoKey represents a logical key that can be used for cryptographic operations. A CryptoKey is made up of zero or more versions, which represent the actual key material used in cryptographic operations. |
create_crypto_key_version
create_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.CreateCryptoKeyVersionRequest] = None, *, parent: Optional[str] = None, crypto_key_version: Optional[google.cloud.kms_v1.types.resources.CryptoKeyVersion] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Create a new xref_CryptoKeyVersion in a xref_CryptoKey.
The server will assign the next sequential id. If unset, xref_state will be set to xref_ENABLED.
Name | Description |
request |
google.cloud.kms_v1.types.CreateCryptoKeyVersionRequest
The request object. Request message for KeyManagementService.CreateCryptoKeyVersion. |
parent |
str
Required. The name of the CryptoKey associated with the CryptoKeyVersions. This corresponds to the |
crypto_key_version |
google.cloud.kms_v1.types.CryptoKeyVersion
Required. A CryptoKeyVersion with initial field values. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.CryptoKeyVersion | A CryptoKeyVersion represents an individual cryptographic key, and the associated key material. An ENABLED version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS. |
create_import_job
create_import_job(request: Optional[google.cloud.kms_v1.types.service.CreateImportJobRequest] = None, *, parent: Optional[str] = None, import_job_id: Optional[str] = None, import_job: Optional[google.cloud.kms_v1.types.resources.ImportJob] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Create a new xref_ImportJob within a xref_KeyRing.
xref_ImportJob.import_method is required.
Name | Description |
request |
google.cloud.kms_v1.types.CreateImportJobRequest
The request object. Request message for KeyManagementService.CreateImportJob. |
parent |
str
Required. The name of the KeyRing associated with the ImportJobs. This corresponds to the |
import_job_id |
str
Required. It must be unique within a KeyRing and match the regular expression |
import_job |
google.cloud.kms_v1.types.ImportJob
Required. An ImportJob with initial field values. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.ImportJob | An ImportJob can be used to create CryptoKeys and CryptoKeyVersions using pre-existing key material, generated outside of Cloud KMS. When an ImportJob is created, Cloud KMS will generate a "wrapping key", which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of import_method. When the wrapping key generation is complete, the state will be set to ACTIVE and the public_key can be fetched. The fetched public key can then be used to wrap your pre-existing key material. Once the key material is wrapped, it can be imported into a new CryptoKeyVersion in an existing CryptoKey by calling ImportCryptoKeyVersion. Multiple CryptoKeyVersions can be imported with a single ImportJob. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key. An ImportJob expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the ImportJob's public key. For more information, see [Importing a key](\ https://cloud.google.com/kms/docs/importing-a-key). |
create_key_ring
create_key_ring(request: Optional[google.cloud.kms_v1.types.service.CreateKeyRingRequest] = None, *, parent: Optional[str] = None, key_ring_id: Optional[str] = None, key_ring: Optional[google.cloud.kms_v1.types.resources.KeyRing] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Create a new xref_KeyRing in a given Project and Location.
Name | Description |
request |
google.cloud.kms_v1.types.CreateKeyRingRequest
The request object. Request message for KeyManagementService.CreateKeyRing. |
parent |
str
Required. The resource name of the location associated with the KeyRings, in the format |
key_ring_id |
str
Required. It must be unique within a location and match the regular expression |
key_ring |
google.cloud.kms_v1.types.KeyRing
Required. A KeyRing with initial field values. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.KeyRing | A KeyRing is a toplevel logical grouping of CryptoKeys. |
crypto_key_path
crypto_key_path(project: str, location: str, key_ring: str, crypto_key: str)
Returns a fully-qualified crypto_key string.
crypto_key_version_path
crypto_key_version_path(
project: str, location: str, key_ring: str, crypto_key: str, crypto_key_version: str
)
Returns a fully-qualified crypto_key_version string.
decrypt
decrypt(request: Optional[google.cloud.kms_v1.types.service.DecryptRequest] = None, *, name: Optional[str] = None, ciphertext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Decrypts data that was protected by xref_Encrypt. The xref_CryptoKey.purpose must be xref_ENCRYPT_DECRYPT.
Name | Description |
request |
google.cloud.kms_v1.types.DecryptRequest
The request object. Request message for KeyManagementService.Decrypt. |
name |
str
Required. The resource name of the CryptoKey to use for decryption. The server will choose the appropriate version. This corresponds to the |
ciphertext |
bytes
Required. The encrypted data originally returned in EncryptResponse.ciphertext. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.DecryptResponse | Response message for KeyManagementService.Decrypt. |
destroy_crypto_key_version
destroy_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.DestroyCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Schedule a xref_CryptoKeyVersion for destruction.
Upon calling this method, xref_CryptoKeyVersion.state will be set to xref_DESTROY_SCHEDULED and xref_destroy_time will be set to a time 24 hours in the future, at which point the xref_state will be changed to xref_DESTROYED, and the key material will be irrevocably destroyed.
Before the xref_destroy_time is reached, xref_RestoreCryptoKeyVersion may be called to reverse the process.
Name | Description |
request |
google.cloud.kms_v1.types.DestroyCryptoKeyVersionRequest
The request object. Request message for KeyManagementService.DestroyCryptoKeyVersion. |
name |
str
Required. The resource name of the CryptoKeyVersion to destroy. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.CryptoKeyVersion | A CryptoKeyVersion represents an individual cryptographic key, and the associated key material. An ENABLED version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS. |
encrypt
encrypt(request: Optional[google.cloud.kms_v1.types.service.EncryptRequest] = None, *, name: Optional[str] = None, plaintext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Encrypts data, so that it can only be recovered by a call to xref_Decrypt. The xref_CryptoKey.purpose must be xref_ENCRYPT_DECRYPT.
Name | Description |
request |
google.cloud.kms_v1.types.EncryptRequest
The request object. Request message for KeyManagementService.Encrypt. |
name |
str
Required. The resource name of the CryptoKey or CryptoKeyVersion to use for encryption. If a CryptoKey is specified, the server will use its [primary version][google.cloud.kms.v1.CryptoKey.primary]. This corresponds to the |
plaintext |
bytes
Required. The data to encrypt. Must be no larger than 64KiB. The maximum size depends on the key version's protection_level. For SOFTWARE keys, the plaintext must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.EncryptResponse | Response message for KeyManagementService.Encrypt. |
from_service_account_file
from_service_account_file(filename: str, *args, **kwargs)
Creates an instance of this client using the provided credentials file.
Name | Description |
filename |
str
The path to the service account private key json file. |
Type | Description |
KeyManagementServiceClient | The constructed client. |
from_service_account_info
from_service_account_info(info: dict, *args, **kwargs)
Creates an instance of this client using the provided credentials info.
Name | Description |
info |
dict
The service account private key info. |
Type | Description |
KeyManagementServiceClient | The constructed client. |
from_service_account_json
from_service_account_json(filename: str, *args, **kwargs)
Creates an instance of this client using the provided credentials file.
Name | Description |
filename |
str
The path to the service account private key json file. |
Type | Description |
KeyManagementServiceClient | The constructed client. |
generate_random_bytes
generate_random_bytes(request: Optional[google.cloud.kms_v1.types.service.GenerateRandomBytesRequest] = None, *, location: Optional[str] = None, length_bytes: Optional[int] = None, protection_level: Optional[google.cloud.kms_v1.types.resources.ProtectionLevel] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Generate random bytes using the Cloud KMS randomness source in the provided location.
Name | Description |
request |
google.cloud.kms_v1.types.GenerateRandomBytesRequest
The request object. Request message for KeyManagementService.GenerateRandomBytes. |
location |
str
The project-specific location in which to generate random bytes. For example, "projects/my- project/locations/us-central1". This corresponds to the |
length_bytes |
int
The length in bytes of the amount of randomness to retrieve. Minimum 8 bytes, maximum 1024 bytes. This corresponds to the |
protection_level |
google.cloud.kms_v1.types.ProtectionLevel
The ProtectionLevel to use when generating the random data. Defaults to SOFTWARE. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.GenerateRandomBytesResponse | Response message for KeyManagementService.GenerateRandomBytes. |
get_crypto_key
get_crypto_key(request: Optional[google.cloud.kms_v1.types.service.GetCryptoKeyRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Returns metadata for a given xref_CryptoKey, as well as its xref_primary xref_CryptoKeyVersion.
Name | Description |
request |
google.cloud.kms_v1.types.GetCryptoKeyRequest
The request object. Request message for KeyManagementService.GetCryptoKey. |
name |
str
Required. The name of the CryptoKey to get. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.CryptoKey | A CryptoKey represents a logical key that can be used for cryptographic operations. A CryptoKey is made up of zero or more versions, which represent the actual key material used in cryptographic operations. |
get_crypto_key_version
get_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.GetCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Returns metadata for a given xref_CryptoKeyVersion.
Name | Description |
request |
google.cloud.kms_v1.types.GetCryptoKeyVersionRequest
The request object. Request message for KeyManagementService.GetCryptoKeyVersion. |
name |
str
Required. The name of the CryptoKeyVersion to get. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.CryptoKeyVersion | A CryptoKeyVersion represents an individual cryptographic key, and the associated key material. An ENABLED version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS. |
get_iam_policy
get_iam_policy(request: Optional[google.iam.v1.iam_policy_pb2.GetIamPolicyRequest] = None, *, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Gets the IAM access control policy for a function.
Returns an empty policy if the function exists and does not have a policy set.
Name | Description |
request |
The request object. Request message for |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
| Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. A Policy is a collection of bindings . A binding binds one or more members to a single role . Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions (defined by IAM or configured by users). A binding can optionally specify a condition , which is a logic expression that further constrains the role binding based on attributes about the request and/or target resource. **JSON Example**:: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01t00:00:00.000z')",="" }="" }="" ]="" }="" **yaml="" example**::="" bindings:="" -="" members:="" -="" user:mike@example.com="" -="" group:admins@example.com="" -="" domain:google.com="" -="" serviceaccount:my-project-id@appspot.gserviceaccount.com="" role:="" roles/resourcemanager.organizationadmin="" -="" members:="" -="" user:eve@example.com="" role:="" roles/resourcemanager.organizationviewer="" condition:="" title:="" expirable="" access="" description:="" does="" not="" grant="" access="" after="" sep="" 2020="" expression:="" request.time="">< timestamp('2020-10-01t00:00:00.000z')="" for="" a="" description="" of="" iam="" and="" its="" features,="" see="" the="">IAM developer's guide __. |
get_import_job
get_import_job(request: Optional[google.cloud.kms_v1.types.service.GetImportJobRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Returns metadata for a given xref_ImportJob.
Name | Description |
request |
google.cloud.kms_v1.types.GetImportJobRequest
The request object. Request message for KeyManagementService.GetImportJob. |
name |
str
Required. The name of the ImportJob to get. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.ImportJob | An ImportJob can be used to create CryptoKeys and CryptoKeyVersions using pre-existing key material, generated outside of Cloud KMS. When an ImportJob is created, Cloud KMS will generate a "wrapping key", which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of import_method. When the wrapping key generation is complete, the state will be set to ACTIVE and the public_key can be fetched. The fetched public key can then be used to wrap your pre-existing key material. Once the key material is wrapped, it can be imported into a new CryptoKeyVersion in an existing CryptoKey by calling ImportCryptoKeyVersion. Multiple CryptoKeyVersions can be imported with a single ImportJob. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key. An ImportJob expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the ImportJob's public key. For more information, see [Importing a key](\ https://cloud.google.com/kms/docs/importing-a-key). |
get_key_ring
get_key_ring(request: Optional[google.cloud.kms_v1.types.service.GetKeyRingRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Returns metadata for a given xref_KeyRing.
Name | Description |
request |
google.cloud.kms_v1.types.GetKeyRingRequest
The request object. Request message for KeyManagementService.GetKeyRing. |
name |
str
Required. The name of the KeyRing to get. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.KeyRing | A KeyRing is a toplevel logical grouping of CryptoKeys. |
get_public_key
get_public_key(request: Optional[google.cloud.kms_v1.types.service.GetPublicKeyRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Returns the public key for the given xref_CryptoKeyVersion. The xref_CryptoKey.purpose must be xref_ASYMMETRIC_SIGN or xref_ASYMMETRIC_DECRYPT.
Name | Description |
request |
google.cloud.kms_v1.types.GetPublicKeyRequest
The request object. Request message for KeyManagementService.GetPublicKey. |
name |
str
Required. The name of the CryptoKeyVersion public key to get. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.PublicKey | The public key for a given CryptoKeyVersion. Obtained via GetPublicKey. |
import_crypto_key_version
import_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.ImportCryptoKeyVersionRequest] = None, *, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Imports a new xref_CryptoKeyVersion into an existing xref_CryptoKey using the wrapped key material provided in the request.
The version ID will be assigned the next sequential id within the xref_CryptoKey.
Name | Description |
request |
google.cloud.kms_v1.types.ImportCryptoKeyVersionRequest
The request object. Request message for KeyManagementService.ImportCryptoKeyVersion. |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.CryptoKeyVersion | A CryptoKeyVersion represents an individual cryptographic key, and the associated key material. An ENABLED version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS. |
import_job_path
import_job_path(project: str, location: str, key_ring: str, import_job: str)
Returns a fully-qualified import_job string.
key_ring_path
key_ring_path(project: str, location: str, key_ring: str)
Returns a fully-qualified key_ring string.
list_crypto_key_versions
list_crypto_key_versions(request: Optional[google.cloud.kms_v1.types.service.ListCryptoKeyVersionsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Lists xref_CryptoKeyVersions.
Name | Description |
request |
google.cloud.kms_v1.types.ListCryptoKeyVersionsRequest
The request object. Request message for KeyManagementService.ListCryptoKeyVersions. |
parent |
str
Required. The resource name of the CryptoKey to list, in the format |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeyVersionsPager | Response message for KeyManagementService.ListCryptoKeyVersions. Iterating over this object will yield results and resolve additional pages automatically. |
list_crypto_keys
list_crypto_keys(request: Optional[google.cloud.kms_v1.types.service.ListCryptoKeysRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Lists xref_CryptoKeys.
Name | Description |
request |
google.cloud.kms_v1.types.ListCryptoKeysRequest
The request object. Request message for KeyManagementService.ListCryptoKeys. |
parent |
str
Required. The resource name of the KeyRing to list, in the format |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeysPager | Response message for KeyManagementService.ListCryptoKeys. Iterating over this object will yield results and resolve additional pages automatically. |
list_import_jobs
list_import_jobs(request: Optional[google.cloud.kms_v1.types.service.ListImportJobsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Lists xref_ImportJobs.
Name | Description |
request |
google.cloud.kms_v1.types.ListImportJobsRequest
The request object. Request message for KeyManagementService.ListImportJobs. |
parent |
str
Required. The resource name of the KeyRing to list, in the format |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.services.key_management_service.pagers.ListImportJobsPager | Response message for KeyManagementService.ListImportJobs. Iterating over this object will yield results and resolve additional pages automatically. |
list_key_rings
list_key_rings(request: Optional[google.cloud.kms_v1.types.service.ListKeyRingsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Lists xref_KeyRings.
Name | Description |
request |
google.cloud.kms_v1.types.ListKeyRingsRequest
The request object. Request message for KeyManagementService.ListKeyRings. |
parent |
str
Required. The resource name of the location associated with the KeyRings, in the format |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.services.key_management_service.pagers.ListKeyRingsPager | Response message for KeyManagementService.ListKeyRings. Iterating over this object will yield results and resolve additional pages automatically. |
mac_sign
mac_sign(request: Optional[google.cloud.kms_v1.types.service.MacSignRequest] = None, *, name: Optional[str] = None, data: Optional[bytes] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Signs data using a xref_CryptoKeyVersion with xref_CryptoKey.purpose MAC, producing a tag that can be verified by another source with the same key.
Name | Description |
request |
google.cloud.kms_v1.types.MacSignRequest
The request object. Request message for KeyManagementService.MacSign. |
name |
str
Required. The resource name of the CryptoKeyVersion to use for signing. This corresponds to the |
data |
bytes
Required. The data to sign. The MAC tag is computed over this data field based on the specific algorithm. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.MacSignResponse | Response message for KeyManagementService.MacSign. |
mac_verify
mac_verify(request: Optional[google.cloud.kms_v1.types.service.MacVerifyRequest] = None, *, name: Optional[str] = None, data: Optional[bytes] = None, mac: Optional[bytes] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Verifies MAC tag using a xref_CryptoKeyVersion with xref_CryptoKey.purpose MAC, and returns a response that indicates whether or not the verification was successful.
Name | Description |
request |
google.cloud.kms_v1.types.MacVerifyRequest
The request object. Request message for KeyManagementService.MacVerify. |
name |
str
Required. The resource name of the CryptoKeyVersion to use for verification. This corresponds to the |
data |
bytes
Required. The data used previously as a MacSignRequest.data to generate the MAC tag. This corresponds to the |
mac |
bytes
Required. The signature to verify. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.MacVerifyResponse | Response message for KeyManagementService.MacVerify. |
parse_common_billing_account_path
parse_common_billing_account_path(path: str)
Parse a billing_account path into its component segments.
parse_common_folder_path
parse_common_folder_path(path: str)
Parse a folder path into its component segments.
parse_common_location_path
parse_common_location_path(path: str)
Parse a location path into its component segments.
parse_common_organization_path
parse_common_organization_path(path: str)
Parse a organization path into its component segments.
parse_common_project_path
parse_common_project_path(path: str)
Parse a project path into its component segments.
parse_crypto_key_path
parse_crypto_key_path(path: str)
Parses a crypto_key path into its component segments.
parse_crypto_key_version_path
parse_crypto_key_version_path(path: str)
Parses a crypto_key_version path into its component segments.
parse_import_job_path
parse_import_job_path(path: str)
Parses a import_job path into its component segments.
parse_key_ring_path
parse_key_ring_path(path: str)
Parses a key_ring path into its component segments.
parse_public_key_path
parse_public_key_path(path: str)
Parses a public_key path into its component segments.
public_key_path
public_key_path(
project: str, location: str, key_ring: str, crypto_key: str, crypto_key_version: str
)
Returns a fully-qualified public_key string.
restore_crypto_key_version
restore_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.RestoreCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Restore a xref_CryptoKeyVersion in the xref_DESTROY_SCHEDULED state.
Upon restoration of the CryptoKeyVersion, xref_state will be set to xref_DISABLED, and xref_destroy_time will be cleared.
Name | Description |
request |
google.cloud.kms_v1.types.RestoreCryptoKeyVersionRequest
The request object. Request message for KeyManagementService.RestoreCryptoKeyVersion. |
name |
str
Required. The resource name of the CryptoKeyVersion to restore. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.CryptoKeyVersion | A CryptoKeyVersion represents an individual cryptographic key, and the associated key material. An ENABLED version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS. |
set_iam_policy
set_iam_policy(request: Optional[google.iam.v1.iam_policy_pb2.SetIamPolicyRequest] = None, *, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Sets the IAM access control policy on the specified function.
Replaces any existing policy.
Name | Description |
request |
The request object. Request message for |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
| Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. A Policy is a collection of bindings . A binding binds one or more members to a single role . Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions (defined by IAM or configured by users). A binding can optionally specify a condition , which is a logic expression that further constrains the role binding based on attributes about the request and/or target resource. **JSON Example**:: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01t00:00:00.000z')",="" }="" }="" ]="" }="" **yaml="" example**::="" bindings:="" -="" members:="" -="" user:mike@example.com="" -="" group:admins@example.com="" -="" domain:google.com="" -="" serviceaccount:my-project-id@appspot.gserviceaccount.com="" role:="" roles/resourcemanager.organizationadmin="" -="" members:="" -="" user:eve@example.com="" role:="" roles/resourcemanager.organizationviewer="" condition:="" title:="" expirable="" access="" description:="" does="" not="" grant="" access="" after="" sep="" 2020="" expression:="" request.time="">< timestamp('2020-10-01t00:00:00.000z')="" for="" a="" description="" of="" iam="" and="" its="" features,="" see="" the="">IAM developer's guide __. |
test_iam_permissions
test_iam_permissions(request: Optional[google.iam.v1.iam_policy_pb2.TestIamPermissionsRequest] = None, *, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Tests the specified IAM permissions against the IAM access control policy for a function.
If the function does not exist, this will return an empty set of permissions, not a NOT_FOUND error.
Name | Description |
request |
The request object. Request message for |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
| Response message for TestIamPermissions method. |
update_crypto_key
update_crypto_key(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyRequest] = None, *, crypto_key: Optional[google.cloud.kms_v1.types.resources.CryptoKey] = None, update_mask: Optional[google.protobuf.field_mask_pb2.FieldMask] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Update a xref_CryptoKey.
Name | Description |
request |
google.cloud.kms_v1.types.UpdateCryptoKeyRequest
The request object. Request message for KeyManagementService.UpdateCryptoKey. |
crypto_key |
google.cloud.kms_v1.types.CryptoKey
Required. CryptoKey with updated values. This corresponds to the |
update_mask |
google.protobuf.field_mask_pb2.FieldMask
Required. List of fields to be updated in this request. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.CryptoKey | A CryptoKey represents a logical key that can be used for cryptographic operations. A CryptoKey is made up of zero or more versions, which represent the actual key material used in cryptographic operations. |
update_crypto_key_primary_version
update_crypto_key_primary_version(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyPrimaryVersionRequest] = None, *, name: Optional[str] = None, crypto_key_version_id: Optional[str] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Update the version of a xref_CryptoKey that will be used in xref_Encrypt.
Returns an error if called on a key whose purpose is not xref_ENCRYPT_DECRYPT.
Name | Description |
request |
google.cloud.kms_v1.types.UpdateCryptoKeyPrimaryVersionRequest
The request object. Request message for KeyManagementService.UpdateCryptoKeyPrimaryVersion. |
name |
str
Required. The resource name of the CryptoKey to update. This corresponds to the |
crypto_key_version_id |
str
Required. The id of the child CryptoKeyVersion to use as primary. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.CryptoKey | A CryptoKey represents a logical key that can be used for cryptographic operations. A CryptoKey is made up of zero or more versions, which represent the actual key material used in cryptographic operations. |
update_crypto_key_version
update_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyVersionRequest] = None, *, crypto_key_version: Optional[google.cloud.kms_v1.types.resources.CryptoKeyVersion] = None, update_mask: Optional[google.protobuf.field_mask_pb2.FieldMask] = None, retry: google.api_core.retry.Retry = <_MethodDefault._DEFAULT_VALUE: <object object>>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ())
Update a xref_CryptoKeyVersion's metadata.
xref_state may be changed between xref_ENABLED and xref_DISABLED using this method. See xref_DestroyCryptoKeyVersion and xref_RestoreCryptoKeyVersion to move between other states.
Name | Description |
request |
google.cloud.kms_v1.types.UpdateCryptoKeyVersionRequest
The request object. Request message for KeyManagementService.UpdateCryptoKeyVersion. |
crypto_key_version |
google.cloud.kms_v1.types.CryptoKeyVersion
Required. CryptoKeyVersion with updated values. This corresponds to the |
update_mask |
google.protobuf.field_mask_pb2.FieldMask
Required. List of fields to be updated in this request. This corresponds to the |
retry |
google.api_core.retry.Retry
Designation of what errors, if any, should be retried. |
timeout |
float
The timeout for this request. |
metadata |
Sequence[Tuple[str, str]]
Strings which should be sent along with the request as metadata. |
Type | Description |
google.cloud.kms_v1.types.CryptoKeyVersion | A CryptoKeyVersion represents an individual cryptographic key, and the associated key material. An ENABLED version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS. |