As of January 1, 2020 this library no longer supports Python 2 on the latest released version. Library versions released prior to that date will continue to be available. For more information please visit Python 2 support on Google Cloud.

KeyManagementService

class google.cloud.kms_v1.services.key_management_service.KeyManagementServiceAsyncClient(*, credentials: google.auth.credentials.Credentials = None, transport: Union[str, google.cloud.kms_v1.services.key_management_service.transports.base.KeyManagementServiceTransport] = 'grpc_asyncio', client_options: <module 'google.api_core.client_options' from '/usr/lib/python3.10/site-packages/google/api_core/client_options.py'> = None, client_info: google.api_core.gapic_v1.client_info.ClientInfo = <google.api_core.gapic_v1.client_info.ClientInfo object>)[source]

Google Cloud Key Management Service

Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:

  • [KeyRing][google.cloud.kms.v1.KeyRing]

  • [CryptoKey][google.cloud.kms.v1.CryptoKey]

  • [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]

  • [ImportJob][google.cloud.kms.v1.ImportJob]

If you are using manual gRPC libraries, see Using gRPC with Cloud KMS.

Instantiates the key management service client.

Parameters
  • credentials (Optional[google.auth.credentials.Credentials]) – The authorization credentials to attach to requests. These credentials identify the application to the service; if none are specified, the client will attempt to ascertain the credentials from the environment.

  • transport (Union[str, KeyManagementServiceTransport]) – The transport to use. If set to None, a transport is chosen automatically.

  • client_options (ClientOptions) – Custom options for the client. It won’t take effect if a transport instance is provided. (1) The api_endpoint property can be used to override the default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT environment variable can also be used to override the endpoint: “always” (always use the default mTLS endpoint), “never” (always use the default regular endpoint) and “auto” (auto switch to the default mTLS endpoint if client certificate is present, this is the default value). However, the api_endpoint property takes precedence if provided. (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is “true”, then the client_cert_source property can be used to provide client certificate for mutual TLS transport. If not provided, the default SSL client certificate will be used if present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is “false” or not set, no client certificate will be used.

Raises

google.auth.exceptions.MutualTlsChannelError – If mutual TLS transport creation failed for any reason.

async asymmetric_decrypt(request: Optional[google.cloud.kms_v1.types.service.AsymmetricDecryptRequest] = None, *, name: Optional[str] = None, ciphertext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.AsymmetricDecryptResponse[source]

Decrypts data that was encrypted with a public key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey] corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_DECRYPT.

Parameters
  • request (google.cloud.kms_v1.types.AsymmetricDecryptRequest) – The request object. Request message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].

  • name (str) –

    Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for decryption.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • ciphertext (bytes) –

    Required. The data encrypted with the named [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]’s public key using OAEP.

    This corresponds to the ciphertext field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].

Return type

google.cloud.kms_v1.types.AsymmetricDecryptResponse

async asymmetric_sign(request: Optional[google.cloud.kms_v1.types.service.AsymmetricSignRequest] = None, *, name: Optional[str] = None, digest: Optional[google.cloud.kms_v1.types.service.Digest] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.AsymmetricSignResponse[source]

Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].

Parameters
  • request (google.cloud.kms_v1.types.AsymmetricSignRequest) – The request object. Request message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].

  • name (str) –

    Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for signing.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • digest (google.cloud.kms_v1.types.Digest) –

    Required. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version’s [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].

    This corresponds to the digest field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].

Return type

google.cloud.kms_v1.types.AsymmetricSignResponse

static common_billing_account_path(billing_account: str) str

Returns a fully-qualified billing_account string.

static common_folder_path(folder: str) str

Returns a fully-qualified folder string.

static common_location_path(project: str, location: str) str

Returns a fully-qualified location string.

static common_organization_path(organization: str) str

Returns a fully-qualified organization string.

static common_project_path(project: str) str

Returns a fully-qualified project string.

async create_crypto_key(request: Optional[google.cloud.kms_v1.types.service.CreateCryptoKeyRequest] = None, *, parent: Optional[str] = None, crypto_key_id: Optional[str] = None, crypto_key: Optional[google.cloud.kms_v1.types.resources.CryptoKey] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKey[source]

Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a [KeyRing][google.cloud.kms.v1.KeyRing].

[CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm] are required.

Parameters
  • request (google.cloud.kms_v1.types.CreateCryptoKeyRequest) – The request object. Request message for [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].

  • parent (str) –

    Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey].

    This corresponds to the parent field on the request instance; if request is provided, this should not be set.

  • crypto_key_id (str) –

    Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

    This corresponds to the crypto_key_id field on the request instance; if request is provided, this should not be set.

  • crypto_key (google.cloud.kms_v1.types.CryptoKey) –

    Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field values.

    This corresponds to the crypto_key field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic

operations.

A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.

Return type

google.cloud.kms_v1.types.CryptoKey

async create_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.CreateCryptoKeyVersionRequest] = None, *, parent: Optional[str] = None, crypto_key_version: Optional[google.cloud.kms_v1.types.resources.CryptoKeyVersion] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion[source]

Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a [CryptoKey][google.cloud.kms.v1.CryptoKey].

The server will assign the next sequential id. If unset, [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].

Parameters
  • request (google.cloud.kms_v1.types.CreateCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].

  • parent (str) –

    Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].

    This corresponds to the parent field on the request instance; if request is provided, this should not be set.

  • crypto_key_version (google.cloud.kms_v1.types.CryptoKeyVersion) –

    Required. A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with initial field values.

    This corresponds to the crypto_key_version field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the

associated key material.

An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

Return type

google.cloud.kms_v1.types.CryptoKeyVersion

async create_import_job(request: Optional[google.cloud.kms_v1.types.service.CreateImportJobRequest] = None, *, parent: Optional[str] = None, import_job_id: Optional[str] = None, import_job: Optional[google.cloud.kms_v1.types.resources.ImportJob] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.ImportJob[source]

Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a [KeyRing][google.cloud.kms.v1.KeyRing].

[ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is required.

Parameters
  • request (google.cloud.kms_v1.types.CreateImportJobRequest) – The request object. Request message for [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].

  • parent (str) –

    Required. The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] associated with the [ImportJobs][google.cloud.kms.v1.ImportJob].

    This corresponds to the parent field on the request instance; if request is provided, this should not be set.

  • import_job_id (str) –

    Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

    This corresponds to the import_job_id field on the request instance; if request is provided, this should not be set.

  • import_job (google.cloud.kms_v1.types.ImportJob) –

    Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field values.

    This corresponds to the import_job field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and

[CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material, generated outside of Cloud KMS.

When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a “wrapping key”, which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The fetched public key can then be used to wrap your pre-existing key material.

Once the key material is wrapped, it can be imported into a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key.

An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the [ImportJob][google.cloud.kms.v1.ImportJob]’s public key.

For more information, see [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).

Return type

google.cloud.kms_v1.types.ImportJob

async create_key_ring(request: Optional[google.cloud.kms_v1.types.service.CreateKeyRingRequest] = None, *, parent: Optional[str] = None, key_ring_id: Optional[str] = None, key_ring: Optional[google.cloud.kms_v1.types.resources.KeyRing] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.KeyRing[source]

Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and Location.

Parameters
  • request (google.cloud.kms_v1.types.CreateKeyRingRequest) – The request object. Request message for [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].

  • parent (str) –

    Required. The resource name of the location associated with the [KeyRings][google.cloud.kms.v1.KeyRing], in the format projects/*/locations/*.

    This corresponds to the parent field on the request instance; if request is provided, this should not be set.

  • key_ring_id (str) –

    Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}

    This corresponds to the key_ring_id field on the request instance; if request is provided, this should not be set.

  • key_ring (google.cloud.kms_v1.types.KeyRing) –

    Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field values.

    This corresponds to the key_ring field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].

Return type

google.cloud.kms_v1.types.KeyRing

static crypto_key_path(project: str, location: str, key_ring: str, crypto_key: str) str

Returns a fully-qualified crypto_key string.

static crypto_key_version_path(project: str, location: str, key_ring: str, crypto_key: str, crypto_key_version: str) str

Returns a fully-qualified crypto_key_version string.

async decrypt(request: Optional[google.cloud.kms_v1.types.service.DecryptRequest] = None, *, name: Optional[str] = None, ciphertext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.DecryptResponse[source]

Decrypts data that was protected by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].

Parameters
  • request (google.cloud.kms_v1.types.DecryptRequest) – The request object. Request message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].

  • name (str) –

    Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The server will choose the appropriate version.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • ciphertext (bytes) –

    Required. The encrypted data originally returned in [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].

    This corresponds to the ciphertext field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].

Return type

google.cloud.kms_v1.types.DecryptResponse

async destroy_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.DestroyCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion[source]

Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for destruction.

Upon calling this method, [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be set to a time 24 hours in the future, at which point the [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be changed to [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], and the key material will be irrevocably destroyed.

Before the [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is reached, [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] may be called to reverse the process.

Parameters
  • request (google.cloud.kms_v1.types.DestroyCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].

  • name (str) –

    Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the

associated key material.

An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

Return type

google.cloud.kms_v1.types.CryptoKeyVersion

async encrypt(request: Optional[google.cloud.kms_v1.types.service.EncryptRequest] = None, *, name: Optional[str] = None, plaintext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.EncryptResponse[source]

Encrypts data, so that it can only be recovered by a call to [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].

Parameters
  • request (google.cloud.kms_v1.types.EncryptRequest) – The request object. Request message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].

  • name (str) –

    Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] or [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for encryption.

    If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • plaintext (bytes) –

    Required. The data to encrypt. Must be no larger than 64KiB.

    The maximum size depends on the key version’s [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the plaintext must be no larger than 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.

    This corresponds to the plaintext field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].

Return type

google.cloud.kms_v1.types.EncryptResponse

classmethod from_service_account_file(filename: str, *args, **kwargs)[source]
Creates an instance of this client using the provided credentials

file.

Parameters
  • filename (str) – The path to the service account private key json file.

  • args – Additional arguments to pass to the constructor.

  • kwargs – Additional arguments to pass to the constructor.

Returns

The constructed client.

Return type

KeyManagementServiceAsyncClient

classmethod from_service_account_info(info: dict, *args, **kwargs)[source]
Creates an instance of this client using the provided credentials

info.

Parameters
  • info (dict) – The service account private key info.

  • args – Additional arguments to pass to the constructor.

  • kwargs – Additional arguments to pass to the constructor.

Returns

The constructed client.

Return type

KeyManagementServiceAsyncClient

classmethod from_service_account_json(filename: str, *args, **kwargs)
Creates an instance of this client using the provided credentials

file.

Parameters
  • filename (str) – The path to the service account private key json file.

  • args – Additional arguments to pass to the constructor.

  • kwargs – Additional arguments to pass to the constructor.

Returns

The constructed client.

Return type

KeyManagementServiceAsyncClient

async generate_random_bytes(request: Optional[google.cloud.kms_v1.types.service.GenerateRandomBytesRequest] = None, *, location: Optional[str] = None, length_bytes: Optional[int] = None, protection_level: Optional[google.cloud.kms_v1.types.resources.ProtectionLevel] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.GenerateRandomBytesResponse[source]

Generate random bytes using the Cloud KMS randomness source in the provided location.

Parameters
  • request (google.cloud.kms_v1.types.GenerateRandomBytesRequest) – The request object. Request message for [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].

  • location (str) –

    The project-specific location in which to generate random bytes. For example, “projects/my- project/locations/us-central1”.

    This corresponds to the location field on the request instance; if request is provided, this should not be set.

  • length_bytes (int) –

    The length in bytes of the amount of randomness to retrieve. Minimum 8 bytes, maximum 1024 bytes.

    This corresponds to the length_bytes field on the request instance; if request is provided, this should not be set.

  • protection_level (google.cloud.kms_v1.types.ProtectionLevel) –

    The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when generating the random data. Defaults to [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].

    This corresponds to the protection_level field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].

Return type

google.cloud.kms_v1.types.GenerateRandomBytesResponse

async get_crypto_key(request: Optional[google.cloud.kms_v1.types.service.GetCryptoKeyRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKey[source]

Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as well as its [primary][google.cloud.kms.v1.CryptoKey.primary] [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].

Parameters
  • request (google.cloud.kms_v1.types.GetCryptoKeyRequest) – The request object. Request message for [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].

  • name (str) –

    Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic

operations.

A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.

Return type

google.cloud.kms_v1.types.CryptoKey

async get_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.GetCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion[source]

Returns metadata for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].

Parameters
  • request (google.cloud.kms_v1.types.GetCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].

  • name (str) –

    Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the

associated key material.

An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

Return type

google.cloud.kms_v1.types.CryptoKeyVersion

async get_iam_policy(request: Optional[google.iam.v1.iam_policy_pb2.GetIamPolicyRequest] = None, *, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.iam.v1.policy_pb2.Policy[source]

Gets the IAM access control policy for a function.

Returns an empty policy if the function exists and does not have a policy set.

Parameters
  • request (GetIamPolicyRequest) – The request object. Request message for GetIamPolicy method.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. A Policy is a collection of bindings. A binding binds one or more members to a single role. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions (defined by IAM or configured by users). A binding can optionally specify a condition, which is a logic expression that further constrains the role binding based on attributes about the request and/or target resource.

JSON Example:

{
  "bindings": [
    {
      "role": "roles/resourcemanager.organizationAdmin",
      "members": [
        "user:mike@example.com",
        "group:admins@example.com",
        "domain:google.com",
        "serviceAccount:my-project-id@appspot.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/resourcemanager.organizationViewer",
      "members": ["user:eve@example.com"],
      "condition": {
        "title": "expirable access",
        "description": "Does not grant access after Sep 2020",
        "expression": "request.time <
        timestamp('2020-10-01T00:00:00.000Z')",
      }
    }
  ]
}

YAML Example:

bindings:
- members:
  - user:mike@example.com
  - group:admins@example.com
  - domain:google.com
  - serviceAccount:my-project-id@appspot.gserviceaccount.com
  role: roles/resourcemanager.organizationAdmin
- members:
  - user:eve@example.com
  role: roles/resourcemanager.organizationViewer
  condition:
    title: expirable access
    description: Does not grant access after Sep 2020
    expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

For a description of IAM and its features, see the IAM developer’s guide.

Return type

Policy

async get_import_job(request: Optional[google.cloud.kms_v1.types.service.GetImportJobRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.ImportJob[source]

Returns metadata for a given [ImportJob][google.cloud.kms.v1.ImportJob].

Parameters
  • request (google.cloud.kms_v1.types.GetImportJobRequest) – The request object. Request message for [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].

  • name (str) –

    Required. The [name][google.cloud.kms.v1.ImportJob.name] of the [ImportJob][google.cloud.kms.v1.ImportJob] to get.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and

[CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material, generated outside of Cloud KMS.

When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a “wrapping key”, which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The fetched public key can then be used to wrap your pre-existing key material.

Once the key material is wrapped, it can be imported into a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key.

An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the [ImportJob][google.cloud.kms.v1.ImportJob]’s public key.

For more information, see [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).

Return type

google.cloud.kms_v1.types.ImportJob

async get_key_ring(request: Optional[google.cloud.kms_v1.types.service.GetKeyRingRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.KeyRing[source]

Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].

Parameters
  • request (google.cloud.kms_v1.types.GetKeyRingRequest) – The request object. Request message for [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].

  • name (str) –

    Required. The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] to get.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].

Return type

google.cloud.kms_v1.types.KeyRing

async get_public_key(request: Optional[google.cloud.kms_v1.types.service.GetPublicKeyRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.PublicKey[source]

Returns the public key for the given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN] or [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].

Parameters
  • request (google.cloud.kms_v1.types.GetPublicKeyRequest) – The request object. Request message for [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].

  • name (str) –

    Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via

[GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].

Return type

google.cloud.kms_v1.types.PublicKey

get_transport_class() Type[google.cloud.kms_v1.services.key_management_service.transports.base.KeyManagementServiceTransport]

Returns an appropriate transport class.

Parameters

label – The name of the desired transport. If none is provided, then the first transport in the registry is used.

Returns

The transport class to use.

async import_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.ImportCryptoKeyVersionRequest] = None, *, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion[source]

Imports a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] into an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] using the wrapped key material provided in the request.

The version ID will be assigned the next sequential id within the [CryptoKey][google.cloud.kms.v1.CryptoKey].

Parameters
  • request (google.cloud.kms_v1.types.ImportCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the

associated key material.

An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

Return type

google.cloud.kms_v1.types.CryptoKeyVersion

static import_job_path(project: str, location: str, key_ring: str, import_job: str) str

Returns a fully-qualified import_job string.

static key_ring_path(project: str, location: str, key_ring: str) str

Returns a fully-qualified key_ring string.

async list_crypto_key_versions(request: Optional[google.cloud.kms_v1.types.service.ListCryptoKeyVersionsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeyVersionsAsyncPager[source]

Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].

Parameters
  • request (google.cloud.kms_v1.types.ListCryptoKeyVersionsRequest) – The request object. Request message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].

  • parent (str) –

    Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.

    This corresponds to the parent field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].

Iterating over this object will yield results and resolve additional pages automatically.

Return type

google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeyVersionsAsyncPager

async list_crypto_keys(request: Optional[google.cloud.kms_v1.types.service.ListCryptoKeysRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeysAsyncPager[source]

Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].

Parameters
  • request (google.cloud.kms_v1.types.ListCryptoKeysRequest) – The request object. Request message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].

  • parent (str) –

    Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format projects/*/locations/*/keyRings/*.

    This corresponds to the parent field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].

Iterating over this object will yield results and resolve additional pages automatically.

Return type

google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeysAsyncPager

async list_import_jobs(request: Optional[google.cloud.kms_v1.types.service.ListImportJobsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.services.key_management_service.pagers.ListImportJobsAsyncPager[source]

Lists [ImportJobs][google.cloud.kms.v1.ImportJob].

Parameters
  • request (google.cloud.kms_v1.types.ListImportJobsRequest) – The request object. Request message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].

  • parent (str) –

    Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format projects/*/locations/*/keyRings/*.

    This corresponds to the parent field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].

Iterating over this object will yield results and resolve additional pages automatically.

Return type

google.cloud.kms_v1.services.key_management_service.pagers.ListImportJobsAsyncPager

async list_key_rings(request: Optional[google.cloud.kms_v1.types.service.ListKeyRingsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.services.key_management_service.pagers.ListKeyRingsAsyncPager[source]

Lists [KeyRings][google.cloud.kms.v1.KeyRing].

Parameters
  • request (google.cloud.kms_v1.types.ListKeyRingsRequest) – The request object. Request message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].

  • parent (str) –

    Required. The resource name of the location associated with the [KeyRings][google.cloud.kms.v1.KeyRing], in the format projects/*/locations/*.

    This corresponds to the parent field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].

Iterating over this object will yield results and resolve additional pages automatically.

Return type

google.cloud.kms_v1.services.key_management_service.pagers.ListKeyRingsAsyncPager

async mac_sign(request: Optional[google.cloud.kms_v1.types.service.MacSignRequest] = None, *, name: Optional[str] = None, data: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.MacSignResponse[source]

Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, producing a tag that can be verified by another source with the same key.

Parameters
  • request (google.cloud.kms_v1.types.MacSignRequest) – The request object. Request message for [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].

  • name (str) –

    Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for signing.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • data (bytes) –

    Required. The data to sign. The MAC tag is computed over this data field based on the specific algorithm.

    This corresponds to the data field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].

Return type

google.cloud.kms_v1.types.MacSignResponse

async mac_verify(request: Optional[google.cloud.kms_v1.types.service.MacVerifyRequest] = None, *, name: Optional[str] = None, data: Optional[bytes] = None, mac: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.MacVerifyResponse[source]

Verifies MAC tag using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, and returns a response that indicates whether or not the verification was successful.

Parameters
  • request (google.cloud.kms_v1.types.MacVerifyRequest) – The request object. Request message for [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].

  • name (str) –

    Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for verification.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • data (bytes) –

    Required. The data used previously as a [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] to generate the MAC tag.

    This corresponds to the data field on the request instance; if request is provided, this should not be set.

  • mac (bytes) – Required. The signature to verify. This corresponds to the mac field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].

Return type

google.cloud.kms_v1.types.MacVerifyResponse

static parse_common_billing_account_path(path: str) Dict[str, str]

Parse a billing_account path into its component segments.

static parse_common_folder_path(path: str) Dict[str, str]

Parse a folder path into its component segments.

static parse_common_location_path(path: str) Dict[str, str]

Parse a location path into its component segments.

static parse_common_organization_path(path: str) Dict[str, str]

Parse a organization path into its component segments.

static parse_common_project_path(path: str) Dict[str, str]

Parse a project path into its component segments.

static parse_crypto_key_path(path: str) Dict[str, str]

Parses a crypto_key path into its component segments.

static parse_crypto_key_version_path(path: str) Dict[str, str]

Parses a crypto_key_version path into its component segments.

static parse_import_job_path(path: str) Dict[str, str]

Parses a import_job path into its component segments.

static parse_key_ring_path(path: str) Dict[str, str]

Parses a key_ring path into its component segments.

static parse_public_key_path(path: str) Dict[str, str]

Parses a public_key path into its component segments.

static public_key_path(project: str, location: str, key_ring: str, crypto_key: str, crypto_key_version: str) str

Returns a fully-qualified public_key string.

async restore_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.RestoreCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion[source]

Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] state.

Upon restoration of the CryptoKeyVersion, [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED], and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be cleared.

Parameters
  • request (google.cloud.kms_v1.types.RestoreCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].

  • name (str) –

    Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the

associated key material.

An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

Return type

google.cloud.kms_v1.types.CryptoKeyVersion

async set_iam_policy(request: Optional[google.iam.v1.iam_policy_pb2.SetIamPolicyRequest] = None, *, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.iam.v1.policy_pb2.Policy[source]

Sets the IAM access control policy on the specified function.

Replaces any existing policy.

Parameters
  • request (SetIamPolicyRequest) – The request object. Request message for SetIamPolicy method.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. A Policy is a collection of bindings. A binding binds one or more members to a single role. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions (defined by IAM or configured by users). A binding can optionally specify a condition, which is a logic expression that further constrains the role binding based on attributes about the request and/or target resource.

JSON Example:

{
  "bindings": [
    {
      "role": "roles/resourcemanager.organizationAdmin",
      "members": [
        "user:mike@example.com",
        "group:admins@example.com",
        "domain:google.com",
        "serviceAccount:my-project-id@appspot.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/resourcemanager.organizationViewer",
      "members": ["user:eve@example.com"],
      "condition": {
        "title": "expirable access",
        "description": "Does not grant access after Sep 2020",
        "expression": "request.time <
        timestamp('2020-10-01T00:00:00.000Z')",
      }
    }
  ]
}

YAML Example:

bindings:
- members:
  - user:mike@example.com
  - group:admins@example.com
  - domain:google.com
  - serviceAccount:my-project-id@appspot.gserviceaccount.com
  role: roles/resourcemanager.organizationAdmin
- members:
  - user:eve@example.com
  role: roles/resourcemanager.organizationViewer
  condition:
    title: expirable access
    description: Does not grant access after Sep 2020
    expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

For a description of IAM and its features, see the IAM developer’s guide.

Return type

Policy

async test_iam_permissions(request: Optional[google.iam.v1.iam_policy_pb2.TestIamPermissionsRequest] = None, *, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.iam.v1.iam_policy_pb2.TestIamPermissionsResponse[source]
Tests the specified permissions against the IAM access control

policy for a function.

If the function does not exist, this will return an empty set of permissions, not a NOT_FOUND error.

Parameters
  • request (TestIamPermissionsRequest) – The request object. Request message for TestIamPermissions method.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for TestIamPermissions method.

Return type

PolicyTestIamPermissionsResponse

property transport: google.cloud.kms_v1.services.key_management_service.transports.base.KeyManagementServiceTransport

Returns the transport used by the client instance.

Returns

The transport used by the client instance.

Return type

KeyManagementServiceTransport

async update_crypto_key(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyRequest] = None, *, crypto_key: Optional[google.cloud.kms_v1.types.resources.CryptoKey] = None, update_mask: Optional[google.protobuf.field_mask_pb2.FieldMask] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKey[source]

Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].

Parameters
  • request (google.cloud.kms_v1.types.UpdateCryptoKeyRequest) – The request object. Request message for [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].

  • crypto_key (google.cloud.kms_v1.types.CryptoKey) –

    Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.

    This corresponds to the crypto_key field on the request instance; if request is provided, this should not be set.

  • update_mask (google.protobuf.field_mask_pb2.FieldMask) –

    Required. List of fields to be updated in this request.

    This corresponds to the update_mask field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic

operations.

A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.

Return type

google.cloud.kms_v1.types.CryptoKey

async update_crypto_key_primary_version(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyPrimaryVersionRequest] = None, *, name: Optional[str] = None, crypto_key_version_id: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKey[source]

Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].

Returns an error if called on a key whose purpose is not [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].

Parameters
  • request (google.cloud.kms_v1.types.UpdateCryptoKeyPrimaryVersionRequest) – The request object. Request message for [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].

  • name (str) –

    Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • crypto_key_version_id (str) –

    Required. The id of the child [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.

    This corresponds to the crypto_key_version_id field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic

operations.

A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.

Return type

google.cloud.kms_v1.types.CryptoKey

async update_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyVersionRequest] = None, *, crypto_key_version: Optional[google.cloud.kms_v1.types.resources.CryptoKeyVersion] = None, update_mask: Optional[google.protobuf.field_mask_pb2.FieldMask] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion[source]

Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]’s metadata.

[state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] and [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] using this method. See [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion] and [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] to move between other states.

Parameters
  • request (google.cloud.kms_v1.types.UpdateCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].

  • crypto_key_version (google.cloud.kms_v1.types.CryptoKeyVersion) –

    Required. [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with updated values.

    This corresponds to the crypto_key_version field on the request instance; if request is provided, this should not be set.

  • update_mask (google.protobuf.field_mask_pb2.FieldMask) –

    Required. List of fields to be updated in this request.

    This corresponds to the update_mask field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the

associated key material.

An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

Return type

google.cloud.kms_v1.types.CryptoKeyVersion

class google.cloud.kms_v1.services.key_management_service.KeyManagementServiceClient(*, credentials: Optional[google.auth.credentials.Credentials] = None, transport: Optional[Union[str, google.cloud.kms_v1.services.key_management_service.transports.base.KeyManagementServiceTransport]] = None, client_options: Optional[google.api_core.client_options.ClientOptions] = None, client_info: google.api_core.gapic_v1.client_info.ClientInfo = <google.api_core.gapic_v1.client_info.ClientInfo object>)[source]

Google Cloud Key Management Service

Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:

  • [KeyRing][google.cloud.kms.v1.KeyRing]

  • [CryptoKey][google.cloud.kms.v1.CryptoKey]

  • [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]

  • [ImportJob][google.cloud.kms.v1.ImportJob]

If you are using manual gRPC libraries, see Using gRPC with Cloud KMS.

Instantiates the key management service client.

Parameters
  • credentials (Optional[google.auth.credentials.Credentials]) – The authorization credentials to attach to requests. These credentials identify the application to the service; if none are specified, the client will attempt to ascertain the credentials from the environment.

  • transport (Union[str, KeyManagementServiceTransport]) – The transport to use. If set to None, a transport is chosen automatically.

  • client_options (google.api_core.client_options.ClientOptions) – Custom options for the client. It won’t take effect if a transport instance is provided. (1) The api_endpoint property can be used to override the default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT environment variable can also be used to override the endpoint: “always” (always use the default mTLS endpoint), “never” (always use the default regular endpoint) and “auto” (auto switch to the default mTLS endpoint if client certificate is present, this is the default value). However, the api_endpoint property takes precedence if provided. (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is “true”, then the client_cert_source property can be used to provide client certificate for mutual TLS transport. If not provided, the default SSL client certificate will be used if present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is “false” or not set, no client certificate will be used.

  • client_info (google.api_core.gapic_v1.client_info.ClientInfo) – The client info used to send a user-agent string along with API requests. If None, then default info will be used. Generally, you only need to set this if you’re developing your own client library.

Raises

google.auth.exceptions.MutualTLSChannelError – If mutual TLS transport creation failed for any reason.

asymmetric_decrypt(request: Optional[google.cloud.kms_v1.types.service.AsymmetricDecryptRequest] = None, *, name: Optional[str] = None, ciphertext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.AsymmetricDecryptResponse[source]

Decrypts data that was encrypted with a public key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey] corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_DECRYPT.

Parameters
  • request (google.cloud.kms_v1.types.AsymmetricDecryptRequest) – The request object. Request message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].

  • name (str) –

    Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for decryption.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • ciphertext (bytes) –

    Required. The data encrypted with the named [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]’s public key using OAEP.

    This corresponds to the ciphertext field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].

Return type

google.cloud.kms_v1.types.AsymmetricDecryptResponse

asymmetric_sign(request: Optional[google.cloud.kms_v1.types.service.AsymmetricSignRequest] = None, *, name: Optional[str] = None, digest: Optional[google.cloud.kms_v1.types.service.Digest] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.AsymmetricSignResponse[source]

Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].

Parameters
  • request (google.cloud.kms_v1.types.AsymmetricSignRequest) – The request object. Request message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].

  • name (str) –

    Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for signing.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • digest (google.cloud.kms_v1.types.Digest) –

    Required. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version’s [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].

    This corresponds to the digest field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].

Return type

google.cloud.kms_v1.types.AsymmetricSignResponse

static common_billing_account_path(billing_account: str) str[source]

Returns a fully-qualified billing_account string.

static common_folder_path(folder: str) str[source]

Returns a fully-qualified folder string.

static common_location_path(project: str, location: str) str[source]

Returns a fully-qualified location string.

static common_organization_path(organization: str) str[source]

Returns a fully-qualified organization string.

static common_project_path(project: str) str[source]

Returns a fully-qualified project string.

create_crypto_key(request: Optional[google.cloud.kms_v1.types.service.CreateCryptoKeyRequest] = None, *, parent: Optional[str] = None, crypto_key_id: Optional[str] = None, crypto_key: Optional[google.cloud.kms_v1.types.resources.CryptoKey] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKey[source]

Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a [KeyRing][google.cloud.kms.v1.KeyRing].

[CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm] are required.

Parameters
  • request (google.cloud.kms_v1.types.CreateCryptoKeyRequest) – The request object. Request message for [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].

  • parent (str) –

    Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey].

    This corresponds to the parent field on the request instance; if request is provided, this should not be set.

  • crypto_key_id (str) –

    Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

    This corresponds to the crypto_key_id field on the request instance; if request is provided, this should not be set.

  • crypto_key (google.cloud.kms_v1.types.CryptoKey) –

    Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field values.

    This corresponds to the crypto_key field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic

operations.

A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.

Return type

google.cloud.kms_v1.types.CryptoKey

create_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.CreateCryptoKeyVersionRequest] = None, *, parent: Optional[str] = None, crypto_key_version: Optional[google.cloud.kms_v1.types.resources.CryptoKeyVersion] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion[source]

Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a [CryptoKey][google.cloud.kms.v1.CryptoKey].

The server will assign the next sequential id. If unset, [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].

Parameters
  • request (google.cloud.kms_v1.types.CreateCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].

  • parent (str) –

    Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].

    This corresponds to the parent field on the request instance; if request is provided, this should not be set.

  • crypto_key_version (google.cloud.kms_v1.types.CryptoKeyVersion) –

    Required. A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with initial field values.

    This corresponds to the crypto_key_version field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the

associated key material.

An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

Return type

google.cloud.kms_v1.types.CryptoKeyVersion

create_import_job(request: Optional[google.cloud.kms_v1.types.service.CreateImportJobRequest] = None, *, parent: Optional[str] = None, import_job_id: Optional[str] = None, import_job: Optional[google.cloud.kms_v1.types.resources.ImportJob] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.ImportJob[source]

Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a [KeyRing][google.cloud.kms.v1.KeyRing].

[ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is required.

Parameters
  • request (google.cloud.kms_v1.types.CreateImportJobRequest) – The request object. Request message for [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].

  • parent (str) –

    Required. The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] associated with the [ImportJobs][google.cloud.kms.v1.ImportJob].

    This corresponds to the parent field on the request instance; if request is provided, this should not be set.

  • import_job_id (str) –

    Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

    This corresponds to the import_job_id field on the request instance; if request is provided, this should not be set.

  • import_job (google.cloud.kms_v1.types.ImportJob) –

    Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field values.

    This corresponds to the import_job field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and

[CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material, generated outside of Cloud KMS.

When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a “wrapping key”, which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The fetched public key can then be used to wrap your pre-existing key material.

Once the key material is wrapped, it can be imported into a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key.

An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the [ImportJob][google.cloud.kms.v1.ImportJob]’s public key.

For more information, see [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).

Return type

google.cloud.kms_v1.types.ImportJob

create_key_ring(request: Optional[google.cloud.kms_v1.types.service.CreateKeyRingRequest] = None, *, parent: Optional[str] = None, key_ring_id: Optional[str] = None, key_ring: Optional[google.cloud.kms_v1.types.resources.KeyRing] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.KeyRing[source]

Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and Location.

Parameters
  • request (google.cloud.kms_v1.types.CreateKeyRingRequest) – The request object. Request message for [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].

  • parent (str) –

    Required. The resource name of the location associated with the [KeyRings][google.cloud.kms.v1.KeyRing], in the format projects/*/locations/*.

    This corresponds to the parent field on the request instance; if request is provided, this should not be set.

  • key_ring_id (str) –

    Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}

    This corresponds to the key_ring_id field on the request instance; if request is provided, this should not be set.

  • key_ring (google.cloud.kms_v1.types.KeyRing) –

    Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field values.

    This corresponds to the key_ring field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].

Return type

google.cloud.kms_v1.types.KeyRing

static crypto_key_path(project: str, location: str, key_ring: str, crypto_key: str) str[source]

Returns a fully-qualified crypto_key string.

static crypto_key_version_path(project: str, location: str, key_ring: str, crypto_key: str, crypto_key_version: str) str[source]

Returns a fully-qualified crypto_key_version string.

decrypt(request: Optional[google.cloud.kms_v1.types.service.DecryptRequest] = None, *, name: Optional[str] = None, ciphertext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.DecryptResponse[source]

Decrypts data that was protected by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].

Parameters
  • request (google.cloud.kms_v1.types.DecryptRequest) – The request object. Request message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].

  • name (str) –

    Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The server will choose the appropriate version.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • ciphertext (bytes) –

    Required. The encrypted data originally returned in [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].

    This corresponds to the ciphertext field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].

Return type

google.cloud.kms_v1.types.DecryptResponse

destroy_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.DestroyCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion[source]

Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for destruction.

Upon calling this method, [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be set to a time 24 hours in the future, at which point the [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be changed to [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], and the key material will be irrevocably destroyed.

Before the [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is reached, [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] may be called to reverse the process.

Parameters
  • request (google.cloud.kms_v1.types.DestroyCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].

  • name (str) –

    Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the

associated key material.

An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

Return type

google.cloud.kms_v1.types.CryptoKeyVersion

encrypt(request: Optional[google.cloud.kms_v1.types.service.EncryptRequest] = None, *, name: Optional[str] = None, plaintext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.EncryptResponse[source]

Encrypts data, so that it can only be recovered by a call to [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].

Parameters
  • request (google.cloud.kms_v1.types.EncryptRequest) – The request object. Request message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].

  • name (str) –

    Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] or [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for encryption.

    If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • plaintext (bytes) –

    Required. The data to encrypt. Must be no larger than 64KiB.

    The maximum size depends on the key version’s [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the plaintext must be no larger than 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.

    This corresponds to the plaintext field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].

Return type

google.cloud.kms_v1.types.EncryptResponse

classmethod from_service_account_file(filename: str, *args, **kwargs)[source]
Creates an instance of this client using the provided credentials

file.

Parameters
  • filename (str) – The path to the service account private key json file.

  • args – Additional arguments to pass to the constructor.

  • kwargs – Additional arguments to pass to the constructor.

Returns

The constructed client.

Return type

KeyManagementServiceClient

classmethod from_service_account_info(info: dict, *args, **kwargs)[source]
Creates an instance of this client using the provided credentials

info.

Parameters
  • info (dict) – The service account private key info.

  • args – Additional arguments to pass to the constructor.

  • kwargs – Additional arguments to pass to the constructor.

Returns

The constructed client.

Return type

KeyManagementServiceClient

classmethod from_service_account_json(filename: str, *args, **kwargs)
Creates an instance of this client using the provided credentials

file.

Parameters
  • filename (str) – The path to the service account private key json file.

  • args – Additional arguments to pass to the constructor.

  • kwargs – Additional arguments to pass to the constructor.

Returns

The constructed client.

Return type

KeyManagementServiceClient

generate_random_bytes(request: Optional[google.cloud.kms_v1.types.service.GenerateRandomBytesRequest] = None, *, location: Optional[str] = None, length_bytes: Optional[int] = None, protection_level: Optional[google.cloud.kms_v1.types.resources.ProtectionLevel] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.GenerateRandomBytesResponse[source]

Generate random bytes using the Cloud KMS randomness source in the provided location.

Parameters
  • request (google.cloud.kms_v1.types.GenerateRandomBytesRequest) – The request object. Request message for [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].

  • location (str) –

    The project-specific location in which to generate random bytes. For example, “projects/my- project/locations/us-central1”.

    This corresponds to the location field on the request instance; if request is provided, this should not be set.

  • length_bytes (int) –

    The length in bytes of the amount of randomness to retrieve. Minimum 8 bytes, maximum 1024 bytes.

    This corresponds to the length_bytes field on the request instance; if request is provided, this should not be set.

  • protection_level (google.cloud.kms_v1.types.ProtectionLevel) –

    The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when generating the random data. Defaults to [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].

    This corresponds to the protection_level field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].

Return type

google.cloud.kms_v1.types.GenerateRandomBytesResponse

get_crypto_key(request: Optional[google.cloud.kms_v1.types.service.GetCryptoKeyRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKey[source]

Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as well as its [primary][google.cloud.kms.v1.CryptoKey.primary] [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].

Parameters
  • request (google.cloud.kms_v1.types.GetCryptoKeyRequest) – The request object. Request message for [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].

  • name (str) –

    Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic

operations.

A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.

Return type

google.cloud.kms_v1.types.CryptoKey

get_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.GetCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion[source]

Returns metadata for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].

Parameters
  • request (google.cloud.kms_v1.types.GetCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].

  • name (str) –

    Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the

associated key material.

An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

Return type

google.cloud.kms_v1.types.CryptoKeyVersion

get_iam_policy(request: Optional[google.iam.v1.iam_policy_pb2.GetIamPolicyRequest] = None, *, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.iam.v1.policy_pb2.Policy[source]

Gets the IAM access control policy for a function.

Returns an empty policy if the function exists and does not have a policy set.

Parameters
  • request (GetIamPolicyRequest) – The request object. Request message for GetIamPolicy method.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. A Policy is a collection of bindings. A binding binds one or more members to a single role. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions (defined by IAM or configured by users). A binding can optionally specify a condition, which is a logic expression that further constrains the role binding based on attributes about the request and/or target resource.

JSON Example:

{
  "bindings": [
    {
      "role": "roles/resourcemanager.organizationAdmin",
      "members": [
        "user:mike@example.com",
        "group:admins@example.com",
        "domain:google.com",
        "serviceAccount:my-project-id@appspot.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/resourcemanager.organizationViewer",
      "members": ["user:eve@example.com"],
      "condition": {
        "title": "expirable access",
        "description": "Does not grant access after Sep 2020",
        "expression": "request.time <
        timestamp('2020-10-01T00:00:00.000Z')",
      }
    }
  ]
}

YAML Example:

bindings:
- members:
  - user:mike@example.com
  - group:admins@example.com
  - domain:google.com
  - serviceAccount:my-project-id@appspot.gserviceaccount.com
  role: roles/resourcemanager.organizationAdmin
- members:
  - user:eve@example.com
  role: roles/resourcemanager.organizationViewer
  condition:
    title: expirable access
    description: Does not grant access after Sep 2020
    expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

For a description of IAM and its features, see the IAM developer’s guide.

Return type

Policy

get_import_job(request: Optional[google.cloud.kms_v1.types.service.GetImportJobRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.ImportJob[source]

Returns metadata for a given [ImportJob][google.cloud.kms.v1.ImportJob].

Parameters
  • request (google.cloud.kms_v1.types.GetImportJobRequest) – The request object. Request message for [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].

  • name (str) –

    Required. The [name][google.cloud.kms.v1.ImportJob.name] of the [ImportJob][google.cloud.kms.v1.ImportJob] to get.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and

[CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material, generated outside of Cloud KMS.

When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a “wrapping key”, which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The fetched public key can then be used to wrap your pre-existing key material.

Once the key material is wrapped, it can be imported into a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key.

An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the [ImportJob][google.cloud.kms.v1.ImportJob]’s public key.

For more information, see [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).

Return type

google.cloud.kms_v1.types.ImportJob

get_key_ring(request: Optional[google.cloud.kms_v1.types.service.GetKeyRingRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.KeyRing[source]

Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].

Parameters
  • request (google.cloud.kms_v1.types.GetKeyRingRequest) – The request object. Request message for [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].

  • name (str) –

    Required. The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] to get.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].

Return type

google.cloud.kms_v1.types.KeyRing

get_public_key(request: Optional[google.cloud.kms_v1.types.service.GetPublicKeyRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.PublicKey[source]

Returns the public key for the given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN] or [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].

Parameters
  • request (google.cloud.kms_v1.types.GetPublicKeyRequest) – The request object. Request message for [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].

  • name (str) –

    Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via

[GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].

Return type

google.cloud.kms_v1.types.PublicKey

import_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.ImportCryptoKeyVersionRequest] = None, *, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion[source]

Imports a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] into an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] using the wrapped key material provided in the request.

The version ID will be assigned the next sequential id within the [CryptoKey][google.cloud.kms.v1.CryptoKey].

Parameters
  • request (google.cloud.kms_v1.types.ImportCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the

associated key material.

An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

Return type

google.cloud.kms_v1.types.CryptoKeyVersion

static import_job_path(project: str, location: str, key_ring: str, import_job: str) str[source]

Returns a fully-qualified import_job string.

static key_ring_path(project: str, location: str, key_ring: str) str[source]

Returns a fully-qualified key_ring string.

list_crypto_key_versions(request: Optional[google.cloud.kms_v1.types.service.ListCryptoKeyVersionsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeyVersionsPager[source]

Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].

Parameters
  • request (google.cloud.kms_v1.types.ListCryptoKeyVersionsRequest) – The request object. Request message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].

  • parent (str) –

    Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.

    This corresponds to the parent field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].

Iterating over this object will yield results and resolve additional pages automatically.

Return type

google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeyVersionsPager

list_crypto_keys(request: Optional[google.cloud.kms_v1.types.service.ListCryptoKeysRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeysPager[source]

Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].

Parameters
  • request (google.cloud.kms_v1.types.ListCryptoKeysRequest) – The request object. Request message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].

  • parent (str) –

    Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format projects/*/locations/*/keyRings/*.

    This corresponds to the parent field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].

Iterating over this object will yield results and resolve additional pages automatically.

Return type

google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeysPager

list_import_jobs(request: Optional[google.cloud.kms_v1.types.service.ListImportJobsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.services.key_management_service.pagers.ListImportJobsPager[source]

Lists [ImportJobs][google.cloud.kms.v1.ImportJob].

Parameters
  • request (google.cloud.kms_v1.types.ListImportJobsRequest) – The request object. Request message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].

  • parent (str) –

    Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format projects/*/locations/*/keyRings/*.

    This corresponds to the parent field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].

Iterating over this object will yield results and resolve additional pages automatically.

Return type

google.cloud.kms_v1.services.key_management_service.pagers.ListImportJobsPager

list_key_rings(request: Optional[google.cloud.kms_v1.types.service.ListKeyRingsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.services.key_management_service.pagers.ListKeyRingsPager[source]

Lists [KeyRings][google.cloud.kms.v1.KeyRing].

Parameters
  • request (google.cloud.kms_v1.types.ListKeyRingsRequest) – The request object. Request message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].

  • parent (str) –

    Required. The resource name of the location associated with the [KeyRings][google.cloud.kms.v1.KeyRing], in the format projects/*/locations/*.

    This corresponds to the parent field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].

Iterating over this object will yield results and resolve additional pages automatically.

Return type

google.cloud.kms_v1.services.key_management_service.pagers.ListKeyRingsPager

mac_sign(request: Optional[google.cloud.kms_v1.types.service.MacSignRequest] = None, *, name: Optional[str] = None, data: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.MacSignResponse[source]

Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, producing a tag that can be verified by another source with the same key.

Parameters
  • request (google.cloud.kms_v1.types.MacSignRequest) – The request object. Request message for [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].

  • name (str) –

    Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for signing.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • data (bytes) –

    Required. The data to sign. The MAC tag is computed over this data field based on the specific algorithm.

    This corresponds to the data field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].

Return type

google.cloud.kms_v1.types.MacSignResponse

mac_verify(request: Optional[google.cloud.kms_v1.types.service.MacVerifyRequest] = None, *, name: Optional[str] = None, data: Optional[bytes] = None, mac: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.MacVerifyResponse[source]

Verifies MAC tag using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, and returns a response that indicates whether or not the verification was successful.

Parameters
  • request (google.cloud.kms_v1.types.MacVerifyRequest) – The request object. Request message for [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].

  • name (str) –

    Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for verification.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • data (bytes) –

    Required. The data used previously as a [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] to generate the MAC tag.

    This corresponds to the data field on the request instance; if request is provided, this should not be set.

  • mac (bytes) – Required. The signature to verify. This corresponds to the mac field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].

Return type

google.cloud.kms_v1.types.MacVerifyResponse

static parse_common_billing_account_path(path: str) Dict[str, str][source]

Parse a billing_account path into its component segments.

static parse_common_folder_path(path: str) Dict[str, str][source]

Parse a folder path into its component segments.

static parse_common_location_path(path: str) Dict[str, str][source]

Parse a location path into its component segments.

static parse_common_organization_path(path: str) Dict[str, str][source]

Parse a organization path into its component segments.

static parse_common_project_path(path: str) Dict[str, str][source]

Parse a project path into its component segments.

static parse_crypto_key_path(path: str) Dict[str, str][source]

Parses a crypto_key path into its component segments.

static parse_crypto_key_version_path(path: str) Dict[str, str][source]

Parses a crypto_key_version path into its component segments.

static parse_import_job_path(path: str) Dict[str, str][source]

Parses a import_job path into its component segments.

static parse_key_ring_path(path: str) Dict[str, str][source]

Parses a key_ring path into its component segments.

static parse_public_key_path(path: str) Dict[str, str][source]

Parses a public_key path into its component segments.

static public_key_path(project: str, location: str, key_ring: str, crypto_key: str, crypto_key_version: str) str[source]

Returns a fully-qualified public_key string.

restore_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.RestoreCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion[source]

Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] state.

Upon restoration of the CryptoKeyVersion, [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED], and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be cleared.

Parameters
  • request (google.cloud.kms_v1.types.RestoreCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].

  • name (str) –

    Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the

associated key material.

An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

Return type

google.cloud.kms_v1.types.CryptoKeyVersion

set_iam_policy(request: Optional[google.iam.v1.iam_policy_pb2.SetIamPolicyRequest] = None, *, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.iam.v1.policy_pb2.Policy[source]

Sets the IAM access control policy on the specified function.

Replaces any existing policy.

Parameters
  • request (SetIamPolicyRequest) – The request object. Request message for SetIamPolicy method.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. A Policy is a collection of bindings. A binding binds one or more members to a single role. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions (defined by IAM or configured by users). A binding can optionally specify a condition, which is a logic expression that further constrains the role binding based on attributes about the request and/or target resource.

JSON Example:

{
  "bindings": [
    {
      "role": "roles/resourcemanager.organizationAdmin",
      "members": [
        "user:mike@example.com",
        "group:admins@example.com",
        "domain:google.com",
        "serviceAccount:my-project-id@appspot.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/resourcemanager.organizationViewer",
      "members": ["user:eve@example.com"],
      "condition": {
        "title": "expirable access",
        "description": "Does not grant access after Sep 2020",
        "expression": "request.time <
        timestamp('2020-10-01T00:00:00.000Z')",
      }
    }
  ]
}

YAML Example:

bindings:
- members:
  - user:mike@example.com
  - group:admins@example.com
  - domain:google.com
  - serviceAccount:my-project-id@appspot.gserviceaccount.com
  role: roles/resourcemanager.organizationAdmin
- members:
  - user:eve@example.com
  role: roles/resourcemanager.organizationViewer
  condition:
    title: expirable access
    description: Does not grant access after Sep 2020
    expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

For a description of IAM and its features, see the IAM developer’s guide.

Return type

Policy

test_iam_permissions(request: Optional[google.iam.v1.iam_policy_pb2.TestIamPermissionsRequest] = None, *, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.iam.v1.iam_policy_pb2.TestIamPermissionsResponse[source]
Tests the specified IAM permissions against the IAM access control

policy for a function.

If the function does not exist, this will return an empty set of permissions, not a NOT_FOUND error.

Parameters
  • request (TestIamPermissionsRequest) – The request object. Request message for TestIamPermissions method.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

Response message for TestIamPermissions method.

Return type

TestIamPermissionsResponse

property transport: google.cloud.kms_v1.services.key_management_service.transports.base.KeyManagementServiceTransport

Returns the transport used by the client instance.

Returns

The transport used by the client

instance.

Return type

KeyManagementServiceTransport

update_crypto_key(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyRequest] = None, *, crypto_key: Optional[google.cloud.kms_v1.types.resources.CryptoKey] = None, update_mask: Optional[google.protobuf.field_mask_pb2.FieldMask] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKey[source]

Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].

Parameters
  • request (google.cloud.kms_v1.types.UpdateCryptoKeyRequest) – The request object. Request message for [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].

  • crypto_key (google.cloud.kms_v1.types.CryptoKey) –

    Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.

    This corresponds to the crypto_key field on the request instance; if request is provided, this should not be set.

  • update_mask (google.protobuf.field_mask_pb2.FieldMask) –

    Required. List of fields to be updated in this request.

    This corresponds to the update_mask field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic

operations.

A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.

Return type

google.cloud.kms_v1.types.CryptoKey

update_crypto_key_primary_version(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyPrimaryVersionRequest] = None, *, name: Optional[str] = None, crypto_key_version_id: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKey[source]

Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].

Returns an error if called on a key whose purpose is not [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].

Parameters
  • request (google.cloud.kms_v1.types.UpdateCryptoKeyPrimaryVersionRequest) – The request object. Request message for [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].

  • name (str) –

    Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.

    This corresponds to the name field on the request instance; if request is provided, this should not be set.

  • crypto_key_version_id (str) –

    Required. The id of the child [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.

    This corresponds to the crypto_key_version_id field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic

operations.

A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.

Return type

google.cloud.kms_v1.types.CryptoKey

update_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyVersionRequest] = None, *, crypto_key_version: Optional[google.cloud.kms_v1.types.resources.CryptoKeyVersion] = None, update_mask: Optional[google.protobuf.field_mask_pb2.FieldMask] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion[source]

Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]’s metadata.

[state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] and [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] using this method. See [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion] and [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] to move between other states.

Parameters
  • request (google.cloud.kms_v1.types.UpdateCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].

  • crypto_key_version (google.cloud.kms_v1.types.CryptoKeyVersion) –

    Required. [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with updated values.

    This corresponds to the crypto_key_version field on the request instance; if request is provided, this should not be set.

  • update_mask (google.protobuf.field_mask_pb2.FieldMask) –

    Required. List of fields to be updated in this request.

    This corresponds to the update_mask field on the request instance; if request is provided, this should not be set.

  • retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.

  • timeout (float) – The timeout for this request.

  • metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.

Returns

A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the

associated key material.

An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

Return type

google.cloud.kms_v1.types.CryptoKeyVersion

class google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeyVersionsAsyncPager(method: Callable[[...], Awaitable[google.cloud.kms_v1.types.service.ListCryptoKeyVersionsResponse]], request: google.cloud.kms_v1.types.service.ListCryptoKeyVersionsRequest, response: google.cloud.kms_v1.types.service.ListCryptoKeyVersionsResponse, *, metadata: Sequence[Tuple[str, str]] = ())[source]

A pager for iterating through list_crypto_key_versions requests.

This class thinly wraps an initial google.cloud.kms_v1.types.ListCryptoKeyVersionsResponse object, and provides an __aiter__ method to iterate through its crypto_key_versions field.

If there are more pages, the __aiter__ method will make additional ListCryptoKeyVersions requests and continue to iterate through the crypto_key_versions field on the corresponding responses.

All the usual google.cloud.kms_v1.types.ListCryptoKeyVersionsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.

Instantiates the pager.

Parameters
class google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeyVersionsPager(method: Callable[[...], google.cloud.kms_v1.types.service.ListCryptoKeyVersionsResponse], request: google.cloud.kms_v1.types.service.ListCryptoKeyVersionsRequest, response: google.cloud.kms_v1.types.service.ListCryptoKeyVersionsResponse, *, metadata: Sequence[Tuple[str, str]] = ())[source]

A pager for iterating through list_crypto_key_versions requests.

This class thinly wraps an initial google.cloud.kms_v1.types.ListCryptoKeyVersionsResponse object, and provides an __iter__ method to iterate through its crypto_key_versions field.

If there are more pages, the __iter__ method will make additional ListCryptoKeyVersions requests and continue to iterate through the crypto_key_versions field on the corresponding responses.

All the usual google.cloud.kms_v1.types.ListCryptoKeyVersionsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.

Instantiate the pager.

Parameters
class google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeysAsyncPager(method: Callable[[...], Awaitable[google.cloud.kms_v1.types.service.ListCryptoKeysResponse]], request: google.cloud.kms_v1.types.service.ListCryptoKeysRequest, response: google.cloud.kms_v1.types.service.ListCryptoKeysResponse, *, metadata: Sequence[Tuple[str, str]] = ())[source]

A pager for iterating through list_crypto_keys requests.

This class thinly wraps an initial google.cloud.kms_v1.types.ListCryptoKeysResponse object, and provides an __aiter__ method to iterate through its crypto_keys field.

If there are more pages, the __aiter__ method will make additional ListCryptoKeys requests and continue to iterate through the crypto_keys field on the corresponding responses.

All the usual google.cloud.kms_v1.types.ListCryptoKeysResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.

Instantiates the pager.

Parameters
class google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeysPager(method: Callable[[...], google.cloud.kms_v1.types.service.ListCryptoKeysResponse], request: google.cloud.kms_v1.types.service.ListCryptoKeysRequest, response: google.cloud.kms_v1.types.service.ListCryptoKeysResponse, *, metadata: Sequence[Tuple[str, str]] = ())[source]

A pager for iterating through list_crypto_keys requests.

This class thinly wraps an initial google.cloud.kms_v1.types.ListCryptoKeysResponse object, and provides an __iter__ method to iterate through its crypto_keys field.

If there are more pages, the __iter__ method will make additional ListCryptoKeys requests and continue to iterate through the crypto_keys field on the corresponding responses.

All the usual google.cloud.kms_v1.types.ListCryptoKeysResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.

Instantiate the pager.

Parameters
class google.cloud.kms_v1.services.key_management_service.pagers.ListImportJobsAsyncPager(method: Callable[[...], Awaitable[google.cloud.kms_v1.types.service.ListImportJobsResponse]], request: google.cloud.kms_v1.types.service.ListImportJobsRequest, response: google.cloud.kms_v1.types.service.ListImportJobsResponse, *, metadata: Sequence[Tuple[str, str]] = ())[source]

A pager for iterating through list_import_jobs requests.

This class thinly wraps an initial google.cloud.kms_v1.types.ListImportJobsResponse object, and provides an __aiter__ method to iterate through its import_jobs field.

If there are more pages, the __aiter__ method will make additional ListImportJobs requests and continue to iterate through the import_jobs field on the corresponding responses.

All the usual google.cloud.kms_v1.types.ListImportJobsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.

Instantiates the pager.

Parameters
class google.cloud.kms_v1.services.key_management_service.pagers.ListImportJobsPager(method: Callable[[...], google.cloud.kms_v1.types.service.ListImportJobsResponse], request: google.cloud.kms_v1.types.service.ListImportJobsRequest, response: google.cloud.kms_v1.types.service.ListImportJobsResponse, *, metadata: Sequence[Tuple[str, str]] = ())[source]

A pager for iterating through list_import_jobs requests.

This class thinly wraps an initial google.cloud.kms_v1.types.ListImportJobsResponse object, and provides an __iter__ method to iterate through its import_jobs field.

If there are more pages, the __iter__ method will make additional ListImportJobs requests and continue to iterate through the import_jobs field on the corresponding responses.

All the usual google.cloud.kms_v1.types.ListImportJobsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.

Instantiate the pager.

Parameters
class google.cloud.kms_v1.services.key_management_service.pagers.ListKeyRingsAsyncPager(method: Callable[[...], Awaitable[google.cloud.kms_v1.types.service.ListKeyRingsResponse]], request: google.cloud.kms_v1.types.service.ListKeyRingsRequest, response: google.cloud.kms_v1.types.service.ListKeyRingsResponse, *, metadata: Sequence[Tuple[str, str]] = ())[source]

A pager for iterating through list_key_rings requests.

This class thinly wraps an initial google.cloud.kms_v1.types.ListKeyRingsResponse object, and provides an __aiter__ method to iterate through its key_rings field.

If there are more pages, the __aiter__ method will make additional ListKeyRings requests and continue to iterate through the key_rings field on the corresponding responses.

All the usual google.cloud.kms_v1.types.ListKeyRingsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.

Instantiates the pager.

Parameters
class google.cloud.kms_v1.services.key_management_service.pagers.ListKeyRingsPager(method: Callable[[...], google.cloud.kms_v1.types.service.ListKeyRingsResponse], request: google.cloud.kms_v1.types.service.ListKeyRingsRequest, response: google.cloud.kms_v1.types.service.ListKeyRingsResponse, *, metadata: Sequence[Tuple[str, str]] = ())[source]

A pager for iterating through list_key_rings requests.

This class thinly wraps an initial google.cloud.kms_v1.types.ListKeyRingsResponse object, and provides an __iter__ method to iterate through its key_rings field.

If there are more pages, the __iter__ method will make additional ListKeyRings requests and continue to iterate through the key_rings field on the corresponding responses.

All the usual google.cloud.kms_v1.types.ListKeyRingsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.

Instantiate the pager.

Parameters