KeyManagementService¶
- class google.cloud.kms_v1.services.key_management_service.KeyManagementServiceAsyncClient(*, credentials: google.auth.credentials.Credentials = None, transport: Union[str, google.cloud.kms_v1.services.key_management_service.transports.base.KeyManagementServiceTransport] = 'grpc_asyncio', client_options: <module 'google.api_core.client_options' from '/usr/lib/python3.10/site-packages/google/api_core/client_options.py'> = None, client_info: google.api_core.gapic_v1.client_info.ClientInfo = <google.api_core.gapic_v1.client_info.ClientInfo object>)[source]¶
Google Cloud Key Management Service
Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:
[KeyRing][google.cloud.kms.v1.KeyRing]
[CryptoKey][google.cloud.kms.v1.CryptoKey]
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
[ImportJob][google.cloud.kms.v1.ImportJob]
If you are using manual gRPC libraries, see Using gRPC with Cloud KMS.
Instantiates the key management service client.
- Parameters
credentials (Optional[google.auth.credentials.Credentials]) – The authorization credentials to attach to requests. These credentials identify the application to the service; if none are specified, the client will attempt to ascertain the credentials from the environment.
transport (Union[str, KeyManagementServiceTransport]) – The transport to use. If set to None, a transport is chosen automatically.
client_options (ClientOptions) – Custom options for the client. It won’t take effect if a
transport
instance is provided. (1) Theapi_endpoint
property can be used to override the default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT environment variable can also be used to override the endpoint: “always” (always use the default mTLS endpoint), “never” (always use the default regular endpoint) and “auto” (auto switch to the default mTLS endpoint if client certificate is present, this is the default value). However, theapi_endpoint
property takes precedence if provided. (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is “true”, then theclient_cert_source
property can be used to provide client certificate for mutual TLS transport. If not provided, the default SSL client certificate will be used if present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is “false” or not set, no client certificate will be used.
- Raises
google.auth.exceptions.MutualTlsChannelError – If mutual TLS transport creation failed for any reason.
- async asymmetric_decrypt(request: Optional[google.cloud.kms_v1.types.service.AsymmetricDecryptRequest] = None, *, name: Optional[str] = None, ciphertext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.AsymmetricDecryptResponse [source]¶
Decrypts data that was encrypted with a public key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey] corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_DECRYPT.
- Parameters
request (
google.cloud.kms_v1.types.AsymmetricDecryptRequest
) – The request object. Request message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].name (
str
) –Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for decryption.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.ciphertext (
bytes
) –Required. The data encrypted with the named [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]’s public key using OAEP.
This corresponds to the
ciphertext
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
- Return type
- async asymmetric_sign(request: Optional[google.cloud.kms_v1.types.service.AsymmetricSignRequest] = None, *, name: Optional[str] = None, digest: Optional[google.cloud.kms_v1.types.service.Digest] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.AsymmetricSignResponse [source]¶
Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
- Parameters
request (
google.cloud.kms_v1.types.AsymmetricSignRequest
) – The request object. Request message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].name (
str
) –Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for signing.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.digest (
google.cloud.kms_v1.types.Digest
) –Required. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version’s [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
This corresponds to the
digest
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
- Return type
- static common_billing_account_path(billing_account: str) str ¶
Returns a fully-qualified billing_account string.
- static common_folder_path(folder: str) str ¶
Returns a fully-qualified folder string.
- static common_location_path(project: str, location: str) str ¶
Returns a fully-qualified location string.
- static common_organization_path(organization: str) str ¶
Returns a fully-qualified organization string.
- static common_project_path(project: str) str ¶
Returns a fully-qualified project string.
- async create_crypto_key(request: Optional[google.cloud.kms_v1.types.service.CreateCryptoKeyRequest] = None, *, parent: Optional[str] = None, crypto_key_id: Optional[str] = None, crypto_key: Optional[google.cloud.kms_v1.types.resources.CryptoKey] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKey [source]¶
Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a [KeyRing][google.cloud.kms.v1.KeyRing].
[CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm] are required.
- Parameters
request (
google.cloud.kms_v1.types.CreateCryptoKeyRequest
) – The request object. Request message for [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].parent (
str
) –Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey].
This corresponds to the
parent
field on therequest
instance; ifrequest
is provided, this should not be set.crypto_key_id (
str
) –Required. It must be unique within a KeyRing and match the regular expression
[a-zA-Z0-9_-]{1,63}
This corresponds to the
crypto_key_id
field on therequest
instance; ifrequest
is provided, this should not be set.crypto_key (
google.cloud.kms_v1.types.CryptoKey
) –Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field values.
This corresponds to the
crypto_key
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic
operations.
A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.
- Return type
- async create_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.CreateCryptoKeyVersionRequest] = None, *, parent: Optional[str] = None, crypto_key_version: Optional[google.cloud.kms_v1.types.resources.CryptoKeyVersion] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion [source]¶
Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a [CryptoKey][google.cloud.kms.v1.CryptoKey].
The server will assign the next sequential id. If unset, [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
- Parameters
request (
google.cloud.kms_v1.types.CreateCryptoKeyVersionRequest
) – The request object. Request message for [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].parent (
str
) –Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
This corresponds to the
parent
field on therequest
instance; ifrequest
is provided, this should not be set.crypto_key_version (
google.cloud.kms_v1.types.CryptoKeyVersion
) –Required. A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with initial field values.
This corresponds to the
crypto_key_version
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.
For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
- Return type
- async create_import_job(request: Optional[google.cloud.kms_v1.types.service.CreateImportJobRequest] = None, *, parent: Optional[str] = None, import_job_id: Optional[str] = None, import_job: Optional[google.cloud.kms_v1.types.resources.ImportJob] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.ImportJob [source]¶
Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a [KeyRing][google.cloud.kms.v1.KeyRing].
[ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is required.
- Parameters
request (
google.cloud.kms_v1.types.CreateImportJobRequest
) – The request object. Request message for [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].parent (
str
) –Required. The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] associated with the [ImportJobs][google.cloud.kms.v1.ImportJob].
This corresponds to the
parent
field on therequest
instance; ifrequest
is provided, this should not be set.import_job_id (
str
) –Required. It must be unique within a KeyRing and match the regular expression
[a-zA-Z0-9_-]{1,63}
This corresponds to the
import_job_id
field on therequest
instance; ifrequest
is provided, this should not be set.import_job (
google.cloud.kms_v1.types.ImportJob
) –Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field values.
This corresponds to the
import_job
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
[CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material, generated outside of Cloud KMS.
When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a “wrapping key”, which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The fetched public key can then be used to wrap your pre-existing key material.
Once the key material is wrapped, it can be imported into a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key.
An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the [ImportJob][google.cloud.kms.v1.ImportJob]’s public key.
For more information, see [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
- Return type
- async create_key_ring(request: Optional[google.cloud.kms_v1.types.service.CreateKeyRingRequest] = None, *, parent: Optional[str] = None, key_ring_id: Optional[str] = None, key_ring: Optional[google.cloud.kms_v1.types.resources.KeyRing] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.KeyRing [source]¶
Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and Location.
- Parameters
request (
google.cloud.kms_v1.types.CreateKeyRingRequest
) – The request object. Request message for [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].parent (
str
) –Required. The resource name of the location associated with the [KeyRings][google.cloud.kms.v1.KeyRing], in the format
projects/*/locations/*
.This corresponds to the
parent
field on therequest
instance; ifrequest
is provided, this should not be set.key_ring_id (
str
) –Required. It must be unique within a location and match the regular expression
[a-zA-Z0-9_-]{1,63}
This corresponds to the
key_ring_id
field on therequest
instance; ifrequest
is provided, this should not be set.key_ring (
google.cloud.kms_v1.types.KeyRing
) –Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field values.
This corresponds to the
key_ring
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
- Return type
- static crypto_key_path(project: str, location: str, key_ring: str, crypto_key: str) str ¶
Returns a fully-qualified crypto_key string.
- static crypto_key_version_path(project: str, location: str, key_ring: str, crypto_key: str, crypto_key_version: str) str ¶
Returns a fully-qualified crypto_key_version string.
- async decrypt(request: Optional[google.cloud.kms_v1.types.service.DecryptRequest] = None, *, name: Optional[str] = None, ciphertext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.DecryptResponse [source]¶
Decrypts data that was protected by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
- Parameters
request (
google.cloud.kms_v1.types.DecryptRequest
) – The request object. Request message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].name (
str
) –Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The server will choose the appropriate version.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.ciphertext (
bytes
) –Required. The encrypted data originally returned in [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
This corresponds to the
ciphertext
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
- Return type
- async destroy_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.DestroyCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion [source]¶
Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for destruction.
Upon calling this method, [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be set to a time 24 hours in the future, at which point the [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be changed to [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], and the key material will be irrevocably destroyed.
Before the [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is reached, [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] may be called to reverse the process.
- Parameters
request (
google.cloud.kms_v1.types.DestroyCryptoKeyVersionRequest
) – The request object. Request message for [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].name (
str
) –Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.
For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
- Return type
- async encrypt(request: Optional[google.cloud.kms_v1.types.service.EncryptRequest] = None, *, name: Optional[str] = None, plaintext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.EncryptResponse [source]¶
Encrypts data, so that it can only be recovered by a call to [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
- Parameters
request (
google.cloud.kms_v1.types.EncryptRequest
) – The request object. Request message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].name (
str
) –Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] or [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for encryption.
If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.plaintext (
bytes
) –Required. The data to encrypt. Must be no larger than 64KiB.
The maximum size depends on the key version’s [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the plaintext must be no larger than 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.
This corresponds to the
plaintext
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
- Return type
- classmethod from_service_account_file(filename: str, *args, **kwargs)[source]¶
- Creates an instance of this client using the provided credentials
file.
- Parameters
filename (str) – The path to the service account private key json file.
args – Additional arguments to pass to the constructor.
kwargs – Additional arguments to pass to the constructor.
- Returns
The constructed client.
- Return type
- classmethod from_service_account_info(info: dict, *args, **kwargs)[source]¶
- Creates an instance of this client using the provided credentials
info.
- Parameters
info (dict) – The service account private key info.
args – Additional arguments to pass to the constructor.
kwargs – Additional arguments to pass to the constructor.
- Returns
The constructed client.
- Return type
- classmethod from_service_account_json(filename: str, *args, **kwargs)¶
- Creates an instance of this client using the provided credentials
file.
- Parameters
filename (str) – The path to the service account private key json file.
args – Additional arguments to pass to the constructor.
kwargs – Additional arguments to pass to the constructor.
- Returns
The constructed client.
- Return type
- async generate_random_bytes(request: Optional[google.cloud.kms_v1.types.service.GenerateRandomBytesRequest] = None, *, location: Optional[str] = None, length_bytes: Optional[int] = None, protection_level: Optional[google.cloud.kms_v1.types.resources.ProtectionLevel] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.GenerateRandomBytesResponse [source]¶
Generate random bytes using the Cloud KMS randomness source in the provided location.
- Parameters
request (
google.cloud.kms_v1.types.GenerateRandomBytesRequest
) – The request object. Request message for [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].location (
str
) –The project-specific location in which to generate random bytes. For example, “projects/my- project/locations/us-central1”.
This corresponds to the
location
field on therequest
instance; ifrequest
is provided, this should not be set.length_bytes (
int
) –The length in bytes of the amount of randomness to retrieve. Minimum 8 bytes, maximum 1024 bytes.
This corresponds to the
length_bytes
field on therequest
instance; ifrequest
is provided, this should not be set.protection_level (
google.cloud.kms_v1.types.ProtectionLevel
) –The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when generating the random data. Defaults to [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
This corresponds to the
protection_level
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].
- Return type
- async get_crypto_key(request: Optional[google.cloud.kms_v1.types.service.GetCryptoKeyRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKey [source]¶
Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as well as its [primary][google.cloud.kms.v1.CryptoKey.primary] [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
- Parameters
request (
google.cloud.kms_v1.types.GetCryptoKeyRequest
) – The request object. Request message for [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].name (
str
) –Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic
operations.
A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.
- Return type
- async get_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.GetCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion [source]¶
Returns metadata for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
- Parameters
request (
google.cloud.kms_v1.types.GetCryptoKeyVersionRequest
) – The request object. Request message for [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].name (
str
) –Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.
For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
- Return type
- async get_iam_policy(request: Optional[google.iam.v1.iam_policy_pb2.GetIamPolicyRequest] = None, *, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.iam.v1.policy_pb2.Policy [source]¶
Gets the IAM access control policy for a function.
Returns an empty policy if the function exists and does not have a policy set.
- Parameters
request (
GetIamPolicyRequest
) – The request object. Request message for GetIamPolicy method.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. A
Policy
is a collection ofbindings
. Abinding
binds one or moremembers
to a singlerole
. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). Arole
is a named list of permissions (defined by IAM or configured by users). Abinding
can optionally specify acondition
, which is a logic expression that further constrains the role binding based on attributes about the request and/or target resource.JSON Example:
{ "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ] }
YAML Example:
bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
For a description of IAM and its features, see the IAM developer’s guide.
- Return type
Policy
- async get_import_job(request: Optional[google.cloud.kms_v1.types.service.GetImportJobRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.ImportJob [source]¶
Returns metadata for a given [ImportJob][google.cloud.kms.v1.ImportJob].
- Parameters
request (
google.cloud.kms_v1.types.GetImportJobRequest
) – The request object. Request message for [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].name (
str
) –Required. The [name][google.cloud.kms.v1.ImportJob.name] of the [ImportJob][google.cloud.kms.v1.ImportJob] to get.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
[CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material, generated outside of Cloud KMS.
When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a “wrapping key”, which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The fetched public key can then be used to wrap your pre-existing key material.
Once the key material is wrapped, it can be imported into a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key.
An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the [ImportJob][google.cloud.kms.v1.ImportJob]’s public key.
For more information, see [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
- Return type
- async get_key_ring(request: Optional[google.cloud.kms_v1.types.service.GetKeyRingRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.KeyRing [source]¶
Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].
- Parameters
request (
google.cloud.kms_v1.types.GetKeyRingRequest
) – The request object. Request message for [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].name (
str
) –Required. The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] to get.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
- Return type
- async get_public_key(request: Optional[google.cloud.kms_v1.types.service.GetPublicKeyRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.PublicKey [source]¶
Returns the public key for the given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN] or [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
- Parameters
request (
google.cloud.kms_v1.types.GetPublicKeyRequest
) – The request object. Request message for [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].name (
str
) –Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via
[GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
- Return type
- get_transport_class() Type[google.cloud.kms_v1.services.key_management_service.transports.base.KeyManagementServiceTransport] ¶
Returns an appropriate transport class.
- Parameters
label – The name of the desired transport. If none is provided, then the first transport in the registry is used.
- Returns
The transport class to use.
- async import_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.ImportCryptoKeyVersionRequest] = None, *, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion [source]¶
Imports a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] into an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] using the wrapped key material provided in the request.
The version ID will be assigned the next sequential id within the [CryptoKey][google.cloud.kms.v1.CryptoKey].
- Parameters
request (
google.cloud.kms_v1.types.ImportCryptoKeyVersionRequest
) – The request object. Request message for [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.
For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
- Return type
- static import_job_path(project: str, location: str, key_ring: str, import_job: str) str ¶
Returns a fully-qualified import_job string.
- static key_ring_path(project: str, location: str, key_ring: str) str ¶
Returns a fully-qualified key_ring string.
- async list_crypto_key_versions(request: Optional[google.cloud.kms_v1.types.service.ListCryptoKeyVersionsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeyVersionsAsyncPager [source]¶
Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
- Parameters
request (
google.cloud.kms_v1.types.ListCryptoKeyVersionsRequest
) – The request object. Request message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].parent (
str
) –Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*
.This corresponds to the
parent
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
Iterating over this object will yield results and resolve additional pages automatically.
- Return type
google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeyVersionsAsyncPager
- async list_crypto_keys(request: Optional[google.cloud.kms_v1.types.service.ListCryptoKeysRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeysAsyncPager [source]¶
Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
- Parameters
request (
google.cloud.kms_v1.types.ListCryptoKeysRequest
) – The request object. Request message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].parent (
str
) –Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format
projects/*/locations/*/keyRings/*
.This corresponds to the
parent
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
Iterating over this object will yield results and resolve additional pages automatically.
- Return type
google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeysAsyncPager
- async list_import_jobs(request: Optional[google.cloud.kms_v1.types.service.ListImportJobsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.services.key_management_service.pagers.ListImportJobsAsyncPager [source]¶
Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
- Parameters
request (
google.cloud.kms_v1.types.ListImportJobsRequest
) – The request object. Request message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].parent (
str
) –Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format
projects/*/locations/*/keyRings/*
.This corresponds to the
parent
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
Iterating over this object will yield results and resolve additional pages automatically.
- Return type
google.cloud.kms_v1.services.key_management_service.pagers.ListImportJobsAsyncPager
- async list_key_rings(request: Optional[google.cloud.kms_v1.types.service.ListKeyRingsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.services.key_management_service.pagers.ListKeyRingsAsyncPager [source]¶
Lists [KeyRings][google.cloud.kms.v1.KeyRing].
- Parameters
request (
google.cloud.kms_v1.types.ListKeyRingsRequest
) – The request object. Request message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].parent (
str
) –Required. The resource name of the location associated with the [KeyRings][google.cloud.kms.v1.KeyRing], in the format
projects/*/locations/*
.This corresponds to the
parent
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
Iterating over this object will yield results and resolve additional pages automatically.
- Return type
google.cloud.kms_v1.services.key_management_service.pagers.ListKeyRingsAsyncPager
- async mac_sign(request: Optional[google.cloud.kms_v1.types.service.MacSignRequest] = None, *, name: Optional[str] = None, data: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.MacSignResponse [source]¶
Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, producing a tag that can be verified by another source with the same key.
- Parameters
request (
google.cloud.kms_v1.types.MacSignRequest
) – The request object. Request message for [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].name (
str
) –Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for signing.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.data (
bytes
) –Required. The data to sign. The MAC tag is computed over this data field based on the specific algorithm.
This corresponds to the
data
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].
- Return type
- async mac_verify(request: Optional[google.cloud.kms_v1.types.service.MacVerifyRequest] = None, *, name: Optional[str] = None, data: Optional[bytes] = None, mac: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.MacVerifyResponse [source]¶
Verifies MAC tag using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, and returns a response that indicates whether or not the verification was successful.
- Parameters
request (
google.cloud.kms_v1.types.MacVerifyRequest
) – The request object. Request message for [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].name (
str
) –Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for verification.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.data (
bytes
) –Required. The data used previously as a [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] to generate the MAC tag.
This corresponds to the
data
field on therequest
instance; ifrequest
is provided, this should not be set.mac (
bytes
) – Required. The signature to verify. This corresponds to themac
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].
- Return type
- static parse_common_billing_account_path(path: str) Dict[str, str] ¶
Parse a billing_account path into its component segments.
- static parse_common_folder_path(path: str) Dict[str, str] ¶
Parse a folder path into its component segments.
- static parse_common_location_path(path: str) Dict[str, str] ¶
Parse a location path into its component segments.
- static parse_common_organization_path(path: str) Dict[str, str] ¶
Parse a organization path into its component segments.
- static parse_common_project_path(path: str) Dict[str, str] ¶
Parse a project path into its component segments.
- static parse_crypto_key_path(path: str) Dict[str, str] ¶
Parses a crypto_key path into its component segments.
- static parse_crypto_key_version_path(path: str) Dict[str, str] ¶
Parses a crypto_key_version path into its component segments.
- static parse_import_job_path(path: str) Dict[str, str] ¶
Parses a import_job path into its component segments.
- static parse_key_ring_path(path: str) Dict[str, str] ¶
Parses a key_ring path into its component segments.
- static parse_public_key_path(path: str) Dict[str, str] ¶
Parses a public_key path into its component segments.
- static public_key_path(project: str, location: str, key_ring: str, crypto_key: str, crypto_key_version: str) str ¶
Returns a fully-qualified public_key string.
- async restore_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.RestoreCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion [source]¶
Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] state.
Upon restoration of the CryptoKeyVersion, [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED], and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be cleared.
- Parameters
request (
google.cloud.kms_v1.types.RestoreCryptoKeyVersionRequest
) – The request object. Request message for [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].name (
str
) –Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.
For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
- Return type
- async set_iam_policy(request: Optional[google.iam.v1.iam_policy_pb2.SetIamPolicyRequest] = None, *, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.iam.v1.policy_pb2.Policy [source]¶
Sets the IAM access control policy on the specified function.
Replaces any existing policy.
- Parameters
request (
SetIamPolicyRequest
) – The request object. Request message for SetIamPolicy method.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. A
Policy
is a collection ofbindings
. Abinding
binds one or moremembers
to a singlerole
. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). Arole
is a named list of permissions (defined by IAM or configured by users). Abinding
can optionally specify acondition
, which is a logic expression that further constrains the role binding based on attributes about the request and/or target resource.JSON Example:
{ "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ] }
YAML Example:
bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
For a description of IAM and its features, see the IAM developer’s guide.
- Return type
Policy
- async test_iam_permissions(request: Optional[google.iam.v1.iam_policy_pb2.TestIamPermissionsRequest] = None, *, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.iam.v1.iam_policy_pb2.TestIamPermissionsResponse [source]¶
- Tests the specified permissions against the IAM access control
policy for a function.
If the function does not exist, this will return an empty set of permissions, not a NOT_FOUND error.
- Parameters
request (
TestIamPermissionsRequest
) – The request object. Request message for TestIamPermissions method.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for
TestIamPermissions
method.- Return type
PolicyTestIamPermissionsResponse
- property transport: google.cloud.kms_v1.services.key_management_service.transports.base.KeyManagementServiceTransport¶
Returns the transport used by the client instance.
- Returns
The transport used by the client instance.
- Return type
KeyManagementServiceTransport
- async update_crypto_key(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyRequest] = None, *, crypto_key: Optional[google.cloud.kms_v1.types.resources.CryptoKey] = None, update_mask: Optional[google.protobuf.field_mask_pb2.FieldMask] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKey [source]¶
Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
- Parameters
request (
google.cloud.kms_v1.types.UpdateCryptoKeyRequest
) – The request object. Request message for [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].crypto_key (
google.cloud.kms_v1.types.CryptoKey
) –Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.
This corresponds to the
crypto_key
field on therequest
instance; ifrequest
is provided, this should not be set.update_mask (
google.protobuf.field_mask_pb2.FieldMask
) –Required. List of fields to be updated in this request.
This corresponds to the
update_mask
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic
operations.
A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.
- Return type
- async update_crypto_key_primary_version(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyPrimaryVersionRequest] = None, *, name: Optional[str] = None, crypto_key_version_id: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKey [source]¶
Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
Returns an error if called on a key whose purpose is not [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
- Parameters
request (
google.cloud.kms_v1.types.UpdateCryptoKeyPrimaryVersionRequest
) – The request object. Request message for [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].name (
str
) –Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.crypto_key_version_id (
str
) –Required. The id of the child [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
This corresponds to the
crypto_key_version_id
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic
operations.
A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.
- Return type
- async update_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyVersionRequest] = None, *, crypto_key_version: Optional[google.cloud.kms_v1.types.resources.CryptoKeyVersion] = None, update_mask: Optional[google.protobuf.field_mask_pb2.FieldMask] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion [source]¶
Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]’s metadata.
[state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] and [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] using this method. See [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion] and [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] to move between other states.
- Parameters
request (
google.cloud.kms_v1.types.UpdateCryptoKeyVersionRequest
) – The request object. Request message for [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].crypto_key_version (
google.cloud.kms_v1.types.CryptoKeyVersion
) –Required. [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with updated values.
This corresponds to the
crypto_key_version
field on therequest
instance; ifrequest
is provided, this should not be set.update_mask (
google.protobuf.field_mask_pb2.FieldMask
) –Required. List of fields to be updated in this request.
This corresponds to the
update_mask
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.
For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
- Return type
- class google.cloud.kms_v1.services.key_management_service.KeyManagementServiceClient(*, credentials: Optional[google.auth.credentials.Credentials] = None, transport: Optional[Union[str, google.cloud.kms_v1.services.key_management_service.transports.base.KeyManagementServiceTransport]] = None, client_options: Optional[google.api_core.client_options.ClientOptions] = None, client_info: google.api_core.gapic_v1.client_info.ClientInfo = <google.api_core.gapic_v1.client_info.ClientInfo object>)[source]¶
Google Cloud Key Management Service
Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:
[KeyRing][google.cloud.kms.v1.KeyRing]
[CryptoKey][google.cloud.kms.v1.CryptoKey]
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
[ImportJob][google.cloud.kms.v1.ImportJob]
If you are using manual gRPC libraries, see Using gRPC with Cloud KMS.
Instantiates the key management service client.
- Parameters
credentials (Optional[google.auth.credentials.Credentials]) – The authorization credentials to attach to requests. These credentials identify the application to the service; if none are specified, the client will attempt to ascertain the credentials from the environment.
transport (Union[str, KeyManagementServiceTransport]) – The transport to use. If set to None, a transport is chosen automatically.
client_options (google.api_core.client_options.ClientOptions) – Custom options for the client. It won’t take effect if a
transport
instance is provided. (1) Theapi_endpoint
property can be used to override the default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT environment variable can also be used to override the endpoint: “always” (always use the default mTLS endpoint), “never” (always use the default regular endpoint) and “auto” (auto switch to the default mTLS endpoint if client certificate is present, this is the default value). However, theapi_endpoint
property takes precedence if provided. (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is “true”, then theclient_cert_source
property can be used to provide client certificate for mutual TLS transport. If not provided, the default SSL client certificate will be used if present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is “false” or not set, no client certificate will be used.client_info (google.api_core.gapic_v1.client_info.ClientInfo) – The client info used to send a user-agent string along with API requests. If
None
, then default info will be used. Generally, you only need to set this if you’re developing your own client library.
- Raises
google.auth.exceptions.MutualTLSChannelError – If mutual TLS transport creation failed for any reason.
- asymmetric_decrypt(request: Optional[google.cloud.kms_v1.types.service.AsymmetricDecryptRequest] = None, *, name: Optional[str] = None, ciphertext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.AsymmetricDecryptResponse [source]¶
Decrypts data that was encrypted with a public key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey] corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_DECRYPT.
- Parameters
request (google.cloud.kms_v1.types.AsymmetricDecryptRequest) – The request object. Request message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
name (str) –
Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for decryption.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.ciphertext (bytes) –
Required. The data encrypted with the named [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]’s public key using OAEP.
This corresponds to the
ciphertext
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
- Return type
- asymmetric_sign(request: Optional[google.cloud.kms_v1.types.service.AsymmetricSignRequest] = None, *, name: Optional[str] = None, digest: Optional[google.cloud.kms_v1.types.service.Digest] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.AsymmetricSignResponse [source]¶
Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
- Parameters
request (google.cloud.kms_v1.types.AsymmetricSignRequest) – The request object. Request message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
name (str) –
Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for signing.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.digest (google.cloud.kms_v1.types.Digest) –
Required. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version’s [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
This corresponds to the
digest
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
- Return type
- static common_billing_account_path(billing_account: str) str [source]¶
Returns a fully-qualified billing_account string.
- static common_location_path(project: str, location: str) str [source]¶
Returns a fully-qualified location string.
- static common_organization_path(organization: str) str [source]¶
Returns a fully-qualified organization string.
- create_crypto_key(request: Optional[google.cloud.kms_v1.types.service.CreateCryptoKeyRequest] = None, *, parent: Optional[str] = None, crypto_key_id: Optional[str] = None, crypto_key: Optional[google.cloud.kms_v1.types.resources.CryptoKey] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKey [source]¶
Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a [KeyRing][google.cloud.kms.v1.KeyRing].
[CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm] are required.
- Parameters
request (google.cloud.kms_v1.types.CreateCryptoKeyRequest) – The request object. Request message for [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
parent (str) –
Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey].
This corresponds to the
parent
field on therequest
instance; ifrequest
is provided, this should not be set.crypto_key_id (str) –
Required. It must be unique within a KeyRing and match the regular expression
[a-zA-Z0-9_-]{1,63}
This corresponds to the
crypto_key_id
field on therequest
instance; ifrequest
is provided, this should not be set.crypto_key (google.cloud.kms_v1.types.CryptoKey) –
Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field values.
This corresponds to the
crypto_key
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic
operations.
A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.
- Return type
- create_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.CreateCryptoKeyVersionRequest] = None, *, parent: Optional[str] = None, crypto_key_version: Optional[google.cloud.kms_v1.types.resources.CryptoKeyVersion] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion [source]¶
Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a [CryptoKey][google.cloud.kms.v1.CryptoKey].
The server will assign the next sequential id. If unset, [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
- Parameters
request (google.cloud.kms_v1.types.CreateCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
parent (str) –
Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
This corresponds to the
parent
field on therequest
instance; ifrequest
is provided, this should not be set.crypto_key_version (google.cloud.kms_v1.types.CryptoKeyVersion) –
Required. A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with initial field values.
This corresponds to the
crypto_key_version
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.
For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
- Return type
- create_import_job(request: Optional[google.cloud.kms_v1.types.service.CreateImportJobRequest] = None, *, parent: Optional[str] = None, import_job_id: Optional[str] = None, import_job: Optional[google.cloud.kms_v1.types.resources.ImportJob] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.ImportJob [source]¶
Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a [KeyRing][google.cloud.kms.v1.KeyRing].
[ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is required.
- Parameters
request (google.cloud.kms_v1.types.CreateImportJobRequest) – The request object. Request message for [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].
parent (str) –
Required. The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] associated with the [ImportJobs][google.cloud.kms.v1.ImportJob].
This corresponds to the
parent
field on therequest
instance; ifrequest
is provided, this should not be set.import_job_id (str) –
Required. It must be unique within a KeyRing and match the regular expression
[a-zA-Z0-9_-]{1,63}
This corresponds to the
import_job_id
field on therequest
instance; ifrequest
is provided, this should not be set.import_job (google.cloud.kms_v1.types.ImportJob) –
Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field values.
This corresponds to the
import_job
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
[CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material, generated outside of Cloud KMS.
When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a “wrapping key”, which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The fetched public key can then be used to wrap your pre-existing key material.
Once the key material is wrapped, it can be imported into a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key.
An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the [ImportJob][google.cloud.kms.v1.ImportJob]’s public key.
For more information, see [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
- Return type
- create_key_ring(request: Optional[google.cloud.kms_v1.types.service.CreateKeyRingRequest] = None, *, parent: Optional[str] = None, key_ring_id: Optional[str] = None, key_ring: Optional[google.cloud.kms_v1.types.resources.KeyRing] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.KeyRing [source]¶
Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and Location.
- Parameters
request (google.cloud.kms_v1.types.CreateKeyRingRequest) – The request object. Request message for [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
parent (str) –
Required. The resource name of the location associated with the [KeyRings][google.cloud.kms.v1.KeyRing], in the format
projects/*/locations/*
.This corresponds to the
parent
field on therequest
instance; ifrequest
is provided, this should not be set.key_ring_id (str) –
Required. It must be unique within a location and match the regular expression
[a-zA-Z0-9_-]{1,63}
This corresponds to the
key_ring_id
field on therequest
instance; ifrequest
is provided, this should not be set.key_ring (google.cloud.kms_v1.types.KeyRing) –
Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field values.
This corresponds to the
key_ring
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
- Return type
- static crypto_key_path(project: str, location: str, key_ring: str, crypto_key: str) str [source]¶
Returns a fully-qualified crypto_key string.
- static crypto_key_version_path(project: str, location: str, key_ring: str, crypto_key: str, crypto_key_version: str) str [source]¶
Returns a fully-qualified crypto_key_version string.
- decrypt(request: Optional[google.cloud.kms_v1.types.service.DecryptRequest] = None, *, name: Optional[str] = None, ciphertext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.DecryptResponse [source]¶
Decrypts data that was protected by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
- Parameters
request (google.cloud.kms_v1.types.DecryptRequest) – The request object. Request message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
name (str) –
Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The server will choose the appropriate version.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.ciphertext (bytes) –
Required. The encrypted data originally returned in [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
This corresponds to the
ciphertext
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
- Return type
- destroy_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.DestroyCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion [source]¶
Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for destruction.
Upon calling this method, [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be set to a time 24 hours in the future, at which point the [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be changed to [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], and the key material will be irrevocably destroyed.
Before the [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is reached, [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] may be called to reverse the process.
- Parameters
request (google.cloud.kms_v1.types.DestroyCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
name (str) –
Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.
For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
- Return type
- encrypt(request: Optional[google.cloud.kms_v1.types.service.EncryptRequest] = None, *, name: Optional[str] = None, plaintext: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.EncryptResponse [source]¶
Encrypts data, so that it can only be recovered by a call to [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
- Parameters
request (google.cloud.kms_v1.types.EncryptRequest) – The request object. Request message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
name (str) –
Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] or [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for encryption.
If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.plaintext (bytes) –
Required. The data to encrypt. Must be no larger than 64KiB.
The maximum size depends on the key version’s [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the plaintext must be no larger than 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.
This corresponds to the
plaintext
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
- Return type
- classmethod from_service_account_file(filename: str, *args, **kwargs)[source]¶
- Creates an instance of this client using the provided credentials
file.
- Parameters
filename (str) – The path to the service account private key json file.
args – Additional arguments to pass to the constructor.
kwargs – Additional arguments to pass to the constructor.
- Returns
The constructed client.
- Return type
- classmethod from_service_account_info(info: dict, *args, **kwargs)[source]¶
- Creates an instance of this client using the provided credentials
info.
- Parameters
info (dict) – The service account private key info.
args – Additional arguments to pass to the constructor.
kwargs – Additional arguments to pass to the constructor.
- Returns
The constructed client.
- Return type
- classmethod from_service_account_json(filename: str, *args, **kwargs)¶
- Creates an instance of this client using the provided credentials
file.
- Parameters
filename (str) – The path to the service account private key json file.
args – Additional arguments to pass to the constructor.
kwargs – Additional arguments to pass to the constructor.
- Returns
The constructed client.
- Return type
- generate_random_bytes(request: Optional[google.cloud.kms_v1.types.service.GenerateRandomBytesRequest] = None, *, location: Optional[str] = None, length_bytes: Optional[int] = None, protection_level: Optional[google.cloud.kms_v1.types.resources.ProtectionLevel] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.GenerateRandomBytesResponse [source]¶
Generate random bytes using the Cloud KMS randomness source in the provided location.
- Parameters
request (google.cloud.kms_v1.types.GenerateRandomBytesRequest) – The request object. Request message for [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].
location (str) –
The project-specific location in which to generate random bytes. For example, “projects/my- project/locations/us-central1”.
This corresponds to the
location
field on therequest
instance; ifrequest
is provided, this should not be set.length_bytes (int) –
The length in bytes of the amount of randomness to retrieve. Minimum 8 bytes, maximum 1024 bytes.
This corresponds to the
length_bytes
field on therequest
instance; ifrequest
is provided, this should not be set.protection_level (google.cloud.kms_v1.types.ProtectionLevel) –
The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when generating the random data. Defaults to [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
This corresponds to the
protection_level
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].
- Return type
- get_crypto_key(request: Optional[google.cloud.kms_v1.types.service.GetCryptoKeyRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKey [source]¶
Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as well as its [primary][google.cloud.kms.v1.CryptoKey.primary] [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
- Parameters
request (google.cloud.kms_v1.types.GetCryptoKeyRequest) – The request object. Request message for [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
name (str) –
Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic
operations.
A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.
- Return type
- get_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.GetCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion [source]¶
Returns metadata for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
- Parameters
request (google.cloud.kms_v1.types.GetCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
name (str) –
Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.
For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
- Return type
- get_iam_policy(request: Optional[google.iam.v1.iam_policy_pb2.GetIamPolicyRequest] = None, *, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.iam.v1.policy_pb2.Policy [source]¶
Gets the IAM access control policy for a function.
Returns an empty policy if the function exists and does not have a policy set.
- Parameters
request (
GetIamPolicyRequest
) – The request object. Request message for GetIamPolicy method.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. A
Policy
is a collection ofbindings
. Abinding
binds one or moremembers
to a singlerole
. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). Arole
is a named list of permissions (defined by IAM or configured by users). Abinding
can optionally specify acondition
, which is a logic expression that further constrains the role binding based on attributes about the request and/or target resource.JSON Example:
{ "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ] }
YAML Example:
bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
For a description of IAM and its features, see the IAM developer’s guide.
- Return type
Policy
- get_import_job(request: Optional[google.cloud.kms_v1.types.service.GetImportJobRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.ImportJob [source]¶
Returns metadata for a given [ImportJob][google.cloud.kms.v1.ImportJob].
- Parameters
request (google.cloud.kms_v1.types.GetImportJobRequest) – The request object. Request message for [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
name (str) –
Required. The [name][google.cloud.kms.v1.ImportJob.name] of the [ImportJob][google.cloud.kms.v1.ImportJob] to get.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
[CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material, generated outside of Cloud KMS.
When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a “wrapping key”, which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The fetched public key can then be used to wrap your pre-existing key material.
Once the key material is wrapped, it can be imported into a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key.
An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the [ImportJob][google.cloud.kms.v1.ImportJob]’s public key.
For more information, see [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
- Return type
- get_key_ring(request: Optional[google.cloud.kms_v1.types.service.GetKeyRingRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.KeyRing [source]¶
Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].
- Parameters
request (google.cloud.kms_v1.types.GetKeyRingRequest) – The request object. Request message for [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
name (str) –
Required. The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] to get.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
- Return type
- get_public_key(request: Optional[google.cloud.kms_v1.types.service.GetPublicKeyRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.PublicKey [source]¶
Returns the public key for the given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN] or [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
- Parameters
request (google.cloud.kms_v1.types.GetPublicKeyRequest) – The request object. Request message for [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
name (str) –
Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via
[GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
- Return type
- import_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.ImportCryptoKeyVersionRequest] = None, *, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion [source]¶
Imports a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] into an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] using the wrapped key material provided in the request.
The version ID will be assigned the next sequential id within the [CryptoKey][google.cloud.kms.v1.CryptoKey].
- Parameters
request (google.cloud.kms_v1.types.ImportCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.
For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
- Return type
- static import_job_path(project: str, location: str, key_ring: str, import_job: str) str [source]¶
Returns a fully-qualified import_job string.
- static key_ring_path(project: str, location: str, key_ring: str) str [source]¶
Returns a fully-qualified key_ring string.
- list_crypto_key_versions(request: Optional[google.cloud.kms_v1.types.service.ListCryptoKeyVersionsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeyVersionsPager [source]¶
Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
- Parameters
request (google.cloud.kms_v1.types.ListCryptoKeyVersionsRequest) – The request object. Request message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
parent (str) –
Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*
.This corresponds to the
parent
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
Iterating over this object will yield results and resolve additional pages automatically.
- Return type
google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeyVersionsPager
- list_crypto_keys(request: Optional[google.cloud.kms_v1.types.service.ListCryptoKeysRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeysPager [source]¶
Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
- Parameters
request (google.cloud.kms_v1.types.ListCryptoKeysRequest) – The request object. Request message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
parent (str) –
Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format
projects/*/locations/*/keyRings/*
.This corresponds to the
parent
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
Iterating over this object will yield results and resolve additional pages automatically.
- Return type
google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeysPager
- list_import_jobs(request: Optional[google.cloud.kms_v1.types.service.ListImportJobsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.services.key_management_service.pagers.ListImportJobsPager [source]¶
Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
- Parameters
request (google.cloud.kms_v1.types.ListImportJobsRequest) – The request object. Request message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
parent (str) –
Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format
projects/*/locations/*/keyRings/*
.This corresponds to the
parent
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
Iterating over this object will yield results and resolve additional pages automatically.
- Return type
google.cloud.kms_v1.services.key_management_service.pagers.ListImportJobsPager
- list_key_rings(request: Optional[google.cloud.kms_v1.types.service.ListKeyRingsRequest] = None, *, parent: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.services.key_management_service.pagers.ListKeyRingsPager [source]¶
Lists [KeyRings][google.cloud.kms.v1.KeyRing].
- Parameters
request (google.cloud.kms_v1.types.ListKeyRingsRequest) – The request object. Request message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
parent (str) –
Required. The resource name of the location associated with the [KeyRings][google.cloud.kms.v1.KeyRing], in the format
projects/*/locations/*
.This corresponds to the
parent
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
Iterating over this object will yield results and resolve additional pages automatically.
- Return type
google.cloud.kms_v1.services.key_management_service.pagers.ListKeyRingsPager
- mac_sign(request: Optional[google.cloud.kms_v1.types.service.MacSignRequest] = None, *, name: Optional[str] = None, data: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.MacSignResponse [source]¶
Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, producing a tag that can be verified by another source with the same key.
- Parameters
request (google.cloud.kms_v1.types.MacSignRequest) – The request object. Request message for [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].
name (str) –
Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for signing.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.data (bytes) –
Required. The data to sign. The MAC tag is computed over this data field based on the specific algorithm.
This corresponds to the
data
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].
- Return type
- mac_verify(request: Optional[google.cloud.kms_v1.types.service.MacVerifyRequest] = None, *, name: Optional[str] = None, data: Optional[bytes] = None, mac: Optional[bytes] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.service.MacVerifyResponse [source]¶
Verifies MAC tag using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, and returns a response that indicates whether or not the verification was successful.
- Parameters
request (google.cloud.kms_v1.types.MacVerifyRequest) – The request object. Request message for [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].
name (str) –
Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for verification.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.data (bytes) –
Required. The data used previously as a [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] to generate the MAC tag.
This corresponds to the
data
field on therequest
instance; ifrequest
is provided, this should not be set.mac (bytes) – Required. The signature to verify. This corresponds to the
mac
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].
- Return type
- static parse_common_billing_account_path(path: str) Dict[str, str] [source]¶
Parse a billing_account path into its component segments.
- static parse_common_folder_path(path: str) Dict[str, str] [source]¶
Parse a folder path into its component segments.
- static parse_common_location_path(path: str) Dict[str, str] [source]¶
Parse a location path into its component segments.
- static parse_common_organization_path(path: str) Dict[str, str] [source]¶
Parse a organization path into its component segments.
- static parse_common_project_path(path: str) Dict[str, str] [source]¶
Parse a project path into its component segments.
- static parse_crypto_key_path(path: str) Dict[str, str] [source]¶
Parses a crypto_key path into its component segments.
- static parse_crypto_key_version_path(path: str) Dict[str, str] [source]¶
Parses a crypto_key_version path into its component segments.
- static parse_import_job_path(path: str) Dict[str, str] [source]¶
Parses a import_job path into its component segments.
- static parse_key_ring_path(path: str) Dict[str, str] [source]¶
Parses a key_ring path into its component segments.
- static parse_public_key_path(path: str) Dict[str, str] [source]¶
Parses a public_key path into its component segments.
- static public_key_path(project: str, location: str, key_ring: str, crypto_key: str, crypto_key_version: str) str [source]¶
Returns a fully-qualified public_key string.
- restore_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.RestoreCryptoKeyVersionRequest] = None, *, name: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion [source]¶
Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] state.
Upon restoration of the CryptoKeyVersion, [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED], and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be cleared.
- Parameters
request (google.cloud.kms_v1.types.RestoreCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
name (str) –
Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.
For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
- Return type
- set_iam_policy(request: Optional[google.iam.v1.iam_policy_pb2.SetIamPolicyRequest] = None, *, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.iam.v1.policy_pb2.Policy [source]¶
Sets the IAM access control policy on the specified function.
Replaces any existing policy.
- Parameters
request (
SetIamPolicyRequest
) – The request object. Request message for SetIamPolicy method.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources. A
Policy
is a collection ofbindings
. Abinding
binds one or moremembers
to a singlerole
. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). Arole
is a named list of permissions (defined by IAM or configured by users). Abinding
can optionally specify acondition
, which is a logic expression that further constrains the role binding based on attributes about the request and/or target resource.JSON Example:
{ "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": ["user:eve@example.com"], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ] }
YAML Example:
bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
For a description of IAM and its features, see the IAM developer’s guide.
- Return type
Policy
- test_iam_permissions(request: Optional[google.iam.v1.iam_policy_pb2.TestIamPermissionsRequest] = None, *, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.iam.v1.iam_policy_pb2.TestIamPermissionsResponse [source]¶
- Tests the specified IAM permissions against the IAM access control
policy for a function.
If the function does not exist, this will return an empty set of permissions, not a NOT_FOUND error.
- Parameters
request (
TestIamPermissionsRequest
) – The request object. Request message for TestIamPermissions method.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
Response message for
TestIamPermissions
method.- Return type
TestIamPermissionsResponse
- property transport: google.cloud.kms_v1.services.key_management_service.transports.base.KeyManagementServiceTransport¶
Returns the transport used by the client instance.
- Returns
- The transport used by the client
instance.
- Return type
KeyManagementServiceTransport
- update_crypto_key(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyRequest] = None, *, crypto_key: Optional[google.cloud.kms_v1.types.resources.CryptoKey] = None, update_mask: Optional[google.protobuf.field_mask_pb2.FieldMask] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKey [source]¶
Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
- Parameters
request (google.cloud.kms_v1.types.UpdateCryptoKeyRequest) – The request object. Request message for [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].
crypto_key (google.cloud.kms_v1.types.CryptoKey) –
Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.
This corresponds to the
crypto_key
field on therequest
instance; ifrequest
is provided, this should not be set.update_mask (google.protobuf.field_mask_pb2.FieldMask) –
Required. List of fields to be updated in this request.
This corresponds to the
update_mask
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic
operations.
A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.
- Return type
- update_crypto_key_primary_version(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyPrimaryVersionRequest] = None, *, name: Optional[str] = None, crypto_key_version_id: Optional[str] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKey [source]¶
Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
Returns an error if called on a key whose purpose is not [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
- Parameters
request (google.cloud.kms_v1.types.UpdateCryptoKeyPrimaryVersionRequest) – The request object. Request message for [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
name (str) –
Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
This corresponds to the
name
field on therequest
instance; ifrequest
is provided, this should not be set.crypto_key_version_id (str) –
Required. The id of the child [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
This corresponds to the
crypto_key_version_id
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic
operations.
A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.
- Return type
- update_crypto_key_version(request: Optional[google.cloud.kms_v1.types.service.UpdateCryptoKeyVersionRequest] = None, *, crypto_key_version: Optional[google.cloud.kms_v1.types.resources.CryptoKeyVersion] = None, update_mask: Optional[google.protobuf.field_mask_pb2.FieldMask] = None, retry: google.api_core.retry.Retry = <object object>, timeout: Optional[float] = None, metadata: Sequence[Tuple[str, str]] = ()) google.cloud.kms_v1.types.resources.CryptoKeyVersion [source]¶
Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]’s metadata.
[state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] and [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] using this method. See [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion] and [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] to move between other states.
- Parameters
request (google.cloud.kms_v1.types.UpdateCryptoKeyVersionRequest) – The request object. Request message for [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
crypto_key_version (google.cloud.kms_v1.types.CryptoKeyVersion) –
Required. [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with updated values.
This corresponds to the
crypto_key_version
field on therequest
instance; ifrequest
is provided, this should not be set.update_mask (google.protobuf.field_mask_pb2.FieldMask) –
Required. List of fields to be updated in this request.
This corresponds to the
update_mask
field on therequest
instance; ifrequest
is provided, this should not be set.retry (google.api_core.retry.Retry) – Designation of what errors, if any, should be retried.
timeout (float) – The timeout for this request.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- Returns
- A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
associated key material.
An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.
For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
- Return type
- class google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeyVersionsAsyncPager(method: Callable[[...], Awaitable[google.cloud.kms_v1.types.service.ListCryptoKeyVersionsResponse]], request: google.cloud.kms_v1.types.service.ListCryptoKeyVersionsRequest, response: google.cloud.kms_v1.types.service.ListCryptoKeyVersionsResponse, *, metadata: Sequence[Tuple[str, str]] = ())[source]¶
A pager for iterating through
list_crypto_key_versions
requests.This class thinly wraps an initial
google.cloud.kms_v1.types.ListCryptoKeyVersionsResponse
object, and provides an__aiter__
method to iterate through itscrypto_key_versions
field.If there are more pages, the
__aiter__
method will make additionalListCryptoKeyVersions
requests and continue to iterate through thecrypto_key_versions
field on the corresponding responses.All the usual
google.cloud.kms_v1.types.ListCryptoKeyVersionsResponse
attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.Instantiates the pager.
- Parameters
method (Callable) – The method that was originally called, and which instantiated this pager.
request (google.cloud.kms_v1.types.ListCryptoKeyVersionsRequest) – The initial request object.
response (google.cloud.kms_v1.types.ListCryptoKeyVersionsResponse) – The initial response object.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- class google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeyVersionsPager(method: Callable[[...], google.cloud.kms_v1.types.service.ListCryptoKeyVersionsResponse], request: google.cloud.kms_v1.types.service.ListCryptoKeyVersionsRequest, response: google.cloud.kms_v1.types.service.ListCryptoKeyVersionsResponse, *, metadata: Sequence[Tuple[str, str]] = ())[source]¶
A pager for iterating through
list_crypto_key_versions
requests.This class thinly wraps an initial
google.cloud.kms_v1.types.ListCryptoKeyVersionsResponse
object, and provides an__iter__
method to iterate through itscrypto_key_versions
field.If there are more pages, the
__iter__
method will make additionalListCryptoKeyVersions
requests and continue to iterate through thecrypto_key_versions
field on the corresponding responses.All the usual
google.cloud.kms_v1.types.ListCryptoKeyVersionsResponse
attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.Instantiate the pager.
- Parameters
method (Callable) – The method that was originally called, and which instantiated this pager.
request (google.cloud.kms_v1.types.ListCryptoKeyVersionsRequest) – The initial request object.
response (google.cloud.kms_v1.types.ListCryptoKeyVersionsResponse) – The initial response object.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- class google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeysAsyncPager(method: Callable[[...], Awaitable[google.cloud.kms_v1.types.service.ListCryptoKeysResponse]], request: google.cloud.kms_v1.types.service.ListCryptoKeysRequest, response: google.cloud.kms_v1.types.service.ListCryptoKeysResponse, *, metadata: Sequence[Tuple[str, str]] = ())[source]¶
A pager for iterating through
list_crypto_keys
requests.This class thinly wraps an initial
google.cloud.kms_v1.types.ListCryptoKeysResponse
object, and provides an__aiter__
method to iterate through itscrypto_keys
field.If there are more pages, the
__aiter__
method will make additionalListCryptoKeys
requests and continue to iterate through thecrypto_keys
field on the corresponding responses.All the usual
google.cloud.kms_v1.types.ListCryptoKeysResponse
attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.Instantiates the pager.
- Parameters
method (Callable) – The method that was originally called, and which instantiated this pager.
request (google.cloud.kms_v1.types.ListCryptoKeysRequest) – The initial request object.
response (google.cloud.kms_v1.types.ListCryptoKeysResponse) – The initial response object.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- class google.cloud.kms_v1.services.key_management_service.pagers.ListCryptoKeysPager(method: Callable[[...], google.cloud.kms_v1.types.service.ListCryptoKeysResponse], request: google.cloud.kms_v1.types.service.ListCryptoKeysRequest, response: google.cloud.kms_v1.types.service.ListCryptoKeysResponse, *, metadata: Sequence[Tuple[str, str]] = ())[source]¶
A pager for iterating through
list_crypto_keys
requests.This class thinly wraps an initial
google.cloud.kms_v1.types.ListCryptoKeysResponse
object, and provides an__iter__
method to iterate through itscrypto_keys
field.If there are more pages, the
__iter__
method will make additionalListCryptoKeys
requests and continue to iterate through thecrypto_keys
field on the corresponding responses.All the usual
google.cloud.kms_v1.types.ListCryptoKeysResponse
attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.Instantiate the pager.
- Parameters
method (Callable) – The method that was originally called, and which instantiated this pager.
request (google.cloud.kms_v1.types.ListCryptoKeysRequest) – The initial request object.
response (google.cloud.kms_v1.types.ListCryptoKeysResponse) – The initial response object.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- class google.cloud.kms_v1.services.key_management_service.pagers.ListImportJobsAsyncPager(method: Callable[[...], Awaitable[google.cloud.kms_v1.types.service.ListImportJobsResponse]], request: google.cloud.kms_v1.types.service.ListImportJobsRequest, response: google.cloud.kms_v1.types.service.ListImportJobsResponse, *, metadata: Sequence[Tuple[str, str]] = ())[source]¶
A pager for iterating through
list_import_jobs
requests.This class thinly wraps an initial
google.cloud.kms_v1.types.ListImportJobsResponse
object, and provides an__aiter__
method to iterate through itsimport_jobs
field.If there are more pages, the
__aiter__
method will make additionalListImportJobs
requests and continue to iterate through theimport_jobs
field on the corresponding responses.All the usual
google.cloud.kms_v1.types.ListImportJobsResponse
attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.Instantiates the pager.
- Parameters
method (Callable) – The method that was originally called, and which instantiated this pager.
request (google.cloud.kms_v1.types.ListImportJobsRequest) – The initial request object.
response (google.cloud.kms_v1.types.ListImportJobsResponse) – The initial response object.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- class google.cloud.kms_v1.services.key_management_service.pagers.ListImportJobsPager(method: Callable[[...], google.cloud.kms_v1.types.service.ListImportJobsResponse], request: google.cloud.kms_v1.types.service.ListImportJobsRequest, response: google.cloud.kms_v1.types.service.ListImportJobsResponse, *, metadata: Sequence[Tuple[str, str]] = ())[source]¶
A pager for iterating through
list_import_jobs
requests.This class thinly wraps an initial
google.cloud.kms_v1.types.ListImportJobsResponse
object, and provides an__iter__
method to iterate through itsimport_jobs
field.If there are more pages, the
__iter__
method will make additionalListImportJobs
requests and continue to iterate through theimport_jobs
field on the corresponding responses.All the usual
google.cloud.kms_v1.types.ListImportJobsResponse
attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.Instantiate the pager.
- Parameters
method (Callable) – The method that was originally called, and which instantiated this pager.
request (google.cloud.kms_v1.types.ListImportJobsRequest) – The initial request object.
response (google.cloud.kms_v1.types.ListImportJobsResponse) – The initial response object.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- class google.cloud.kms_v1.services.key_management_service.pagers.ListKeyRingsAsyncPager(method: Callable[[...], Awaitable[google.cloud.kms_v1.types.service.ListKeyRingsResponse]], request: google.cloud.kms_v1.types.service.ListKeyRingsRequest, response: google.cloud.kms_v1.types.service.ListKeyRingsResponse, *, metadata: Sequence[Tuple[str, str]] = ())[source]¶
A pager for iterating through
list_key_rings
requests.This class thinly wraps an initial
google.cloud.kms_v1.types.ListKeyRingsResponse
object, and provides an__aiter__
method to iterate through itskey_rings
field.If there are more pages, the
__aiter__
method will make additionalListKeyRings
requests and continue to iterate through thekey_rings
field on the corresponding responses.All the usual
google.cloud.kms_v1.types.ListKeyRingsResponse
attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.Instantiates the pager.
- Parameters
method (Callable) – The method that was originally called, and which instantiated this pager.
request (google.cloud.kms_v1.types.ListKeyRingsRequest) – The initial request object.
response (google.cloud.kms_v1.types.ListKeyRingsResponse) – The initial response object.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.
- class google.cloud.kms_v1.services.key_management_service.pagers.ListKeyRingsPager(method: Callable[[...], google.cloud.kms_v1.types.service.ListKeyRingsResponse], request: google.cloud.kms_v1.types.service.ListKeyRingsRequest, response: google.cloud.kms_v1.types.service.ListKeyRingsResponse, *, metadata: Sequence[Tuple[str, str]] = ())[source]¶
A pager for iterating through
list_key_rings
requests.This class thinly wraps an initial
google.cloud.kms_v1.types.ListKeyRingsResponse
object, and provides an__iter__
method to iterate through itskey_rings
field.If there are more pages, the
__iter__
method will make additionalListKeyRings
requests and continue to iterate through thekey_rings
field on the corresponding responses.All the usual
google.cloud.kms_v1.types.ListKeyRingsResponse
attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.Instantiate the pager.
- Parameters
method (Callable) – The method that was originally called, and which instantiated this pager.
request (google.cloud.kms_v1.types.ListKeyRingsRequest) – The initial request object.
response (google.cloud.kms_v1.types.ListKeyRingsResponse) – The initial response object.
metadata (Sequence[Tuple[str, str]]) – Strings which should be sent along with the request as metadata.