This document provides information about the impact of consistency whenCloud KMS resources are created or modified.

Some operations to Cloud Key Management Service resources are strongly consistent,while others are eventually consistent. Eventually consistent operationstypically propagate within 1 minute, but may take several hours in exceptionalcases.

Disabling a key version is an eventually consistent operation. The keyversion typically remains usable for encrypting and decrypting data forup to 1 minute after it is disabled. In exceptional cases, the key versionremains usable for several hours after it is disabled. See theService Health dashboard forCloud KMS data freshness issues.

Changing the primary key version, manually or during key rotation, is aneventually consistent operation. While such eventually-consistent changespropagate,Encrypt operations for aCryptoKey might use theCryptoKey'sprevious primary version to encrypt.

Impact of changing IAM access

If you need to prevent a user from using a Cloud KMS resourceduring the time needed for propagation of an eventually consistent operation,remove the Identity and Access Management (IAM) permission for the resource. For example,you can prevent a user from using a newly-disabled key version by removingthe IAM role that allows the user to access the key.IAM changes are consistent within seconds; to learn more, seeAccess change propagation.