As of January 1, 2020 this library no longer supports Python 2 on the latest released version. Library versions released prior to that date will continue to be available. For more information please visit Python 2 support on Google Cloud.

Source code for google.cloud.kms_v1.types.resources

# -*- coding: utf-8 -*-
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
import proto  # type: ignore

from google.protobuf import duration_pb2  # type: ignore
from google.protobuf import timestamp_pb2  # type: ignore
from google.protobuf import wrappers_pb2  # type: ignore


__protobuf__ = proto.module(
    package="google.cloud.kms.v1",
    manifest={
        "ProtectionLevel",
        "KeyRing",
        "CryptoKey",
        "CryptoKeyVersionTemplate",
        "KeyOperationAttestation",
        "CryptoKeyVersion",
        "PublicKey",
        "ImportJob",
        "ExternalProtectionLevelOptions",
    },
)


[docs]class ProtectionLevel(proto.Enum): r"""[ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how cryptographic operations are performed. For more information, see [Protection levels] (https://cloud.google.com/kms/docs/algorithms#protection_levels). """ PROTECTION_LEVEL_UNSPECIFIED = 0 SOFTWARE = 1 HSM = 2 EXTERNAL = 3
[docs]class KeyRing(proto.Message): r"""A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey]. Attributes: name (str): Output only. The resource name for the [KeyRing][google.cloud.kms.v1.KeyRing] in the format ``projects/*/locations/*/keyRings/*``. create_time (google.protobuf.timestamp_pb2.Timestamp): Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing] was created. """ name = proto.Field(proto.STRING, number=1,) create_time = proto.Field(proto.MESSAGE, number=2, message=timestamp_pb2.Timestamp,)
[docs]class CryptoKey(proto.Message): r"""A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic operations. A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations. Attributes: name (str): Output only. The resource name for this [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format ``projects/*/locations/*/keyRings/*/cryptoKeys/*``. primary (google.cloud.kms_v1.types.CryptoKeyVersion): Output only. A copy of the "primary" [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this [CryptoKey][google.cloud.kms.v1.CryptoKey] is given in [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name]. The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary version can be updated via [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]. Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] may have a primary. For other keys, this field will be omitted. purpose (google.cloud.kms_v1.types.CryptoKey.CryptoKeyPurpose): Immutable. The immutable purpose of this [CryptoKey][google.cloud.kms.v1.CryptoKey]. create_time (google.protobuf.timestamp_pb2.Timestamp): Output only. The time at which this [CryptoKey][google.cloud.kms.v1.CryptoKey] was created. next_rotation_time (google.protobuf.timestamp_pb2.Timestamp): At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time], the Key Management Service will automatically: 1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey]. 2. Mark the new version as primary. Key rotations performed manually via [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] and [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion] do not affect [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]. Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support automatic rotation. For other keys, this field must be omitted. rotation_period (google.protobuf.duration_pb2.Duration): [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is set, [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] must also be set. Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support automatic rotation. For other keys, this field must be omitted. version_template (google.cloud.kms_v1.types.CryptoKeyVersionTemplate): A template describing settings for new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances. The properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances created by either [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or auto-rotation are controlled by this template. labels (Sequence[google.cloud.kms_v1.types.CryptoKey.LabelsEntry]): Labels with user-defined metadata. For more information, see `Labeling Keys <https://cloud.google.com/kms/docs/labeling-keys>`__. import_only (bool): Immutable. Whether this key may contain imported versions only. destroy_scheduled_duration (google.protobuf.duration_pb2.Duration): Immutable. The period of time that versions of this key spend in the [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] state before transitioning to [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED]. If not specified at creation time, the default duration is 24 hours. """
[docs] class CryptoKeyPurpose(proto.Enum): r"""[CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] describes the cryptographic capabilities of a [CryptoKey][google.cloud.kms.v1.CryptoKey]. A given key can only be used for the operations allowed by its purpose. For more information, see `Key purposes <https://cloud.google.com/kms/docs/algorithms#key_purposes>`__. """ CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0 ENCRYPT_DECRYPT = 1 ASYMMETRIC_SIGN = 5 ASYMMETRIC_DECRYPT = 6 MAC = 9
name = proto.Field(proto.STRING, number=1,) primary = proto.Field(proto.MESSAGE, number=2, message="CryptoKeyVersion",) purpose = proto.Field(proto.ENUM, number=3, enum=CryptoKeyPurpose,) create_time = proto.Field(proto.MESSAGE, number=5, message=timestamp_pb2.Timestamp,) next_rotation_time = proto.Field( proto.MESSAGE, number=7, message=timestamp_pb2.Timestamp, ) rotation_period = proto.Field( proto.MESSAGE, number=8, oneof="rotation_schedule", message=duration_pb2.Duration, ) version_template = proto.Field( proto.MESSAGE, number=11, message="CryptoKeyVersionTemplate", ) labels = proto.MapField(proto.STRING, proto.STRING, number=10,) import_only = proto.Field(proto.BOOL, number=13,) destroy_scheduled_duration = proto.Field( proto.MESSAGE, number=14, message=duration_pb2.Duration, )
[docs]class CryptoKeyVersionTemplate(proto.Message): r"""A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate] specifies the properties to use when creating a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually with [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or automatically as a result of auto-rotation. Attributes: protection_level (google.cloud.kms_v1.types.ProtectionLevel): [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this template. Immutable. Defaults to [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE]. algorithm (google.cloud.kms_v1.types.CryptoKeyVersion.CryptoKeyVersionAlgorithm): Required. [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] to use when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. """ protection_level = proto.Field(proto.ENUM, number=1, enum="ProtectionLevel",) algorithm = proto.Field( proto.ENUM, number=3, enum="CryptoKeyVersion.CryptoKeyVersionAlgorithm", )
[docs]class KeyOperationAttestation(proto.Message): r"""Contains an HSM-generated attestation about a key operation. For more information, see [Verifying attestations] (https://cloud.google.com/kms/docs/attest-key). Attributes: format (google.cloud.kms_v1.types.KeyOperationAttestation.AttestationFormat): Output only. The format of the attestation data. content (bytes): Output only. The attestation data provided by the HSM when the key operation was performed. """
[docs] class AttestationFormat(proto.Enum): r"""Attestation formats provided by the HSM.""" ATTESTATION_FORMAT_UNSPECIFIED = 0 CAVIUM_V1_COMPRESSED = 3 CAVIUM_V2_COMPRESSED = 4
format = proto.Field(proto.ENUM, number=4, enum=AttestationFormat,) content = proto.Field(proto.BYTES, number=5,)
[docs]class CryptoKeyVersion(proto.Message): r"""A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the associated key material. An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS. Attributes: name (str): Output only. The resource name for this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format ``projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*``. state (google.cloud.kms_v1.types.CryptoKeyVersion.CryptoKeyVersionState): The current state of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. protection_level (google.cloud.kms_v1.types.ProtectionLevel): Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] describing how crypto operations are performed with this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. algorithm (google.cloud.kms_v1.types.CryptoKeyVersion.CryptoKeyVersionAlgorithm): Output only. The [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] supports. attestation (google.cloud.kms_v1.types.KeyOperationAttestation): Output only. Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level] [HSM][google.cloud.kms.v1.ProtectionLevel.HSM]. create_time (google.protobuf.timestamp_pb2.Timestamp): Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created. generate_time (google.protobuf.timestamp_pb2.Timestamp): Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was generated. destroy_time (google.protobuf.timestamp_pb2.Timestamp): Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material is scheduled for destruction. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]. destroy_event_time (google.protobuf.timestamp_pb2.Timestamp): Output only. The time this CryptoKeyVersion's key material was destroyed. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED]. import_job (str): Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob] used to import this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if the underlying key material was imported. import_time (google.protobuf.timestamp_pb2.Timestamp): Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was imported. import_failure_reason (str): Output only. The root cause of an import failure. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED]. external_protection_level_options (google.cloud.kms_v1.types.ExternalProtectionLevelOptions): ExternalProtectionLevelOptions stores a group of additional fields for configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that are specific to the [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level. """
[docs] class CryptoKeyVersionAlgorithm(proto.Enum): r"""The algorithm of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating what parameters must be used for each cryptographic operation. The [GOOGLE_SYMMETRIC_ENCRYPTION][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION] algorithm is usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. Algorithms beginning with "RSA_SIGN\_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]. The fields in the name after "RSA_SIGN\_" correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm. For PSS, the salt length used is equal to the length of digest algorithm. For example, [RSA_SIGN_PSS_2048_SHA256][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256] will use PSS with a salt length of 256 bits or 32 bytes. Algorithms beginning with "RSA_DECRYPT\_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT]. The fields in the name after "RSA_DECRYPT\_" correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm. Algorithms beginning with "EC_SIGN\_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]. The fields in the name after "EC_SIGN\_" correspond to the following parameters: elliptic curve, digest algorithm. Algorithms beginning with "HMAC\_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [MAC][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.MAC]. The suffix following "HMAC\_" corresponds to the hash algorithm being used (eg. SHA256). For more information, see [Key purposes and algorithms] (https://cloud.google.com/kms/docs/algorithms). """ CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0 GOOGLE_SYMMETRIC_ENCRYPTION = 1 RSA_SIGN_PSS_2048_SHA256 = 2 RSA_SIGN_PSS_3072_SHA256 = 3 RSA_SIGN_PSS_4096_SHA256 = 4 RSA_SIGN_PSS_4096_SHA512 = 15 RSA_SIGN_PKCS1_2048_SHA256 = 5 RSA_SIGN_PKCS1_3072_SHA256 = 6 RSA_SIGN_PKCS1_4096_SHA256 = 7 RSA_SIGN_PKCS1_4096_SHA512 = 16 RSA_DECRYPT_OAEP_2048_SHA256 = 8 RSA_DECRYPT_OAEP_3072_SHA256 = 9 RSA_DECRYPT_OAEP_4096_SHA256 = 10 RSA_DECRYPT_OAEP_4096_SHA512 = 17 EC_SIGN_P256_SHA256 = 12 EC_SIGN_P384_SHA384 = 13 EC_SIGN_SECP256K1_SHA256 = 31 HMAC_SHA256 = 32 EXTERNAL_SYMMETRIC_ENCRYPTION = 18
[docs] class CryptoKeyVersionState(proto.Enum): r"""The state of a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating if it can be used. """ CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0 PENDING_GENERATION = 5 ENABLED = 1 DISABLED = 2 DESTROYED = 3 DESTROY_SCHEDULED = 4 PENDING_IMPORT = 6 IMPORT_FAILED = 7
[docs] class CryptoKeyVersionView(proto.Enum): r"""A view for [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]s. Controls the level of detail returned for [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] in [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions] and [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys]. """ CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0 FULL = 1
name = proto.Field(proto.STRING, number=1,) state = proto.Field(proto.ENUM, number=3, enum=CryptoKeyVersionState,) protection_level = proto.Field(proto.ENUM, number=7, enum="ProtectionLevel",) algorithm = proto.Field(proto.ENUM, number=10, enum=CryptoKeyVersionAlgorithm,) attestation = proto.Field( proto.MESSAGE, number=8, message="KeyOperationAttestation", ) create_time = proto.Field(proto.MESSAGE, number=4, message=timestamp_pb2.Timestamp,) generate_time = proto.Field( proto.MESSAGE, number=11, message=timestamp_pb2.Timestamp, ) destroy_time = proto.Field( proto.MESSAGE, number=5, message=timestamp_pb2.Timestamp, ) destroy_event_time = proto.Field( proto.MESSAGE, number=6, message=timestamp_pb2.Timestamp, ) import_job = proto.Field(proto.STRING, number=14,) import_time = proto.Field( proto.MESSAGE, number=15, message=timestamp_pb2.Timestamp, ) import_failure_reason = proto.Field(proto.STRING, number=16,) external_protection_level_options = proto.Field( proto.MESSAGE, number=17, message="ExternalProtectionLevelOptions", )
[docs]class PublicKey(proto.Message): r"""The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]. Attributes: pem (str): The public key, encoded in PEM format. For more information, see the `RFC 7468 <https://tools.ietf.org/html/rfc7468>`__ sections for `General Considerations <https://tools.ietf.org/html/rfc7468#section-2>`__ and [Textual Encoding of Subject Public Key Info] (https://tools.ietf.org/html/rfc7468#section-13). algorithm (google.cloud.kms_v1.types.CryptoKeyVersion.CryptoKeyVersionAlgorithm): The [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] associated with this key. pem_crc32c (google.protobuf.wrappers_pb2.Int64Value): Integrity verification field. A CRC32C checksum of the returned [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem]. An integrity check of [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] can be performed by computing the CRC32C checksum of [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type. NOTE: This field is in Beta. name (str): The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key. Provided here for verification. NOTE: This field is in Beta. protection_level (google.cloud.kms_v1.types.ProtectionLevel): The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key. """ pem = proto.Field(proto.STRING, number=1,) algorithm = proto.Field( proto.ENUM, number=2, enum="CryptoKeyVersion.CryptoKeyVersionAlgorithm", ) pem_crc32c = proto.Field(proto.MESSAGE, number=3, message=wrappers_pb2.Int64Value,) name = proto.Field(proto.STRING, number=4,) protection_level = proto.Field(proto.ENUM, number=5, enum="ProtectionLevel",)
[docs]class ImportJob(proto.Message): r"""An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material, generated outside of Cloud KMS. When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a "wrapping key", which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The fetched public key can then be used to wrap your pre-existing key material. Once the key material is wrapped, it can be imported into a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key. An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the [ImportJob][google.cloud.kms.v1.ImportJob]'s public key. For more information, see `Importing a key <https://cloud.google.com/kms/docs/importing-a-key>`__. Attributes: name (str): Output only. The resource name for this [ImportJob][google.cloud.kms.v1.ImportJob] in the format ``projects/*/locations/*/keyRings/*/importJobs/*``. import_method (google.cloud.kms_v1.types.ImportJob.ImportMethod): Required. Immutable. The wrapping method to be used for incoming key material. protection_level (google.cloud.kms_v1.types.ProtectionLevel): Required. Immutable. The protection level of the [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] of the [version_template][google.cloud.kms.v1.CryptoKey.version_template] on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you attempt to import into. create_time (google.protobuf.timestamp_pb2.Timestamp): Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] was created. generate_time (google.protobuf.timestamp_pb2.Timestamp): Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]'s key material was generated. expire_time (google.protobuf.timestamp_pb2.Timestamp): Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for expiration and can no longer be used to import key material. expire_event_time (google.protobuf.timestamp_pb2.Timestamp): Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob] expired. Only present if [state][google.cloud.kms.v1.ImportJob.state] is [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED]. state (google.cloud.kms_v1.types.ImportJob.ImportJobState): Output only. The current state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used. public_key (google.cloud.kms_v1.types.ImportJob.WrappingPublicKey): Output only. The public key with which to wrap key material prior to import. Only returned if [state][google.cloud.kms.v1.ImportJob.state] is [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE]. attestation (google.cloud.kms_v1.types.KeyOperationAttestation): Output only. Statement that was generated and signed by the key creator (for example, an HSM) at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only present if the chosen [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is one with a protection level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM]. """
[docs] class ImportMethod(proto.Enum): r"""[ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] describes the key wrapping method chosen for this [ImportJob][google.cloud.kms.v1.ImportJob]. """ IMPORT_METHOD_UNSPECIFIED = 0 RSA_OAEP_3072_SHA1_AES_256 = 1 RSA_OAEP_4096_SHA1_AES_256 = 2
[docs] class ImportJobState(proto.Enum): r"""The state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used. """ IMPORT_JOB_STATE_UNSPECIFIED = 0 PENDING_GENERATION = 1 ACTIVE = 2 EXPIRED = 3
[docs] class WrappingPublicKey(proto.Message): r"""The public key component of the wrapping key. For details of the type of key this public key corresponds to, see the [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod]. Attributes: pem (str): The public key, encoded in PEM format. For more information, see the `RFC 7468 <https://tools.ietf.org/html/rfc7468>`__ sections for `General Considerations <https://tools.ietf.org/html/rfc7468#section-2>`__ and [Textual Encoding of Subject Public Key Info] (https://tools.ietf.org/html/rfc7468#section-13). """ pem = proto.Field(proto.STRING, number=1,)
name = proto.Field(proto.STRING, number=1,) import_method = proto.Field(proto.ENUM, number=2, enum=ImportMethod,) protection_level = proto.Field(proto.ENUM, number=9, enum="ProtectionLevel",) create_time = proto.Field(proto.MESSAGE, number=3, message=timestamp_pb2.Timestamp,) generate_time = proto.Field( proto.MESSAGE, number=4, message=timestamp_pb2.Timestamp, ) expire_time = proto.Field(proto.MESSAGE, number=5, message=timestamp_pb2.Timestamp,) expire_event_time = proto.Field( proto.MESSAGE, number=10, message=timestamp_pb2.Timestamp, ) state = proto.Field(proto.ENUM, number=6, enum=ImportJobState,) public_key = proto.Field(proto.MESSAGE, number=7, message=WrappingPublicKey,) attestation = proto.Field( proto.MESSAGE, number=8, message="KeyOperationAttestation", )
[docs]class ExternalProtectionLevelOptions(proto.Message): r"""ExternalProtectionLevelOptions stores a group of additional fields for configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that are specific to the [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level. Attributes: external_key_uri (str): The URI for an external resource that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents. """ external_key_uri = proto.Field(proto.STRING, number=1,)
__all__ = tuple(sorted(__protobuf__.manifest))