As of January 1, 2020 this library no longer supports Python 2 on the latest released version.
Library versions released prior to that date will continue to be available. For more information please
visit Python 2 support on Google Cloud.
Source code for google.cloud.kms_v1.services.key_management_service.client
# -*- coding: utf-8 -*-
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
from collections import OrderedDict
from distutils import util
import os
import re
from typing import Callable, Dict, Optional, Sequence, Tuple, Type, Union
import pkg_resources
from google.api_core import client_options as client_options_lib # type: ignore
from google.api_core import exceptions as core_exceptions # type: ignore
from google.api_core import gapic_v1 # type: ignore
from google.api_core import retry as retries # type: ignore
from google.auth import credentials as ga_credentials # type: ignore
from google.auth.transport import mtls # type: ignore
from google.auth.transport.grpc import SslCredentials # type: ignore
from google.auth.exceptions import MutualTLSChannelError # type: ignore
from google.oauth2 import service_account # type: ignore
from google.cloud.kms_v1.services.key_management_service import pagers
from google.cloud.kms_v1.types import resources
from google.cloud.kms_v1.types import service
from google.iam.v1 import iam_policy_pb2 # type: ignore
from google.iam.v1 import policy_pb2 # type: ignore
from google.protobuf import duration_pb2 # type: ignore
from google.protobuf import field_mask_pb2 # type: ignore
from google.protobuf import timestamp_pb2 # type: ignore
from google.protobuf import wrappers_pb2 # type: ignore
from .transports.base import KeyManagementServiceTransport, DEFAULT_CLIENT_INFO
from .transports.grpc import KeyManagementServiceGrpcTransport
from .transports.grpc_asyncio import KeyManagementServiceGrpcAsyncIOTransport
class KeyManagementServiceClientMeta(type):
"""Metaclass for the KeyManagementService client.
This provides class-level methods for building and retrieving
support objects (e.g. transport) without polluting the client instance
objects.
"""
_transport_registry = (
OrderedDict()
) # type: Dict[str, Type[KeyManagementServiceTransport]]
_transport_registry["grpc"] = KeyManagementServiceGrpcTransport
_transport_registry["grpc_asyncio"] = KeyManagementServiceGrpcAsyncIOTransport
def get_transport_class(
cls, label: str = None,
) -> Type[KeyManagementServiceTransport]:
"""Returns an appropriate transport class.
Args:
label: The name of the desired transport. If none is
provided, then the first transport in the registry is used.
Returns:
The transport class to use.
"""
# If a specific transport is requested, return that one.
if label:
return cls._transport_registry[label]
# No transport is requested; return the default (that is, the first one
# in the dictionary).
return next(iter(cls._transport_registry.values()))
[docs]class KeyManagementServiceClient(metaclass=KeyManagementServiceClientMeta):
"""Google Cloud Key Management Service
Manages cryptographic keys and operations using those keys.
Implements a REST model with the following objects:
- [KeyRing][google.cloud.kms.v1.KeyRing]
- [CryptoKey][google.cloud.kms.v1.CryptoKey]
- [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
- [ImportJob][google.cloud.kms.v1.ImportJob]
If you are using manual gRPC libraries, see `Using gRPC with Cloud
KMS <https://cloud.google.com/kms/docs/grpc>`__.
"""
@staticmethod
def _get_default_mtls_endpoint(api_endpoint):
"""Converts api endpoint to mTLS endpoint.
Convert "*.sandbox.googleapis.com" and "*.googleapis.com" to
"*.mtls.sandbox.googleapis.com" and "*.mtls.googleapis.com" respectively.
Args:
api_endpoint (Optional[str]): the api endpoint to convert.
Returns:
str: converted mTLS api endpoint.
"""
if not api_endpoint:
return api_endpoint
mtls_endpoint_re = re.compile(
r"(?P<name>[^.]+)(?P<mtls>\.mtls)?(?P<sandbox>\.sandbox)?(?P<googledomain>\.googleapis\.com)?"
)
m = mtls_endpoint_re.match(api_endpoint)
name, mtls, sandbox, googledomain = m.groups()
if mtls or not googledomain:
return api_endpoint
if sandbox:
return api_endpoint.replace(
"sandbox.googleapis.com", "mtls.sandbox.googleapis.com"
)
return api_endpoint.replace(".googleapis.com", ".mtls.googleapis.com")
DEFAULT_ENDPOINT = "cloudkms.googleapis.com"
DEFAULT_MTLS_ENDPOINT = _get_default_mtls_endpoint.__func__( # type: ignore
DEFAULT_ENDPOINT
)
[docs] @classmethod
def from_service_account_info(cls, info: dict, *args, **kwargs):
"""Creates an instance of this client using the provided credentials
info.
Args:
info (dict): The service account private key info.
args: Additional arguments to pass to the constructor.
kwargs: Additional arguments to pass to the constructor.
Returns:
KeyManagementServiceClient: The constructed client.
"""
credentials = service_account.Credentials.from_service_account_info(info)
kwargs["credentials"] = credentials
return cls(*args, **kwargs)
[docs] @classmethod
def from_service_account_file(cls, filename: str, *args, **kwargs):
"""Creates an instance of this client using the provided credentials
file.
Args:
filename (str): The path to the service account private key json
file.
args: Additional arguments to pass to the constructor.
kwargs: Additional arguments to pass to the constructor.
Returns:
KeyManagementServiceClient: The constructed client.
"""
credentials = service_account.Credentials.from_service_account_file(filename)
kwargs["credentials"] = credentials
return cls(*args, **kwargs)
from_service_account_json = from_service_account_file
@property
def transport(self) -> KeyManagementServiceTransport:
"""Returns the transport used by the client instance.
Returns:
KeyManagementServiceTransport: The transport used by the client
instance.
"""
return self._transport
[docs] @staticmethod
def crypto_key_path(
project: str, location: str, key_ring: str, crypto_key: str,
) -> str:
"""Returns a fully-qualified crypto_key string."""
return "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}".format(
project=project,
location=location,
key_ring=key_ring,
crypto_key=crypto_key,
)
[docs] @staticmethod
def parse_crypto_key_path(path: str) -> Dict[str, str]:
"""Parses a crypto_key path into its component segments."""
m = re.match(
r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)/keyRings/(?P<key_ring>.+?)/cryptoKeys/(?P<crypto_key>.+?)$",
path,
)
return m.groupdict() if m else {}
[docs] @staticmethod
def crypto_key_version_path(
project: str,
location: str,
key_ring: str,
crypto_key: str,
crypto_key_version: str,
) -> str:
"""Returns a fully-qualified crypto_key_version string."""
return "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}".format(
project=project,
location=location,
key_ring=key_ring,
crypto_key=crypto_key,
crypto_key_version=crypto_key_version,
)
[docs] @staticmethod
def parse_crypto_key_version_path(path: str) -> Dict[str, str]:
"""Parses a crypto_key_version path into its component segments."""
m = re.match(
r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)/keyRings/(?P<key_ring>.+?)/cryptoKeys/(?P<crypto_key>.+?)/cryptoKeyVersions/(?P<crypto_key_version>.+?)$",
path,
)
return m.groupdict() if m else {}
[docs] @staticmethod
def import_job_path(
project: str, location: str, key_ring: str, import_job: str,
) -> str:
"""Returns a fully-qualified import_job string."""
return "projects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}".format(
project=project,
location=location,
key_ring=key_ring,
import_job=import_job,
)
[docs] @staticmethod
def parse_import_job_path(path: str) -> Dict[str, str]:
"""Parses a import_job path into its component segments."""
m = re.match(
r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)/keyRings/(?P<key_ring>.+?)/importJobs/(?P<import_job>.+?)$",
path,
)
return m.groupdict() if m else {}
[docs] @staticmethod
def key_ring_path(project: str, location: str, key_ring: str,) -> str:
"""Returns a fully-qualified key_ring string."""
return "projects/{project}/locations/{location}/keyRings/{key_ring}".format(
project=project, location=location, key_ring=key_ring,
)
[docs] @staticmethod
def parse_key_ring_path(path: str) -> Dict[str, str]:
"""Parses a key_ring path into its component segments."""
m = re.match(
r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)/keyRings/(?P<key_ring>.+?)$",
path,
)
return m.groupdict() if m else {}
[docs] @staticmethod
def public_key_path(
project: str,
location: str,
key_ring: str,
crypto_key: str,
crypto_key_version: str,
) -> str:
"""Returns a fully-qualified public_key string."""
return "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}/publicKey".format(
project=project,
location=location,
key_ring=key_ring,
crypto_key=crypto_key,
crypto_key_version=crypto_key_version,
)
[docs] @staticmethod
def parse_public_key_path(path: str) -> Dict[str, str]:
"""Parses a public_key path into its component segments."""
m = re.match(
r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)/keyRings/(?P<key_ring>.+?)/cryptoKeys/(?P<crypto_key>.+?)/cryptoKeyVersions/(?P<crypto_key_version>.+?)/publicKey$",
path,
)
return m.groupdict() if m else {}
[docs] @staticmethod
def common_billing_account_path(billing_account: str,) -> str:
"""Returns a fully-qualified billing_account string."""
return "billingAccounts/{billing_account}".format(
billing_account=billing_account,
)
[docs] @staticmethod
def parse_common_billing_account_path(path: str) -> Dict[str, str]:
"""Parse a billing_account path into its component segments."""
m = re.match(r"^billingAccounts/(?P<billing_account>.+?)$", path)
return m.groupdict() if m else {}
[docs] @staticmethod
def common_folder_path(folder: str,) -> str:
"""Returns a fully-qualified folder string."""
return "folders/{folder}".format(folder=folder,)
[docs] @staticmethod
def parse_common_folder_path(path: str) -> Dict[str, str]:
"""Parse a folder path into its component segments."""
m = re.match(r"^folders/(?P<folder>.+?)$", path)
return m.groupdict() if m else {}
[docs] @staticmethod
def common_organization_path(organization: str,) -> str:
"""Returns a fully-qualified organization string."""
return "organizations/{organization}".format(organization=organization,)
[docs] @staticmethod
def parse_common_organization_path(path: str) -> Dict[str, str]:
"""Parse a organization path into its component segments."""
m = re.match(r"^organizations/(?P<organization>.+?)$", path)
return m.groupdict() if m else {}
[docs] @staticmethod
def common_project_path(project: str,) -> str:
"""Returns a fully-qualified project string."""
return "projects/{project}".format(project=project,)
[docs] @staticmethod
def parse_common_project_path(path: str) -> Dict[str, str]:
"""Parse a project path into its component segments."""
m = re.match(r"^projects/(?P<project>.+?)$", path)
return m.groupdict() if m else {}
[docs] @staticmethod
def common_location_path(project: str, location: str,) -> str:
"""Returns a fully-qualified location string."""
return "projects/{project}/locations/{location}".format(
project=project, location=location,
)
[docs] @staticmethod
def parse_common_location_path(path: str) -> Dict[str, str]:
"""Parse a location path into its component segments."""
m = re.match(r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)$", path)
return m.groupdict() if m else {}
def __init__(
self,
*,
credentials: Optional[ga_credentials.Credentials] = None,
transport: Union[str, KeyManagementServiceTransport, None] = None,
client_options: Optional[client_options_lib.ClientOptions] = None,
client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO,
) -> None:
"""Instantiates the key management service client.
Args:
credentials (Optional[google.auth.credentials.Credentials]): The
authorization credentials to attach to requests. These
credentials identify the application to the service; if none
are specified, the client will attempt to ascertain the
credentials from the environment.
transport (Union[str, KeyManagementServiceTransport]): The
transport to use. If set to None, a transport is chosen
automatically.
client_options (google.api_core.client_options.ClientOptions): Custom options for the
client. It won't take effect if a ``transport`` instance is provided.
(1) The ``api_endpoint`` property can be used to override the
default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT
environment variable can also be used to override the endpoint:
"always" (always use the default mTLS endpoint), "never" (always
use the default regular endpoint) and "auto" (auto switch to the
default mTLS endpoint if client certificate is present, this is
the default value). However, the ``api_endpoint`` property takes
precedence if provided.
(2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable
is "true", then the ``client_cert_source`` property can be used
to provide client certificate for mutual TLS transport. If
not provided, the default SSL client certificate will be used if
present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not
set, no client certificate will be used.
client_info (google.api_core.gapic_v1.client_info.ClientInfo):
The client info used to send a user-agent string along with
API requests. If ``None``, then default info will be used.
Generally, you only need to set this if you're developing
your own client library.
Raises:
google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport
creation failed for any reason.
"""
if isinstance(client_options, dict):
client_options = client_options_lib.from_dict(client_options)
if client_options is None:
client_options = client_options_lib.ClientOptions()
# Create SSL credentials for mutual TLS if needed.
use_client_cert = bool(
util.strtobool(os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false"))
)
client_cert_source_func = None
is_mtls = False
if use_client_cert:
if client_options.client_cert_source:
is_mtls = True
client_cert_source_func = client_options.client_cert_source
else:
is_mtls = mtls.has_default_client_cert_source()
if is_mtls:
client_cert_source_func = mtls.default_client_cert_source()
else:
client_cert_source_func = None
# Figure out which api endpoint to use.
if client_options.api_endpoint is not None:
api_endpoint = client_options.api_endpoint
else:
use_mtls_env = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto")
if use_mtls_env == "never":
api_endpoint = self.DEFAULT_ENDPOINT
elif use_mtls_env == "always":
api_endpoint = self.DEFAULT_MTLS_ENDPOINT
elif use_mtls_env == "auto":
if is_mtls:
api_endpoint = self.DEFAULT_MTLS_ENDPOINT
else:
api_endpoint = self.DEFAULT_ENDPOINT
else:
raise MutualTLSChannelError(
"Unsupported GOOGLE_API_USE_MTLS_ENDPOINT value. Accepted "
"values: never, auto, always"
)
# Save or instantiate the transport.
# Ordinarily, we provide the transport, but allowing a custom transport
# instance provides an extensibility point for unusual situations.
if isinstance(transport, KeyManagementServiceTransport):
# transport is a KeyManagementServiceTransport instance.
if credentials or client_options.credentials_file:
raise ValueError(
"When providing a transport instance, "
"provide its credentials directly."
)
if client_options.scopes:
raise ValueError(
"When providing a transport instance, provide its scopes "
"directly."
)
self._transport = transport
else:
Transport = type(self).get_transport_class(transport)
self._transport = Transport(
credentials=credentials,
credentials_file=client_options.credentials_file,
host=api_endpoint,
scopes=client_options.scopes,
client_cert_source_for_mtls=client_cert_source_func,
quota_project_id=client_options.quota_project_id,
client_info=client_info,
always_use_jwt_access=(
Transport == type(self).get_transport_class("grpc")
or Transport == type(self).get_transport_class("grpc_asyncio")
),
)
[docs] def list_key_rings(
self,
request: service.ListKeyRingsRequest = None,
*,
parent: str = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> pagers.ListKeyRingsPager:
r"""Lists [KeyRings][google.cloud.kms.v1.KeyRing].
Args:
request (google.cloud.kms_v1.types.ListKeyRingsRequest):
The request object. Request message for
[KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
parent (str):
Required. The resource name of the location associated
with the [KeyRings][google.cloud.kms.v1.KeyRing], in the
format ``projects/*/locations/*``.
This corresponds to the ``parent`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.services.key_management_service.pagers.ListKeyRingsPager:
Response message for
[KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
Iterating over this object will yield results and
resolve additional pages automatically.
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([parent])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.ListKeyRingsRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.ListKeyRingsRequest):
request = service.ListKeyRingsRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if parent is not None:
request.parent = parent
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.list_key_rings]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# This method is paged; wrap the response in a pager, which provides
# an `__iter__` convenience method.
response = pagers.ListKeyRingsPager(
method=rpc, request=request, response=response, metadata=metadata,
)
# Done; return the response.
return response
[docs] def list_crypto_keys(
self,
request: service.ListCryptoKeysRequest = None,
*,
parent: str = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> pagers.ListCryptoKeysPager:
r"""Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
Args:
request (google.cloud.kms_v1.types.ListCryptoKeysRequest):
The request object. Request message for
[KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
parent (str):
Required. The resource name of the
[KeyRing][google.cloud.kms.v1.KeyRing] to list, in the
format ``projects/*/locations/*/keyRings/*``.
This corresponds to the ``parent`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeysPager:
Response message for
[KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
Iterating over this object will yield results and
resolve additional pages automatically.
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([parent])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.ListCryptoKeysRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.ListCryptoKeysRequest):
request = service.ListCryptoKeysRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if parent is not None:
request.parent = parent
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.list_crypto_keys]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# This method is paged; wrap the response in a pager, which provides
# an `__iter__` convenience method.
response = pagers.ListCryptoKeysPager(
method=rpc, request=request, response=response, metadata=metadata,
)
# Done; return the response.
return response
[docs] def list_crypto_key_versions(
self,
request: service.ListCryptoKeyVersionsRequest = None,
*,
parent: str = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> pagers.ListCryptoKeyVersionsPager:
r"""Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
Args:
request (google.cloud.kms_v1.types.ListCryptoKeyVersionsRequest):
The request object. Request message for
[KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
parent (str):
Required. The resource name of the
[CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in
the format
``projects/*/locations/*/keyRings/*/cryptoKeys/*``.
This corresponds to the ``parent`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeyVersionsPager:
Response message for
[KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
Iterating over this object will yield results and
resolve additional pages automatically.
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([parent])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.ListCryptoKeyVersionsRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.ListCryptoKeyVersionsRequest):
request = service.ListCryptoKeyVersionsRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if parent is not None:
request.parent = parent
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.list_crypto_key_versions]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# This method is paged; wrap the response in a pager, which provides
# an `__iter__` convenience method.
response = pagers.ListCryptoKeyVersionsPager(
method=rpc, request=request, response=response, metadata=metadata,
)
# Done; return the response.
return response
[docs] def list_import_jobs(
self,
request: service.ListImportJobsRequest = None,
*,
parent: str = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> pagers.ListImportJobsPager:
r"""Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
Args:
request (google.cloud.kms_v1.types.ListImportJobsRequest):
The request object. Request message for
[KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
parent (str):
Required. The resource name of the
[KeyRing][google.cloud.kms.v1.KeyRing] to list, in the
format ``projects/*/locations/*/keyRings/*``.
This corresponds to the ``parent`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.services.key_management_service.pagers.ListImportJobsPager:
Response message for
[KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
Iterating over this object will yield results and
resolve additional pages automatically.
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([parent])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.ListImportJobsRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.ListImportJobsRequest):
request = service.ListImportJobsRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if parent is not None:
request.parent = parent
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.list_import_jobs]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# This method is paged; wrap the response in a pager, which provides
# an `__iter__` convenience method.
response = pagers.ListImportJobsPager(
method=rpc, request=request, response=response, metadata=metadata,
)
# Done; return the response.
return response
[docs] def get_key_ring(
self,
request: service.GetKeyRingRequest = None,
*,
name: str = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> resources.KeyRing:
r"""Returns metadata for a given
[KeyRing][google.cloud.kms.v1.KeyRing].
Args:
request (google.cloud.kms_v1.types.GetKeyRingRequest):
The request object. Request message for
[KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
name (str):
Required. The [name][google.cloud.kms.v1.KeyRing.name]
of the [KeyRing][google.cloud.kms.v1.KeyRing] to get.
This corresponds to the ``name`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.KeyRing:
A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel
logical grouping of
[CryptoKeys][google.cloud.kms.v1.CryptoKey].
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([name])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.GetKeyRingRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.GetKeyRingRequest):
request = service.GetKeyRingRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if name is not None:
request.name = name
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.get_key_ring]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def get_crypto_key(
self,
request: service.GetCryptoKeyRequest = None,
*,
name: str = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> resources.CryptoKey:
r"""Returns metadata for a given
[CryptoKey][google.cloud.kms.v1.CryptoKey], as well as its
[primary][google.cloud.kms.v1.CryptoKey.primary]
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
Args:
request (google.cloud.kms_v1.types.GetCryptoKeyRequest):
The request object. Request message for
[KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
name (str):
Required. The [name][google.cloud.kms.v1.CryptoKey.name]
of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to
get.
This corresponds to the ``name`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.CryptoKey:
A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic
operations.
A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made
up of zero or more
[versions][google.cloud.kms.v1.CryptoKeyVersion],
which represent the actual key material used in
cryptographic operations.
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([name])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.GetCryptoKeyRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.GetCryptoKeyRequest):
request = service.GetCryptoKeyRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if name is not None:
request.name = name
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.get_crypto_key]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def get_crypto_key_version(
self,
request: service.GetCryptoKeyVersionRequest = None,
*,
name: str = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> resources.CryptoKeyVersion:
r"""Returns metadata for a given
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
Args:
request (google.cloud.kms_v1.types.GetCryptoKeyVersionRequest):
The request object. Request message for
[KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
name (str):
Required. The
[name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
to get.
This corresponds to the ``name`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.CryptoKeyVersion:
A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An
[ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
version can be used for cryptographic operations.
For security reasons, the raw cryptographic key
material represented by a
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
can never be viewed or exported. It can only be used
to encrypt, decrypt, or sign data when an authorized
user or application invokes Cloud KMS.
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([name])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.GetCryptoKeyVersionRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.GetCryptoKeyVersionRequest):
request = service.GetCryptoKeyVersionRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if name is not None:
request.name = name
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.get_crypto_key_version]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def get_public_key(
self,
request: service.GetPublicKeyRequest = None,
*,
name: str = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> resources.PublicKey:
r"""Returns the public key for the given
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
[CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must
be
[ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]
or
[ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
Args:
request (google.cloud.kms_v1.types.GetPublicKeyRequest):
The request object. Request message for
[KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
name (str):
Required. The
[name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
public key to get.
This corresponds to the ``name`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.PublicKey:
The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via
[GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([name])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.GetPublicKeyRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.GetPublicKeyRequest):
request = service.GetPublicKeyRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if name is not None:
request.name = name
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.get_public_key]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def get_import_job(
self,
request: service.GetImportJobRequest = None,
*,
name: str = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> resources.ImportJob:
r"""Returns metadata for a given
[ImportJob][google.cloud.kms.v1.ImportJob].
Args:
request (google.cloud.kms_v1.types.GetImportJobRequest):
The request object. Request message for
[KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
name (str):
Required. The [name][google.cloud.kms.v1.ImportJob.name]
of the [ImportJob][google.cloud.kms.v1.ImportJob] to
get.
This corresponds to the ``name`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.ImportJob:
An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
[CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
using pre-existing key material, generated outside of
Cloud KMS.
When an [ImportJob][google.cloud.kms.v1.ImportJob] is
created, Cloud KMS will generate a "wrapping key",
which is a public/private key pair. You use the
wrapping key to encrypt (also known as wrap) the
pre-existing key material to protect it during the
import process. The nature of the wrapping key
depends on the choice of
[import_method][google.cloud.kms.v1.ImportJob.import_method].
When the wrapping key generation is complete, the
[state][google.cloud.kms.v1.ImportJob.state] will be
set to
[ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE]
and the
[public_key][google.cloud.kms.v1.ImportJob.public_key]
can be fetched. The fetched public key can then be
used to wrap your pre-existing key material.
Once the key material is wrapped, it can be imported
into a new
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
in an existing
[CryptoKey][google.cloud.kms.v1.CryptoKey] by calling
[ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
Multiple
[CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
can be imported with a single
[ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS
uses the private key portion of the wrapping key to
unwrap the key material. Only Cloud KMS has access to
the private key.
An [ImportJob][google.cloud.kms.v1.ImportJob] expires
3 days after it is created. Once expired, Cloud KMS
will no longer be able to import or unwrap any key
material that was wrapped with the
[ImportJob][google.cloud.kms.v1.ImportJob]'s public
key.
For more information, see [Importing a
key](\ https://cloud.google.com/kms/docs/importing-a-key).
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([name])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.GetImportJobRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.GetImportJobRequest):
request = service.GetImportJobRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if name is not None:
request.name = name
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.get_import_job]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def create_key_ring(
self,
request: service.CreateKeyRingRequest = None,
*,
parent: str = None,
key_ring_id: str = None,
key_ring: resources.KeyRing = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> resources.KeyRing:
r"""Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given
Project and Location.
Args:
request (google.cloud.kms_v1.types.CreateKeyRingRequest):
The request object. Request message for
[KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
parent (str):
Required. The resource name of the location associated
with the [KeyRings][google.cloud.kms.v1.KeyRing], in the
format ``projects/*/locations/*``.
This corresponds to the ``parent`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
key_ring_id (str):
Required. It must be unique within a location and match
the regular expression ``[a-zA-Z0-9_-]{1,63}``
This corresponds to the ``key_ring_id`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
key_ring (google.cloud.kms_v1.types.KeyRing):
Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with
initial field values.
This corresponds to the ``key_ring`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.KeyRing:
A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel
logical grouping of
[CryptoKeys][google.cloud.kms.v1.CryptoKey].
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([parent, key_ring_id, key_ring])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.CreateKeyRingRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.CreateKeyRingRequest):
request = service.CreateKeyRingRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if parent is not None:
request.parent = parent
if key_ring_id is not None:
request.key_ring_id = key_ring_id
if key_ring is not None:
request.key_ring = key_ring
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.create_key_ring]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def create_crypto_key(
self,
request: service.CreateCryptoKeyRequest = None,
*,
parent: str = None,
crypto_key_id: str = None,
crypto_key: resources.CryptoKey = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> resources.CryptoKey:
r"""Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a
[KeyRing][google.cloud.kms.v1.KeyRing].
[CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
[CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
are required.
Args:
request (google.cloud.kms_v1.types.CreateCryptoKeyRequest):
The request object. Request message for
[KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
parent (str):
Required. The [name][google.cloud.kms.v1.KeyRing.name]
of the KeyRing associated with the
[CryptoKeys][google.cloud.kms.v1.CryptoKey].
This corresponds to the ``parent`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
crypto_key_id (str):
Required. It must be unique within a KeyRing and match
the regular expression ``[a-zA-Z0-9_-]{1,63}``
This corresponds to the ``crypto_key_id`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
crypto_key (google.cloud.kms_v1.types.CryptoKey):
Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey]
with initial field values.
This corresponds to the ``crypto_key`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.CryptoKey:
A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic
operations.
A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made
up of zero or more
[versions][google.cloud.kms.v1.CryptoKeyVersion],
which represent the actual key material used in
cryptographic operations.
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([parent, crypto_key_id, crypto_key])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.CreateCryptoKeyRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.CreateCryptoKeyRequest):
request = service.CreateCryptoKeyRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if parent is not None:
request.parent = parent
if crypto_key_id is not None:
request.crypto_key_id = crypto_key_id
if crypto_key is not None:
request.crypto_key = crypto_key
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.create_crypto_key]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def create_crypto_key_version(
self,
request: service.CreateCryptoKeyVersionRequest = None,
*,
parent: str = None,
crypto_key_version: resources.CryptoKeyVersion = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> resources.CryptoKeyVersion:
r"""Create a new
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a
[CryptoKey][google.cloud.kms.v1.CryptoKey].
The server will assign the next sequential id. If unset,
[state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set
to
[ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
Args:
request (google.cloud.kms_v1.types.CreateCryptoKeyVersionRequest):
The request object. Request message for
[KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
parent (str):
Required. The [name][google.cloud.kms.v1.CryptoKey.name]
of the [CryptoKey][google.cloud.kms.v1.CryptoKey]
associated with the
[CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
This corresponds to the ``parent`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
crypto_key_version (google.cloud.kms_v1.types.CryptoKeyVersion):
Required. A
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
with initial field values.
This corresponds to the ``crypto_key_version`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.CryptoKeyVersion:
A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An
[ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
version can be used for cryptographic operations.
For security reasons, the raw cryptographic key
material represented by a
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
can never be viewed or exported. It can only be used
to encrypt, decrypt, or sign data when an authorized
user or application invokes Cloud KMS.
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([parent, crypto_key_version])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.CreateCryptoKeyVersionRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.CreateCryptoKeyVersionRequest):
request = service.CreateCryptoKeyVersionRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if parent is not None:
request.parent = parent
if crypto_key_version is not None:
request.crypto_key_version = crypto_key_version
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[
self._transport.create_crypto_key_version
]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def import_crypto_key_version(
self,
request: service.ImportCryptoKeyVersionRequest = None,
*,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> resources.CryptoKeyVersion:
r"""Imports a new
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] into an
existing [CryptoKey][google.cloud.kms.v1.CryptoKey] using the
wrapped key material provided in the request.
The version ID will be assigned the next sequential id within
the [CryptoKey][google.cloud.kms.v1.CryptoKey].
Args:
request (google.cloud.kms_v1.types.ImportCryptoKeyVersionRequest):
The request object. Request message for
[KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.CryptoKeyVersion:
A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An
[ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
version can be used for cryptographic operations.
For security reasons, the raw cryptographic key
material represented by a
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
can never be viewed or exported. It can only be used
to encrypt, decrypt, or sign data when an authorized
user or application invokes Cloud KMS.
"""
# Create or coerce a protobuf request object.
# Minor optimization to avoid making a copy if the user passes
# in a service.ImportCryptoKeyVersionRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.ImportCryptoKeyVersionRequest):
request = service.ImportCryptoKeyVersionRequest(request)
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[
self._transport.import_crypto_key_version
]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def create_import_job(
self,
request: service.CreateImportJobRequest = None,
*,
parent: str = None,
import_job_id: str = None,
import_job: resources.ImportJob = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> resources.ImportJob:
r"""Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a
[KeyRing][google.cloud.kms.v1.KeyRing].
[ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method]
is required.
Args:
request (google.cloud.kms_v1.types.CreateImportJobRequest):
The request object. Request message for
[KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].
parent (str):
Required. The [name][google.cloud.kms.v1.KeyRing.name]
of the [KeyRing][google.cloud.kms.v1.KeyRing] associated
with the [ImportJobs][google.cloud.kms.v1.ImportJob].
This corresponds to the ``parent`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
import_job_id (str):
Required. It must be unique within a KeyRing and match
the regular expression ``[a-zA-Z0-9_-]{1,63}``
This corresponds to the ``import_job_id`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
import_job (google.cloud.kms_v1.types.ImportJob):
Required. An [ImportJob][google.cloud.kms.v1.ImportJob]
with initial field values.
This corresponds to the ``import_job`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.ImportJob:
An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
[CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
using pre-existing key material, generated outside of
Cloud KMS.
When an [ImportJob][google.cloud.kms.v1.ImportJob] is
created, Cloud KMS will generate a "wrapping key",
which is a public/private key pair. You use the
wrapping key to encrypt (also known as wrap) the
pre-existing key material to protect it during the
import process. The nature of the wrapping key
depends on the choice of
[import_method][google.cloud.kms.v1.ImportJob.import_method].
When the wrapping key generation is complete, the
[state][google.cloud.kms.v1.ImportJob.state] will be
set to
[ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE]
and the
[public_key][google.cloud.kms.v1.ImportJob.public_key]
can be fetched. The fetched public key can then be
used to wrap your pre-existing key material.
Once the key material is wrapped, it can be imported
into a new
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
in an existing
[CryptoKey][google.cloud.kms.v1.CryptoKey] by calling
[ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
Multiple
[CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
can be imported with a single
[ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS
uses the private key portion of the wrapping key to
unwrap the key material. Only Cloud KMS has access to
the private key.
An [ImportJob][google.cloud.kms.v1.ImportJob] expires
3 days after it is created. Once expired, Cloud KMS
will no longer be able to import or unwrap any key
material that was wrapped with the
[ImportJob][google.cloud.kms.v1.ImportJob]'s public
key.
For more information, see [Importing a
key](\ https://cloud.google.com/kms/docs/importing-a-key).
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([parent, import_job_id, import_job])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.CreateImportJobRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.CreateImportJobRequest):
request = service.CreateImportJobRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if parent is not None:
request.parent = parent
if import_job_id is not None:
request.import_job_id = import_job_id
if import_job is not None:
request.import_job = import_job
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.create_import_job]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def update_crypto_key(
self,
request: service.UpdateCryptoKeyRequest = None,
*,
crypto_key: resources.CryptoKey = None,
update_mask: field_mask_pb2.FieldMask = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> resources.CryptoKey:
r"""Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
Args:
request (google.cloud.kms_v1.types.UpdateCryptoKeyRequest):
The request object. Request message for
[KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].
crypto_key (google.cloud.kms_v1.types.CryptoKey):
Required. [CryptoKey][google.cloud.kms.v1.CryptoKey]
with updated values.
This corresponds to the ``crypto_key`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
update_mask (google.protobuf.field_mask_pb2.FieldMask):
Required. List of fields to be
updated in this request.
This corresponds to the ``update_mask`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.CryptoKey:
A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic
operations.
A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made
up of zero or more
[versions][google.cloud.kms.v1.CryptoKeyVersion],
which represent the actual key material used in
cryptographic operations.
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([crypto_key, update_mask])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.UpdateCryptoKeyRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.UpdateCryptoKeyRequest):
request = service.UpdateCryptoKeyRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if crypto_key is not None:
request.crypto_key = crypto_key
if update_mask is not None:
request.update_mask = update_mask
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.update_crypto_key]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata(
(("crypto_key.name", request.crypto_key.name),)
),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def update_crypto_key_version(
self,
request: service.UpdateCryptoKeyVersionRequest = None,
*,
crypto_key_version: resources.CryptoKeyVersion = None,
update_mask: field_mask_pb2.FieldMask = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> resources.CryptoKeyVersion:
r"""Update a
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
metadata.
[state][google.cloud.kms.v1.CryptoKeyVersion.state] may be
changed between
[ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
and
[DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
using this method. See
[DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]
and
[RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
to move between other states.
Args:
request (google.cloud.kms_v1.types.UpdateCryptoKeyVersionRequest):
The request object. Request message for
[KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
crypto_key_version (google.cloud.kms_v1.types.CryptoKeyVersion):
Required.
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
with updated values.
This corresponds to the ``crypto_key_version`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
update_mask (google.protobuf.field_mask_pb2.FieldMask):
Required. List of fields to be
updated in this request.
This corresponds to the ``update_mask`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.CryptoKeyVersion:
A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An
[ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
version can be used for cryptographic operations.
For security reasons, the raw cryptographic key
material represented by a
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
can never be viewed or exported. It can only be used
to encrypt, decrypt, or sign data when an authorized
user or application invokes Cloud KMS.
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([crypto_key_version, update_mask])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.UpdateCryptoKeyVersionRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.UpdateCryptoKeyVersionRequest):
request = service.UpdateCryptoKeyVersionRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if crypto_key_version is not None:
request.crypto_key_version = crypto_key_version
if update_mask is not None:
request.update_mask = update_mask
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[
self._transport.update_crypto_key_version
]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata(
(("crypto_key_version.name", request.crypto_key_version.name),)
),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def update_crypto_key_primary_version(
self,
request: service.UpdateCryptoKeyPrimaryVersionRequest = None,
*,
name: str = None,
crypto_key_version_id: str = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> resources.CryptoKey:
r"""Update the version of a
[CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in
[Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
Returns an error if called on a key whose purpose is not
[ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
Args:
request (google.cloud.kms_v1.types.UpdateCryptoKeyPrimaryVersionRequest):
The request object. Request message for
[KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
name (str):
Required. The resource name of the
[CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
This corresponds to the ``name`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
crypto_key_version_id (str):
Required. The id of the child
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
to use as primary.
This corresponds to the ``crypto_key_version_id`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.CryptoKey:
A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic
operations.
A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made
up of zero or more
[versions][google.cloud.kms.v1.CryptoKeyVersion],
which represent the actual key material used in
cryptographic operations.
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([name, crypto_key_version_id])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.UpdateCryptoKeyPrimaryVersionRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.UpdateCryptoKeyPrimaryVersionRequest):
request = service.UpdateCryptoKeyPrimaryVersionRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if name is not None:
request.name = name
if crypto_key_version_id is not None:
request.crypto_key_version_id = crypto_key_version_id
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[
self._transport.update_crypto_key_primary_version
]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def destroy_crypto_key_version(
self,
request: service.DestroyCryptoKeyVersionRequest = None,
*,
name: str = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> resources.CryptoKeyVersion:
r"""Schedule a
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for
destruction.
Upon calling this method,
[CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state]
will be set to
[DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
and
[destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
will be set to a time 24 hours in the future, at which point the
[state][google.cloud.kms.v1.CryptoKeyVersion.state] will be
changed to
[DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED],
and the key material will be irrevocably destroyed.
Before the
[destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
is reached,
[RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
may be called to reverse the process.
Args:
request (google.cloud.kms_v1.types.DestroyCryptoKeyVersionRequest):
The request object. Request message for
[KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
name (str):
Required. The resource name of the
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
to destroy.
This corresponds to the ``name`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.CryptoKeyVersion:
A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An
[ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
version can be used for cryptographic operations.
For security reasons, the raw cryptographic key
material represented by a
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
can never be viewed or exported. It can only be used
to encrypt, decrypt, or sign data when an authorized
user or application invokes Cloud KMS.
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([name])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.DestroyCryptoKeyVersionRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.DestroyCryptoKeyVersionRequest):
request = service.DestroyCryptoKeyVersionRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if name is not None:
request.name = name
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[
self._transport.destroy_crypto_key_version
]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def restore_crypto_key_version(
self,
request: service.RestoreCryptoKeyVersionRequest = None,
*,
name: str = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> resources.CryptoKeyVersion:
r"""Restore a
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the
[DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
state.
Upon restoration of the CryptoKeyVersion,
[state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set
to
[DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED],
and
[destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
will be cleared.
Args:
request (google.cloud.kms_v1.types.RestoreCryptoKeyVersionRequest):
The request object. Request message for
[KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
name (str):
Required. The resource name of the
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
to restore.
This corresponds to the ``name`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.CryptoKeyVersion:
A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An
[ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
version can be used for cryptographic operations.
For security reasons, the raw cryptographic key
material represented by a
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
can never be viewed or exported. It can only be used
to encrypt, decrypt, or sign data when an authorized
user or application invokes Cloud KMS.
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([name])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.RestoreCryptoKeyVersionRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.RestoreCryptoKeyVersionRequest):
request = service.RestoreCryptoKeyVersionRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if name is not None:
request.name = name
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[
self._transport.restore_crypto_key_version
]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def encrypt(
self,
request: service.EncryptRequest = None,
*,
name: str = None,
plaintext: bytes = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> service.EncryptResponse:
r"""Encrypts data, so that it can only be recovered by a call to
[Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The
[CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must
be
[ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
Args:
request (google.cloud.kms_v1.types.EncryptRequest):
The request object. Request message for
[KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
name (str):
Required. The resource name of the
[CryptoKey][google.cloud.kms.v1.CryptoKey] or
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
to use for encryption.
If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is
specified, the server will use its [primary
version][google.cloud.kms.v1.CryptoKey.primary].
This corresponds to the ``name`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
plaintext (bytes):
Required. The data to encrypt. Must be no larger than
64KiB.
The maximum size depends on the key version's
[protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
For
[SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE]
keys, the plaintext must be no larger than 64KiB. For
[HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the
combined length of the plaintext and
additional_authenticated_data fields must be no larger
than 8KiB.
This corresponds to the ``plaintext`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.EncryptResponse:
Response message for
[KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([name, plaintext])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.EncryptRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.EncryptRequest):
request = service.EncryptRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if name is not None:
request.name = name
if plaintext is not None:
request.plaintext = plaintext
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.encrypt]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def decrypt(
self,
request: service.DecryptRequest = None,
*,
name: str = None,
ciphertext: bytes = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> service.DecryptResponse:
r"""Decrypts data that was protected by
[Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The
[CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must
be
[ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
Args:
request (google.cloud.kms_v1.types.DecryptRequest):
The request object. Request message for
[KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
name (str):
Required. The resource name of the
[CryptoKey][google.cloud.kms.v1.CryptoKey] to use for
decryption. The server will choose the appropriate
version.
This corresponds to the ``name`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
ciphertext (bytes):
Required. The encrypted data originally returned in
[EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
This corresponds to the ``ciphertext`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.DecryptResponse:
Response message for
[KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([name, ciphertext])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.DecryptRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.DecryptRequest):
request = service.DecryptRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if name is not None:
request.name = name
if ciphertext is not None:
request.ciphertext = ciphertext
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.decrypt]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def asymmetric_sign(
self,
request: service.AsymmetricSignRequest = None,
*,
name: str = None,
digest: service.Digest = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> service.AsymmetricSignResponse:
r"""Signs data using a
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
[CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
ASYMMETRIC_SIGN, producing a signature that can be verified with
the public key retrieved from
[GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
Args:
request (google.cloud.kms_v1.types.AsymmetricSignRequest):
The request object. Request message for
[KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
name (str):
Required. The resource name of the
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
to use for signing.
This corresponds to the ``name`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
digest (google.cloud.kms_v1.types.Digest):
Required. The digest of the data to sign. The digest
must be produced with the same digest algorithm as
specified by the key version's
[algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
This corresponds to the ``digest`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.AsymmetricSignResponse:
Response message for
[KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([name, digest])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.AsymmetricSignRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.AsymmetricSignRequest):
request = service.AsymmetricSignRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if name is not None:
request.name = name
if digest is not None:
request.digest = digest
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.asymmetric_sign]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def asymmetric_decrypt(
self,
request: service.AsymmetricDecryptRequest = None,
*,
name: str = None,
ciphertext: bytes = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> service.AsymmetricDecryptResponse:
r"""Decrypts data that was encrypted with a public key retrieved
from
[GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]
corresponding to a
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
[CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
ASYMMETRIC_DECRYPT.
Args:
request (google.cloud.kms_v1.types.AsymmetricDecryptRequest):
The request object. Request message for
[KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
name (str):
Required. The resource name of the
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
to use for decryption.
This corresponds to the ``name`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
ciphertext (bytes):
Required. The data encrypted with the named
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
public key using OAEP.
This corresponds to the ``ciphertext`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.AsymmetricDecryptResponse:
Response message for
[KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([name, ciphertext])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.AsymmetricDecryptRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.AsymmetricDecryptRequest):
request = service.AsymmetricDecryptRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if name is not None:
request.name = name
if ciphertext is not None:
request.ciphertext = ciphertext
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.asymmetric_decrypt]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def mac_sign(
self,
request: service.MacSignRequest = None,
*,
name: str = None,
data: bytes = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> service.MacSignResponse:
r"""Signs data using a
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
[CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC,
producing a tag that can be verified by another source with the
same key.
Args:
request (google.cloud.kms_v1.types.MacSignRequest):
The request object. Request message for
[KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].
name (str):
Required. The resource name of the
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
to use for signing.
This corresponds to the ``name`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
data (bytes):
Required. The data to sign. The MAC
tag is computed over this data field
based on the specific algorithm.
This corresponds to the ``data`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.MacSignResponse:
Response message for
[KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([name, data])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.MacSignRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.MacSignRequest):
request = service.MacSignRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if name is not None:
request.name = name
if data is not None:
request.data = data
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.mac_sign]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def mac_verify(
self,
request: service.MacVerifyRequest = None,
*,
name: str = None,
data: bytes = None,
mac: bytes = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> service.MacVerifyResponse:
r"""Verifies MAC tag using a
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
[CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC,
and returns a response that indicates whether or not the
verification was successful.
Args:
request (google.cloud.kms_v1.types.MacVerifyRequest):
The request object. Request message for
[KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].
name (str):
Required. The resource name of the
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
to use for verification.
This corresponds to the ``name`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
data (bytes):
Required. The data used previously as a
[MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]
to generate the MAC tag.
This corresponds to the ``data`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
mac (bytes):
Required. The signature to verify.
This corresponds to the ``mac`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.MacVerifyResponse:
Response message for
[KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([name, data, mac])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.MacVerifyRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.MacVerifyRequest):
request = service.MacVerifyRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if name is not None:
request.name = name
if data is not None:
request.data = data
if mac is not None:
request.mac = mac
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.mac_verify]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def generate_random_bytes(
self,
request: service.GenerateRandomBytesRequest = None,
*,
location: str = None,
length_bytes: int = None,
protection_level: resources.ProtectionLevel = None,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> service.GenerateRandomBytesResponse:
r"""Generate random bytes using the Cloud KMS randomness
source in the provided location.
Args:
request (google.cloud.kms_v1.types.GenerateRandomBytesRequest):
The request object. Request message for
[KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].
location (str):
The project-specific location in
which to generate random bytes. For
example, "projects/my-
project/locations/us-central1".
This corresponds to the ``location`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
length_bytes (int):
The length in bytes of the amount of
randomness to retrieve. Minimum 8
bytes, maximum 1024 bytes.
This corresponds to the ``length_bytes`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
protection_level (google.cloud.kms_v1.types.ProtectionLevel):
The
[ProtectionLevel][google.cloud.kms.v1.ProtectionLevel]
to use when generating the random data. Defaults to
[SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
This corresponds to the ``protection_level`` field
on the ``request`` instance; if ``request`` is provided, this
should not be set.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
google.cloud.kms_v1.types.GenerateRandomBytesResponse:
Response message for
[KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].
"""
# Create or coerce a protobuf request object.
# Sanity check: If we got a request object, we should *not* have
# gotten any keyword arguments that map to the request.
has_flattened_params = any([location, length_bytes, protection_level])
if request is not None and has_flattened_params:
raise ValueError(
"If the `request` argument is set, then none of "
"the individual field arguments should be set."
)
# Minor optimization to avoid making a copy if the user passes
# in a service.GenerateRandomBytesRequest.
# There's no risk of modifying the input as we've already verified
# there are no flattened fields.
if not isinstance(request, service.GenerateRandomBytesRequest):
request = service.GenerateRandomBytesRequest(request)
# If we have keyword arguments corresponding to fields on the
# request, apply these.
if location is not None:
request.location = location
if length_bytes is not None:
request.length_bytes = length_bytes
if protection_level is not None:
request.protection_level = protection_level
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = self._transport._wrapped_methods[self._transport.generate_random_bytes]
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("location", request.location),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def set_iam_policy(
self,
request: iam_policy_pb2.SetIamPolicyRequest = None,
*,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> policy_pb2.Policy:
r"""Sets the IAM access control policy on the specified function.
Replaces any existing policy.
Args:
request (:class:`~.iam_policy_pb2.SetIamPolicyRequest`):
The request object. Request message for `SetIamPolicy`
method.
retry (google.api_core.retry.Retry): Designation of what errors, if any,
should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
~.policy_pb2.Policy:
Defines an Identity and Access Management (IAM) policy.
It is used to specify access control policies for Cloud
Platform resources.
A ``Policy`` is a collection of ``bindings``. A
``binding`` binds one or more ``members`` to a single
``role``. Members can be user accounts, service
accounts, Google groups, and domains (such as G Suite).
A ``role`` is a named list of permissions (defined by
IAM or configured by users). A ``binding`` can
optionally specify a ``condition``, which is a logic
expression that further constrains the role binding
based on attributes about the request and/or target
resource.
**JSON Example**::
{
"bindings": [
{
"role": "roles/resourcemanager.organizationAdmin",
"members": [
"user:mike@example.com",
"group:admins@example.com",
"domain:google.com",
"serviceAccount:my-project-id@appspot.gserviceaccount.com"
]
},
{
"role": "roles/resourcemanager.organizationViewer",
"members": ["user:eve@example.com"],
"condition": {
"title": "expirable access",
"description": "Does not grant access after Sep 2020",
"expression": "request.time <
timestamp('2020-10-01T00:00:00.000Z')",
}
}
]
}
**YAML Example**::
bindings:
- members:
- user:mike@example.com
- group:admins@example.com
- domain:google.com
- serviceAccount:my-project-id@appspot.gserviceaccount.com
role: roles/resourcemanager.organizationAdmin
- members:
- user:eve@example.com
role: roles/resourcemanager.organizationViewer
condition:
title: expirable access
description: Does not grant access after Sep 2020
expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
For a description of IAM and its features, see the `IAM
developer's
guide <https://cloud.google.com/iam/docs>`__.
"""
# Create or coerce a protobuf request object.
# The request isn't a proto-plus wrapped type,
# so it must be constructed via keyword expansion.
if isinstance(request, dict):
request = iam_policy_pb2.SetIamPolicyRequest(**request)
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = gapic_v1.method.wrap_method(
self._transport.set_iam_policy,
default_timeout=None,
client_info=DEFAULT_CLIENT_INFO,
)
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("resource", request.resource),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def get_iam_policy(
self,
request: iam_policy_pb2.GetIamPolicyRequest = None,
*,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> policy_pb2.Policy:
r"""Gets the IAM access control policy for a function.
Returns an empty policy if the function exists and does not have a
policy set.
Args:
request (:class:`~.iam_policy_pb2.GetIamPolicyRequest`):
The request object. Request message for `GetIamPolicy`
method.
retry (google.api_core.retry.Retry): Designation of what errors, if
any, should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
~.policy_pb2.Policy:
Defines an Identity and Access Management (IAM) policy.
It is used to specify access control policies for Cloud
Platform resources.
A ``Policy`` is a collection of ``bindings``. A
``binding`` binds one or more ``members`` to a single
``role``. Members can be user accounts, service
accounts, Google groups, and domains (such as G Suite).
A ``role`` is a named list of permissions (defined by
IAM or configured by users). A ``binding`` can
optionally specify a ``condition``, which is a logic
expression that further constrains the role binding
based on attributes about the request and/or target
resource.
**JSON Example**::
{
"bindings": [
{
"role": "roles/resourcemanager.organizationAdmin",
"members": [
"user:mike@example.com",
"group:admins@example.com",
"domain:google.com",
"serviceAccount:my-project-id@appspot.gserviceaccount.com"
]
},
{
"role": "roles/resourcemanager.organizationViewer",
"members": ["user:eve@example.com"],
"condition": {
"title": "expirable access",
"description": "Does not grant access after Sep 2020",
"expression": "request.time <
timestamp('2020-10-01T00:00:00.000Z')",
}
}
]
}
**YAML Example**::
bindings:
- members:
- user:mike@example.com
- group:admins@example.com
- domain:google.com
- serviceAccount:my-project-id@appspot.gserviceaccount.com
role: roles/resourcemanager.organizationAdmin
- members:
- user:eve@example.com
role: roles/resourcemanager.organizationViewer
condition:
title: expirable access
description: Does not grant access after Sep 2020
expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
For a description of IAM and its features, see the `IAM
developer's
guide <https://cloud.google.com/iam/docs>`__.
"""
# Create or coerce a protobuf request object.
# The request isn't a proto-plus wrapped type,
# so it must be constructed via keyword expansion.
if isinstance(request, dict):
request = iam_policy_pb2.GetIamPolicyRequest(**request)
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = gapic_v1.method.wrap_method(
self._transport.get_iam_policy,
default_timeout=None,
client_info=DEFAULT_CLIENT_INFO,
)
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("resource", request.resource),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
[docs] def test_iam_permissions(
self,
request: iam_policy_pb2.TestIamPermissionsRequest = None,
*,
retry: retries.Retry = gapic_v1.method.DEFAULT,
timeout: float = None,
metadata: Sequence[Tuple[str, str]] = (),
) -> iam_policy_pb2.TestIamPermissionsResponse:
r"""Tests the specified IAM permissions against the IAM access control
policy for a function.
If the function does not exist, this will return an empty set
of permissions, not a NOT_FOUND error.
Args:
request (:class:`~.iam_policy_pb2.TestIamPermissionsRequest`):
The request object. Request message for
`TestIamPermissions` method.
retry (google.api_core.retry.Retry): Designation of what errors,
if any, should be retried.
timeout (float): The timeout for this request.
metadata (Sequence[Tuple[str, str]]): Strings which should be
sent along with the request as metadata.
Returns:
~.iam_policy_pb2.TestIamPermissionsResponse:
Response message for ``TestIamPermissions`` method.
"""
# Create or coerce a protobuf request object.
# The request isn't a proto-plus wrapped type,
# so it must be constructed via keyword expansion.
if isinstance(request, dict):
request = iam_policy_pb2.TestIamPermissionsRequest(**request)
# Wrap the RPC method; this adds retry and timeout information,
# and friendly error handling.
rpc = gapic_v1.method.wrap_method(
self._transport.test_iam_permissions,
default_timeout=None,
client_info=DEFAULT_CLIENT_INFO,
)
# Certain fields should be provided within the metadata header;
# add these here.
metadata = tuple(metadata) + (
gapic_v1.routing_header.to_grpc_metadata((("resource", request.resource),)),
)
# Send the request.
response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,)
# Done; return the response.
return response
try:
DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo(
gapic_version=pkg_resources.get_distribution("google-cloud-kms",).version,
)
except pkg_resources.DistributionNotFound:
DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo()
__all__ = ("KeyManagementServiceClient",)