Class CryptoKey (2.23.0)

CryptoKey(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Attributes

Name Description
name str
Output only. The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
primary google.cloud.kms_v1.types.CryptoKeyVersion
Output only. A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.
purpose google.cloud.kms_v1.types.CryptoKey.CryptoKeyPurpose
Immutable. The immutable purpose of this CryptoKey.
create_time google.protobuf.timestamp_pb2.Timestamp
Output only. The time at which this CryptoKey was created.
next_rotation_time google.protobuf.timestamp_pb2.Timestamp
At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
rotation_period google.protobuf.duration_pb2.Duration
next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted. This field is a member of oneof rotation_schedule.
version_template google.cloud.kms_v1.types.CryptoKeyVersionTemplate
A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.
labels MutableMapping[str, str]
Labels with user-defined metadata. For more information, see `Labeling Keys
import_only bool
Immutable. Whether this key may contain imported versions only.
destroy_scheduled_duration google.protobuf.duration_pb2.Duration
Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
crypto_key_backend str
Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey resides and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
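
The rotation and destruction constraints in the attribute descriptions above can be checked before a key configuration is applied. The following is an added example, not part of the google-cloud-kms library or of this reference: it audits plain dicts keyed by the attribute names on this page, and the finding codes, the two policy_* thresholds and the sample configurations are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Bounds and default taken from the attribute descriptions on this page.
MIN_ROTATION = timedelta(hours=24)
MAX_ROTATION = timedelta(hours=876_000)
DEFAULT_DESTROY_WINDOW = timedelta(hours=24)

def audit_crypto_key(key, policy_max_rotation=timedelta(days=90),
                     policy_min_destroy_window=timedelta(days=7)):
    """Return finding codes for one key config (dict keyed by attribute name).

    Both policy_* thresholds are hypothetical organisational limits.
    """
    findings = []
    period = key.get("rotation_period")
    next_rotation = key.get("next_rotation_time")

    if key.get("purpose") != "ENCRYPT_DECRYPT":
        # Rotation fields must be omitted for every other purpose.
        if period is not None or next_rotation is not None:
            findings.append("rotation-fields-on-unsupported-purpose")
    elif period is None:
        # Hypothetical policy: ENCRYPT_DECRYPT keys should rotate automatically.
        findings.append("no-automatic-rotation")
    else:
        if not MIN_ROTATION <= period <= MAX_ROTATION:
            findings.append("rotation-period-out-of-range")
        elif period > policy_max_rotation:
            findings.append("rotation-period-exceeds-policy")
        if next_rotation is None:
            findings.append("rotation-period-without-next-rotation-time")

    # Unset destroy_scheduled_duration means the 24-hour default applies.
    window = key.get("destroy_scheduled_duration")
    if window is None:
        window = DEFAULT_DESTROY_WINDOW
    if window < policy_min_destroy_window:
        findings.append("destroy-window-below-policy")
    return findings

# Constructed sample configurations (not real keys).
NEXT = datetime(2030, 1, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = {
    "ok": {"purpose": "ENCRYPT_DECRYPT", "rotation_period": timedelta(days=30),
           "next_rotation_time": NEXT, "destroy_scheduled_duration": timedelta(days=30)},
    "signing-with-rotation": {"purpose": "ASYMMETRIC_SIGN",
                              "rotation_period": timedelta(days=30)},
    "half-configured": {"purpose": "ENCRYPT_DECRYPT", "rotation_period": timedelta(hours=12),
                        "destroy_scheduled_duration": timedelta(days=7)},
}
```
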

Classes

CryptoKeyPurpose

CryptoKeyPurpose(value)

CryptoKeyPurpose describes the cryptographic capabilities of a CryptoKey. A given key can only be used for the operations allowed by its purpose. For more information, see Key purposes (https://cloud.google.com/kms/docs/algorithms#key_purposes).

LabelsEntry

LabelsEntry(mapping=None, *, ignore_unknown_fields=False, **kwargs)

The abstract base class for a message.

Parameters
Name Description
kwargs dict

Keys and values corresponding to the fields of the message.

mapping Union[dict, .Message]

A dictionary or message to be used to determine the values for this message.

ignore_unknown_fields Optional(bool)

If True, do not raise errors for unknown fields. Only applied if mapping is a mapping type or there are keyword parameters.


Last updated 2025-11-13 UTC.