Class CryptoKey (3.7.0)
`CryptoKey(mapping=None, *, ignore_unknown_fields=False, **kwargs)`

A `CryptoKey` represents a logical key that can be used for cryptographic operations.
A `CryptoKey` is made up of zero or more versions, which represent the actual key material used in cryptographic operations.
Attributes

| Name | Type | Description |
|---|---|---|
| name | `str` | Output only. The resource name for this `CryptoKey` in the format `projects/*/locations/*/keyRings/*/cryptoKeys/*`. |
| primary | `google.cloud.kms_v1.types.CryptoKeyVersion` | Output only. A copy of the "primary" `CryptoKeyVersion` that will be used by `Encrypt` when this `CryptoKey` is given in `EncryptRequest.name`. The `CryptoKey`'s primary version can be updated via `UpdateCryptoKeyPrimaryVersion`. Keys with `purpose` `ENCRYPT_DECRYPT` may have a primary. For other keys, this field will be omitted. |
| purpose | `google.cloud.kms_v1.types.CryptoKey.CryptoKeyPurpose` | Immutable. The immutable purpose of this `CryptoKey`. |
| create_time | `google.protobuf.timestamp_pb2.Timestamp` | Output only. The time at which this `CryptoKey` was created. |
| next_rotation_time | `google.protobuf.timestamp_pb2.Timestamp` | At `next_rotation_time`, the Key Management Service will automatically: 1. Create a new version of this `CryptoKey`. 2. Mark the new version as primary. Key rotations performed manually via `CreateCryptoKeyVersion` and `UpdateCryptoKeyPrimaryVersion` do not affect `next_rotation_time`. Keys with `purpose` `ENCRYPT_DECRYPT` support automatic rotation. For other keys, this field must be omitted. |
| rotation_period | `google.protobuf.duration_pb2.Duration` | `next_rotation_time` will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If `rotation_period` is set, `next_rotation_time` must also be set. Keys with `purpose` `ENCRYPT_DECRYPT` support automatic rotation. For other keys, this field must be omitted. This field is a member of oneof (https://proto-plus-python.readthedocs.io/en/stable/fields.html#oneofs-mutually-exclusive-fields) `_rotation_schedule`. |
| version_template | `google.cloud.kms_v1.types.CryptoKeyVersionTemplate` | A template describing settings for new `CryptoKeyVersion` instances. The properties of new `CryptoKeyVersion` instances created by either `CreateCryptoKeyVersion` or auto-rotation are controlled by this template. |
| labels | `MutableMapping[str, str]` | Labels with user-defined metadata. For more information, see Labeling Keys |
| import_only | `bool` | Immutable. Whether this key may contain imported versions only. |
| destroy_scheduled_duration | `google.protobuf.duration_pb2.Duration` | Immutable. The period of time that versions of this key spend in the `DESTROY_SCHEDULED` state before transitioning to `DESTROYED`. If not specified at creation time, the default duration is 30 days. |
| crypto_key_backend | `str` | Immutable. The resource name of the backend environment where the key material for all `CryptoKeyVersions` associated with this `CryptoKey` resides and where all related cryptographic operations are performed. Only applicable if `CryptoKeyVersions` have a `ProtectionLevel` of `EXTERNAL_VPC`, with the resource name in the format `projects/*/locations/*/ekmConnections/*`. Note, this list is non-exhaustive and may apply to additional `ProtectionLevels` in the future. |
| key_access_justifications_policy | `google.cloud.kms_v1.types.KeyAccessJustificationsPolicy` | Optional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. |
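
An added example (not part of the Google reference or the client library): a pure-Python audit of the rotation rules stated above for `purpose`, `next_rotation_time` and `rotation_period`. `KeyView`, `rotation_findings`, `audit`, the 90-day `policy_max` and the sample keys are assumptions constructed for illustration; field values are assumed to have been copied out already as `datetime`/`timedelta` or `None`.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

MIN_PERIOD = timedelta(hours=24)        # documented lower bound
MAX_PERIOD = timedelta(hours=876_000)   # documented upper bound

@dataclass
class KeyView:
    """Hypothetical plain copy of the CryptoKey fields checked here."""
    name: str
    purpose: str
    rotation_period: Optional[timedelta] = None
    next_rotation_time: Optional[datetime] = None

def rotation_findings(key: KeyView,
                      policy_max: timedelta = timedelta(days=90)) -> List[str]:
    """Return rule violations; policy_max is a local policy assumption."""
    out: List[str] = []
    has_schedule = (key.rotation_period is not None
                    or key.next_rotation_time is not None)
    if key.purpose != "ENCRYPT_DECRYPT":
        # Only ENCRYPT_DECRYPT keys support automatic rotation.
        if has_schedule:
            out.append("rotation fields must be omitted for this purpose")
        return out
    if key.rotation_period is None:
        out.append("no rotation_period: no recurring automatic rotation")
        return out
    if key.next_rotation_time is None:
        out.append("rotation_period set without next_rotation_time")
    if not MIN_PERIOD <= key.rotation_period <= MAX_PERIOD:
        out.append("rotation_period outside 24h..876000h")
    elif key.rotation_period > policy_max:
        out.append("rotation_period longer than policy maximum")
    return out

_NEXT = datetime(2026, 1, 1, tzinfo=timezone.utc)
# Constructed sample inventory, not real keys.
SAMPLE_KEYS = [
    KeyView("ok", "ENCRYPT_DECRYPT", timedelta(days=30), _NEXT),
    KeyView("no-next", "ENCRYPT_DECRYPT", timedelta(days=30)),
    KeyView("too-short", "ENCRYPT_DECRYPT", timedelta(hours=12), _NEXT),
    KeyView("slow", "ENCRYPT_DECRYPT", timedelta(days=365), _NEXT),
    KeyView("signing", "ASYMMETRIC_SIGN", timedelta(days=30), _NEXT),
]

def audit(keys):
    """Map each key name to its list of findings (empty list means clean)."""
    return {k.name: rotation_findings(k) for k in keys}
```
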
Classes
CryptoKeyPurpose
`CryptoKeyPurpose(value)`

`CryptoKeyPurpose` describes the cryptographic capabilities of a `CryptoKey`. A given key can only be used for the operations allowed by its purpose. For more information, see Key purposes (https://cloud.google.com/kms/docs/algorithms#key_purposes).
LabelsEntry
`LabelsEntry(mapping=None, *, ignore_unknown_fields=False, **kwargs)`

The abstract base class for a message.

Parameters

| Name | Type | Description |
|---|---|---|
| kwargs | `dict` | Keys and values corresponding to the fields of the message. |
| mapping | Union[dict, | A dictionary or message to be used to determine the values for this message. |
| ignore_unknown_fields | `Optional(bool)` | If True, do not raise errors for unknown fields. Only applied if |
Last updated 2025-11-13 UTC.