Cloud Key Management Service (KMS) API

Manages keys and performs cryptographic operations in a central cloud service, for direct use by other cloud resources and applications.

Service: cloudkms.googleapis.com

The Service namecloudkms.googleapis.com is needed to create RPC client stubs.

google.cloud.kms.v1.Autokey

Methods
CreateKeyHandle Creates a newKeyHandle, triggering the provisioning of a newCryptoKey for CMEK use with the given resource type in the configured key project and the same location.
GetKeyHandle Returns theKeyHandle.
ListKeyHandles ListsKeyHandles.

google.cloud.kms.v1.AutokeyAdmin

Methods
GetAutokeyConfig Returns theAutokeyConfig for a folder or project.
ShowEffectiveAutokeyConfig Returns the effective Cloud KMS Autokey configuration for a given project.
UpdateAutokeyConfig Updates theAutokeyConfig for a folder or a project.

google.cloud.kms.v1.EkmService

Methods
CreateEkmConnection Creates a newEkmConnection in a given Project and Location.
GetEkmConfig Returns theEkmConfig singleton resource for a given project and location.
GetEkmConnection Returns metadata for a givenEkmConnection.
ListEkmConnections ListsEkmConnections.
UpdateEkmConfig Updates theEkmConfig singleton resource for a given project and location.
UpdateEkmConnection Updates anEkmConnection's metadata.
VerifyConnectivity Verifies that Cloud KMS can successfully connect to the external key manager specified by anEkmConnection.

google.cloud.kms.v1.HsmManagement

Methods
ApproveSingleTenantHsmInstanceProposal Approves aSingleTenantHsmInstanceProposal for a givenSingleTenantHsmInstance.
CreateSingleTenantHsmInstance Creates a newSingleTenantHsmInstance in a given Project and Location.
CreateSingleTenantHsmInstanceProposal Creates a newSingleTenantHsmInstanceProposal for a givenSingleTenantHsmInstance.
DeleteSingleTenantHsmInstanceProposal Deletes aSingleTenantHsmInstanceProposal.
ExecuteSingleTenantHsmInstanceProposal Executes aSingleTenantHsmInstanceProposal for a givenSingleTenantHsmInstance.
GetSingleTenantHsmInstance Returns metadata for a givenSingleTenantHsmInstance.
GetSingleTenantHsmInstanceProposal Returns metadata for a givenSingleTenantHsmInstanceProposal.
ListSingleTenantHsmInstanceProposals ListsSingleTenantHsmInstanceProposals.
ListSingleTenantHsmInstances ListsSingleTenantHsmInstances.

google.cloud.kms.v1.KeyAccessJustificationsConfig

Methods
GetKeyAccessJustificationsPolicyConfig Gets theKeyAccessJustificationsPolicyConfig for a given organization, folder, or project.
ShowEffectiveKeyAccessJustificationsEnrollmentConfig Returns theKeyAccessJustificationsEnrollmentConfig of the resource closest to the given project in hierarchy.
ShowEffectiveKeyAccessJustificationsPolicyConfig Returns theKeyAccessJustificationsPolicyConfig of the resource closest to the given project in hierarchy.
UpdateKeyAccessJustificationsPolicyConfig Updates theKeyAccessJustificationsPolicyConfig for a given organization, folder, or project.

google.cloud.kms.v1.KeyManagementService

Methods
AsymmetricDecrypt Decrypts data that was encrypted with a public key retrieved fromGetPublicKey corresponding to aCryptoKeyVersion withCryptoKey.purpose ASYMMETRIC_DECRYPT.
AsymmetricSign Signs data using aCryptoKeyVersion withCryptoKey.purpose ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved fromGetPublicKey.
CreateCryptoKey Create a newCryptoKey within aKeyRing.
CreateCryptoKeyVersion Create a newCryptoKeyVersion in aCryptoKey.
CreateImportJob Create a newImportJob within aKeyRing.
CreateKeyRing Create a newKeyRing in a given Project and Location.
Decapsulate Decapsulates data that was encapsulated with a public key retrieved fromGetPublicKey corresponding to aCryptoKeyVersion withCryptoKey.purpose KEY_ENCAPSULATION.
Decrypt Decrypts data that was protected byEncrypt.
DestroyCryptoKeyVersion Schedule aCryptoKeyVersion for destruction.
Encrypt Encrypts data, so that it can only be recovered by a call toDecrypt.
GenerateRandomBytes Generate random bytes using the Cloud KMS randomness source in the provided location.
GetCryptoKey Returns metadata for a givenCryptoKey, as well as itsprimaryCryptoKeyVersion.
GetCryptoKeyVersion Returns metadata for a givenCryptoKeyVersion.
GetImportJob Returns metadata for a givenImportJob.
GetKeyRing Returns metadata for a givenKeyRing.
GetPublicKey Returns the public key for the givenCryptoKeyVersion.
ImportCryptoKeyVersion Import wrapped key material into aCryptoKeyVersion.
ListCryptoKeyVersions ListsCryptoKeyVersions.
ListCryptoKeys ListsCryptoKeys.
ListImportJobs ListsImportJobs.
ListKeyRings ListsKeyRings.
MacSign Signs data using aCryptoKeyVersion withCryptoKey.purpose MAC, producing a tag that can be verified by another source with the same key.
MacVerify Verifies MAC tag using aCryptoKeyVersion withCryptoKey.purpose MAC, and returns a response that indicates whether or not the verification was successful.
RawDecrypt Decrypts data that was originally encrypted using a raw cryptographic mechanism.
RawEncrypt Encrypts data using portable cryptographic primitives.
RestoreCryptoKeyVersion Restore aCryptoKeyVersion in theDESTROY_SCHEDULED state.
UpdateCryptoKey Update aCryptoKey.
UpdateCryptoKeyPrimaryVersion Update the version of aCryptoKey that will be used inEncrypt.
UpdateCryptoKeyVersion Update aCryptoKeyVersion's metadata.

google.cloud.location.Locations

Methods
GetLocation Gets information about a location.
ListLocations Lists information about the supported locations for this service.

google.iam.v1.IAMPolicy

Methods
GetIamPolicy Gets the access control policy for a resource.
SetIamPolicy Sets the access control policy on the specified resource.
TestIamPermissions Returns permissions that a caller has on the specified resource.

google.longrunning.Operations

Methods
GetOperation Gets the latest state of a long-running operation.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-11 UTC.