rpc CreateKeyHandle(CreateKeyHandleRequest) returns (Operation)

Creates a newKeyHandle, triggering the provisioning of a newCryptoKey for CMEK use with the given resource type in the configured key project and the same location.GetOperation should be used to resolve the resulting long-running operation and get the resultingKeyHandle andCryptoKey.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

IAM Permissions

Requires the followingIAM permission on theparent resource:

• cloudkms.keyHandles.create

For more information, see theIAM documentation.

rpc GetKeyHandle(GetKeyHandleRequest) returns (KeyHandle)

Returns theKeyHandle.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

IAM Permissions

Requires the followingIAM permission on thename resource:

• cloudkms.keyHandles.get

For more information, see theIAM documentation.

rpc ListKeyHandles(ListKeyHandlesRequest) returns (ListKeyHandlesResponse)

ListsKeyHandles.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

IAM Permissions

Requires the followingIAM permission on theparent resource:

• cloudkms.keyHandles.list

For more information, see theIAM documentation.

rpc GetAutokeyConfig(GetAutokeyConfigRequest) returns (AutokeyConfig)

Returns theAutokeyConfig for a folder or project.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

IAM Permissions

Requires the followingIAM permission on thename resource:

• cloudkms.autokeyConfigs.get

For more information, see theIAM documentation.

rpc ShowEffectiveAutokeyConfig(ShowEffectiveAutokeyConfigRequest) returns (ShowEffectiveAutokeyConfigResponse)

Returns the effective Cloud KMS Autokey configuration for a given project.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

IAM Permissions

Requires the followingIAM permission on theparent resource:

• cloudkms.projects.showEffectiveAutokeyConfig

For more information, see theIAM documentation.

rpc UpdateAutokeyConfig(UpdateAutokeyConfigRequest) returns (AutokeyConfig)

Updates theAutokeyConfig for a folder or a project. The caller must have bothcloudkms.autokeyConfigs.update permission on the parent folder andcloudkms.cryptoKeys.setIamPolicy permission on the provided key project. AKeyHandle creation in the folder's descendant projects will use this configuration to determine where to create the resultingCryptoKey.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

IAM Permissions

Requires the followingIAM permission on thename resource:

• cloudkms.autokeyConfigs.update

For more information, see theIAM documentation.

rpc CreateEkmConnection(CreateEkmConnectionRequest) returns (EkmConnection)

Creates a newEkmConnection in a given Project and Location.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc GetEkmConfig(GetEkmConfigRequest) returns (EkmConfig)

Returns theEkmConfig singleton resource for a given project and location.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc GetEkmConnection(GetEkmConnectionRequest) returns (EkmConnection)

Returns metadata for a givenEkmConnection.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc ListEkmConnections(ListEkmConnectionsRequest) returns (ListEkmConnectionsResponse)

ListsEkmConnections.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc UpdateEkmConfig(UpdateEkmConfigRequest) returns (EkmConfig)

Updates theEkmConfig singleton resource for a given project and location.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc UpdateEkmConnection(UpdateEkmConnectionRequest) returns (EkmConnection)

Updates anEkmConnection's metadata.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc VerifyConnectivity(VerifyConnectivityRequest) returns (VerifyConnectivityResponse)

Verifies that Cloud KMS can successfully connect to the external key manager specified by anEkmConnection. If there is an error connecting to the EKM, this method returns a FAILED_PRECONDITION status containing structured information as described athttps://cloud.google.com/kms/docs/reference/ekm_errors.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc ApproveSingleTenantHsmInstanceProposal(ApproveSingleTenantHsmInstanceProposalRequest) returns (ApproveSingleTenantHsmInstanceProposalResponse)

Approves aSingleTenantHsmInstanceProposal for a givenSingleTenantHsmInstance. The proposal must be in thePENDING state.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

IAM Permissions

Requires the followingIAM permission on thename resource:

• cloudkms.singleTenantHsmInstanceProposals.approve

For more information, see theIAM documentation.

rpc CreateSingleTenantHsmInstance(CreateSingleTenantHsmInstanceRequest) returns (Operation)

Creates a newSingleTenantHsmInstance in a given Project and Location. User must create a RegisterTwoFactorAuthKeys proposal with this single-tenant HSM instance to finish setup of the instance.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

IAM Permissions

Requires the followingIAM permission on theparent resource:

• cloudkms.singleTenantHsmInstances.create

For more information, see theIAM documentation.

rpc CreateSingleTenantHsmInstanceProposal(CreateSingleTenantHsmInstanceProposalRequest) returns (Operation)

Creates a newSingleTenantHsmInstanceProposal for a givenSingleTenantHsmInstance.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

IAM Permissions

Requires the followingIAM permission on theparent resource:

• cloudkms.singleTenantHsmInstanceProposals.create

For more information, see theIAM documentation.

rpc DeleteSingleTenantHsmInstanceProposal(DeleteSingleTenantHsmInstanceProposalRequest) returns (Empty)

Deletes aSingleTenantHsmInstanceProposal.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

IAM Permissions

Requires the followingIAM permission on thename resource:

• cloudkms.singleTenantHsmInstanceProposals.delete

For more information, see theIAM documentation.

rpc ExecuteSingleTenantHsmInstanceProposal(ExecuteSingleTenantHsmInstanceProposalRequest) returns (Operation)

Executes aSingleTenantHsmInstanceProposal for a givenSingleTenantHsmInstance. The proposal must be in theAPPROVED state.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

IAM Permissions

Requires the followingIAM permission on thename resource:

• cloudkms.singleTenantHsmInstanceProposals.execute

For more information, see theIAM documentation.

rpc GetSingleTenantHsmInstance(GetSingleTenantHsmInstanceRequest) returns (SingleTenantHsmInstance)

Returns metadata for a givenSingleTenantHsmInstance.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

IAM Permissions

Requires the followingIAM permission on thename resource:

• cloudkms.singleTenantHsmInstances.get

For more information, see theIAM documentation.

rpc GetSingleTenantHsmInstanceProposal(GetSingleTenantHsmInstanceProposalRequest) returns (SingleTenantHsmInstanceProposal)

Returns metadata for a givenSingleTenantHsmInstanceProposal.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

IAM Permissions

Requires the followingIAM permission on thename resource:

• cloudkms.singleTenantHsmInstanceProposals.get

For more information, see theIAM documentation.

rpc ListSingleTenantHsmInstanceProposals(ListSingleTenantHsmInstanceProposalsRequest) returns (ListSingleTenantHsmInstanceProposalsResponse)

ListsSingleTenantHsmInstanceProposals.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

IAM Permissions

Requires the followingIAM permission on theparent resource:

• cloudkms.singleTenantHsmInstanceProposals.list

For more information, see theIAM documentation.

rpc ListSingleTenantHsmInstances(ListSingleTenantHsmInstancesRequest) returns (ListSingleTenantHsmInstancesResponse)

ListsSingleTenantHsmInstances.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

IAM Permissions

Requires the followingIAM permission on theparent resource:

• cloudkms.singleTenantHsmInstances.list

For more information, see theIAM documentation.

rpc GetKeyAccessJustificationsPolicyConfig(GetKeyAccessJustificationsPolicyConfigRequest) returns (KeyAccessJustificationsPolicyConfig)

Gets theKeyAccessJustificationsPolicyConfig for a given organization, folder, or project.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc ShowEffectiveKeyAccessJustificationsEnrollmentConfig(ShowEffectiveKeyAccessJustificationsEnrollmentConfigRequest) returns (ShowEffectiveKeyAccessJustificationsEnrollmentConfigResponse)

Returns theKeyAccessJustificationsEnrollmentConfig of the resource closest to the given project in hierarchy.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc ShowEffectiveKeyAccessJustificationsPolicyConfig(ShowEffectiveKeyAccessJustificationsPolicyConfigRequest) returns (ShowEffectiveKeyAccessJustificationsPolicyConfigResponse)

Returns theKeyAccessJustificationsPolicyConfig of the resource closest to the given project in hierarchy.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc UpdateKeyAccessJustificationsPolicyConfig(UpdateKeyAccessJustificationsPolicyConfigRequest) returns (KeyAccessJustificationsPolicyConfig)

Updates theKeyAccessJustificationsPolicyConfig for a given organization, folder, or project.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc AsymmetricDecrypt(AsymmetricDecryptRequest) returns (AsymmetricDecryptResponse)

Decrypts data that was encrypted with a public key retrieved fromGetPublicKey corresponding to aCryptoKeyVersion withCryptoKey.purpose ASYMMETRIC_DECRYPT.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc AsymmetricSign(AsymmetricSignRequest) returns (AsymmetricSignResponse)

Signs data using aCryptoKeyVersion withCryptoKey.purpose ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved fromGetPublicKey.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc CreateCryptoKey(CreateCryptoKeyRequest) returns (CryptoKey)

Create a newCryptoKey within aKeyRing.

CryptoKey.purpose andCryptoKey.version_template.algorithm are required.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc CreateCryptoKeyVersion(CreateCryptoKeyVersionRequest) returns (CryptoKeyVersion)

Create a newCryptoKeyVersion in aCryptoKey.

The server will assign the next sequential id. If unset,state will be set toENABLED.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc CreateImportJob(CreateImportJobRequest) returns (ImportJob)

Create a newImportJob within aKeyRing.

ImportJob.import_method is required.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc CreateKeyRing(CreateKeyRingRequest) returns (KeyRing)

Create a newKeyRing in a given Project and Location.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc Decapsulate(DecapsulateRequest) returns (DecapsulateResponse)

Decapsulates data that was encapsulated with a public key retrieved fromGetPublicKey corresponding to aCryptoKeyVersion withCryptoKey.purpose KEY_ENCAPSULATION.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc Decrypt(DecryptRequest) returns (DecryptResponse)

Decrypts data that was protected byEncrypt. TheCryptoKey.purpose must beENCRYPT_DECRYPT.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc DestroyCryptoKeyVersion(DestroyCryptoKeyVersionRequest) returns (CryptoKeyVersion)

Schedule aCryptoKeyVersion for destruction.

Upon calling this method,CryptoKeyVersion.state will be set toDESTROY_SCHEDULED, anddestroy_time will be set to the timedestroy_scheduled_duration in the future. At that time, thestate will automatically change toDESTROYED, and the key material will be irrevocably destroyed.

Before thedestroy_time is reached,RestoreCryptoKeyVersion may be called to reverse the process.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc Encrypt(EncryptRequest) returns (EncryptResponse)

Encrypts data, so that it can only be recovered by a call toDecrypt. TheCryptoKey.purpose must beENCRYPT_DECRYPT.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc GenerateRandomBytes(GenerateRandomBytesRequest) returns (GenerateRandomBytesResponse)

Generate random bytes using the Cloud KMS randomness source in the provided location.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc GetCryptoKey(GetCryptoKeyRequest) returns (CryptoKey)

Returns metadata for a givenCryptoKey, as well as itsprimaryCryptoKeyVersion.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc GetCryptoKeyVersion(GetCryptoKeyVersionRequest) returns (CryptoKeyVersion)

Returns metadata for a givenCryptoKeyVersion.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc GetImportJob(GetImportJobRequest) returns (ImportJob)

Returns metadata for a givenImportJob.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc GetKeyRing(GetKeyRingRequest) returns (KeyRing)

Returns metadata for a givenKeyRing.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc GetPublicKey(GetPublicKeyRequest) returns (PublicKey)

Returns the public key for the givenCryptoKeyVersion. TheCryptoKey.purpose must beASYMMETRIC_SIGN orASYMMETRIC_DECRYPT.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc ImportCryptoKeyVersion(ImportCryptoKeyVersionRequest) returns (CryptoKeyVersion)

Import wrapped key material into aCryptoKeyVersion.

All requests must specify aCryptoKey. If aCryptoKeyVersion is additionally specified in the request, key material will be reimported into that version. Otherwise, a new version will be created, and will be assigned the next sequential id within theCryptoKey.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc ListCryptoKeyVersions(ListCryptoKeyVersionsRequest) returns (ListCryptoKeyVersionsResponse)

ListsCryptoKeyVersions.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc ListCryptoKeys(ListCryptoKeysRequest) returns (ListCryptoKeysResponse)

ListsCryptoKeys.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc ListImportJobs(ListImportJobsRequest) returns (ListImportJobsResponse)

ListsImportJobs.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc ListKeyRings(ListKeyRingsRequest) returns (ListKeyRingsResponse)

ListsKeyRings.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc MacSign(MacSignRequest) returns (MacSignResponse)

Signs data using aCryptoKeyVersion withCryptoKey.purpose MAC, producing a tag that can be verified by another source with the same key.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc MacVerify(MacVerifyRequest) returns (MacVerifyResponse)

Verifies MAC tag using aCryptoKeyVersion withCryptoKey.purpose MAC, and returns a response that indicates whether or not the verification was successful.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc RawDecrypt(RawDecryptRequest) returns (RawDecryptResponse)

Decrypts data that was originally encrypted using a raw cryptographic mechanism. TheCryptoKey.purpose must beRAW_ENCRYPT_DECRYPT.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc RawEncrypt(RawEncryptRequest) returns (RawEncryptResponse)

Encrypts data using portable cryptographic primitives. Most users should chooseEncrypt andDecrypt rather than their raw counterparts. TheCryptoKey.purpose must beRAW_ENCRYPT_DECRYPT.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc RestoreCryptoKeyVersion(RestoreCryptoKeyVersionRequest) returns (CryptoKeyVersion)

Restore aCryptoKeyVersion in theDESTROY_SCHEDULED state.

Upon restoration of the CryptoKeyVersion,state will be set toDISABLED, anddestroy_time will be cleared.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc UpdateCryptoKey(UpdateCryptoKeyRequest) returns (CryptoKey)

Update aCryptoKey.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc UpdateCryptoKeyPrimaryVersion(UpdateCryptoKeyPrimaryVersionRequest) returns (CryptoKey)

Update the version of aCryptoKey that will be used inEncrypt.

Returns an error if called on a key whose purpose is notENCRYPT_DECRYPT.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

rpc UpdateCryptoKeyVersion(UpdateCryptoKeyVersionRequest) returns (CryptoKeyVersion)

Update aCryptoKeyVersion's metadata.

state may be changed betweenENABLED andDISABLED using this method. SeeDestroyCryptoKeyVersion andRestoreCryptoKeyVersion to move between other states.

Authorization scopes

Requires one of the following OAuth scopes:

• https://www.googleapis.com/auth/cloudkms
• https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

Deprecated: This code is no longer generated by Google Cloud. The GOOGLE_RESPONSE_TO_PRODUCTION_ALERT justification codes available in both Key Access Justifications and Access Transparency logs provide customer-visible signals of emergency access in more precise contexts.

Customer uses their account to perform any access to their own data which their IAM policy authorizes, and one of the following is true:

• A Google administrator has reset the root-access account associated with the user's organization within the past 7 days.
• A Google-initiated emergency access operation has interacted with a resource in the same project or folder as the currently accessed resource within the past 7 days.

Deprecated: This code is no longer generated by Google Cloud. The GOOGLE_RESPONSE_TO_PRODUCTION_ALERT justification codes available in both Key Access Justifications and Access Transparency logs provide customer-visible signals of emergency access in more precise contexts.

Google systems access customer data to help optimize the structure of the data or quality for future uses by the customer, and one of the following is true:

• A Google administrator has reset the root-access account associated with the user's organization within the past 7 days.
• A Google-initiated emergency access operation has interacted with a resource in the same project or folder as the currently accessed resource within the past 7 days.

One of the following operations is being executed while simultaneously encountering an internal technical issue which prevented a more precise justification code from being generated:

• Your account has been used to perform any access to your own data which your IAM policy authorizes.
• An automated Google system operates on encrypted customer data which your IAM policy authorizes.
• Customer-initiated Google support access.
• Google-initiated support access to protect system reliability.

string

Required. Thename of theSingleTenantHsmInstanceProposal to approve.

QuorumReply

Required. The reply toQuorumParameters for approving the proposal.

RequiredActionQuorumReply

Required. The reply toRequiredActionQuorumParameters for approving the proposal.

ChallengeReply

Required. The challenge replies to approve the proposal. Challenge replies can be sent across multiple requests. The proposal will be approved whenrequired_approver_count challenge replies are provided.

ChallengeReply

Required. All required challenges must be signed for the proposal to be approved. These can be sent across multiple requests.

ChallengeReply

Required. Quorum members' signed challenge replies. These can be provided across multiple requests. The proposal will be approved whenrequired_approver_count quorum_challenge_replies are provided and when all required_challenge_replies are provided.

string

Required. The resource name of theCryptoKeyVersion to use for decryption.

Authorization requires the followingIAM permission on the specified resourcename:

• cloudkms.cryptoKeyVersions.useToDecrypt

bytes

Required. The data encrypted with the namedCryptoKeyVersion's public key using OAEP.

Int64Value

Optional. An optional CRC32C checksum of theAsymmetricDecryptRequest.ciphertext. If specified,KeyManagementService will verify the integrity of the receivedAsymmetricDecryptRequest.ciphertext using this checksum.KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(AsymmetricDecryptRequest.ciphertext) is equal toAsymmetricDecryptRequest.ciphertext_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

bytes

The decrypted data originally encrypted with the matching public key.

Int64Value

Integrity verification field. A CRC32C checksum of the returnedAsymmetricDecryptResponse.plaintext. An integrity check ofAsymmetricDecryptResponse.plaintext can be performed by computing the CRC32C checksum ofAsymmetricDecryptResponse.plaintext and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

bool

Integrity verification field. A flag indicating whetherAsymmetricDecryptRequest.ciphertext_crc32c was received byKeyManagementService and used for the integrity verification of theciphertext. A false value of this field indicates either thatAsymmetricDecryptRequest.ciphertext_crc32c was left unset or that it was not delivered toKeyManagementService. If you've setAsymmetricDecryptRequest.ciphertext_crc32c but this field is still false, discard the response and perform a limited number of retries.

ProtectionLevel

TheProtectionLevel of theCryptoKeyVersion used in decryption.

string

Required. The resource name of theCryptoKeyVersion to use for signing.

Authorization requires the followingIAM permission on the specified resourcename:

• cloudkms.cryptoKeyVersions.useToSign

Digest

Optional. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version'salgorithm.

This field may not be supplied ifAsymmetricSignRequest.data is supplied.

Int64Value

Optional. An optional CRC32C checksum of theAsymmetricSignRequest.digest. If specified,KeyManagementService will verify the integrity of the receivedAsymmetricSignRequest.digest using this checksum.KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(AsymmetricSignRequest.digest) is equal toAsymmetricSignRequest.digest_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

bytes

Optional. The data to sign. It can't be supplied ifAsymmetricSignRequest.digest is supplied.

Int64Value

Optional. An optional CRC32C checksum of theAsymmetricSignRequest.data. If specified,KeyManagementService will verify the integrity of the receivedAsymmetricSignRequest.data using this checksum.KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(AsymmetricSignRequest.data) is equal toAsymmetricSignRequest.data_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

bytes

The created signature.

Int64Value

Integrity verification field. A CRC32C checksum of the returnedAsymmetricSignResponse.signature. An integrity check ofAsymmetricSignResponse.signature can be performed by computing the CRC32C checksum ofAsymmetricSignResponse.signature and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

bool

Integrity verification field. A flag indicating whetherAsymmetricSignRequest.digest_crc32c was received byKeyManagementService and used for the integrity verification of thedigest. A false value of this field indicates either thatAsymmetricSignRequest.digest_crc32c was left unset or that it was not delivered toKeyManagementService. If you've setAsymmetricSignRequest.digest_crc32c but this field is still false, discard the response and perform a limited number of retries.

string

The resource name of theCryptoKeyVersion used for signing. Check this field to verify that the intended resource was used for signing.

bool

Integrity verification field. A flag indicating whetherAsymmetricSignRequest.data_crc32c was received byKeyManagementService and used for the integrity verification of thedata. A false value of this field indicates either thatAsymmetricSignRequest.data_crc32c was left unset or that it was not delivered toKeyManagementService. If you've setAsymmetricSignRequest.data_crc32c but this field is still false, discard the response and perform a limited number of retries.

ProtectionLevel

TheProtectionLevel of theCryptoKeyVersion used for signing.

string

Identifier. Name of theAutokeyConfig resource, e.g.folders/{FOLDER_NUMBER}/autokeyConfig orprojects/{PROJECT_NUMBER}/autokeyConfig.

string

Optional. Name of the key project, e.g.projects/{PROJECT_ID} orprojects/{PROJECT_NUMBER}, where Cloud KMS Autokey will provision a newCryptoKey when aKeyHandle is created. OnUpdateAutokeyConfig, the caller will requirecloudkms.cryptoKeys.setIamPolicy permission on this key project. Once configured, for Cloud KMS Autokey to function properly, this key project must have the Cloud KMS API activated and the Cloud KMS Service Agent for this key project must be granted thecloudkms.admin role (or pertinent permissions). A request with an empty key project field will clear the configuration.

State

Output only. The state for the AutokeyConfig.

string

Optional. A checksum computed by the server based on the value of other fields. This may be sent on update requests to ensure that the client has an up-to-date value before proceeding. The request will be rejected with an ABORTED error on a mismatched etag.

KeyProjectResolutionMode

Optional. KeyProjectResolutionMode for the AutokeyConfig. Valid values areDEDICATED_KEY_PROJECT,RESOURCE_PROJECT, orDISABLED.

bytes

Required. The raw certificate bytes in DER format.

bool

Output only. True if the certificate was parsed successfully.

string

Output only. The issuer distinguished name in RFC 2253 format. Only present ifparsed is true.

string

Output only. The subject distinguished name in RFC 2253 format. Only present ifparsed is true.

string

Output only. The subject Alternative DNS names. Only present ifparsed is true.

Timestamp

Output only. The certificate is not valid before this time. Only present ifparsed is true.

Timestamp

Output only. The certificate is not valid after this time. Only present ifparsed is true.

string

Output only. The certificate serial number as a hex string. Only present ifparsed is true.

string

Output only. The SHA-256 certificate fingerprint as a hex string. Only present ifparsed is true.

bytes

Output only. The challenge to be signed by the 2FA key indicated by the public key.

string

Output only. The public key associated with the 2FA key that should sign the challenge.

bytes

Required. The signed challenge associated with the 2FA key. The signature must be RSASSA-PKCS1 v1.5 with a SHA256 digest.

string

Required. The public key associated with the 2FA key.

bytes

Raw Data.

Int64Value

Integrity verification field. A CRC32C checksum of the returnedChecksummedData.data. An integrity check ofChecksummedData.data can be performed by computing the CRC32C checksum ofChecksummedData.data and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed2^32-1, and can be safely downconverted to uint32 in languages that support this type.

string

Required. Thename of the KeyRing associated with theCryptoKeys.

Authorization requires the followingIAM permission on the specified resourceparent:

• cloudkms.cryptoKeys.create

string

Required. It must be unique within a KeyRing and match the regular expression[a-zA-Z0-9_-]{1,63}

CryptoKey

Required. ACryptoKey with initial field values.

bool

If set to true, the request will create aCryptoKey without anyCryptoKeyVersions. You must manually callCreateCryptoKeyVersion orImportCryptoKeyVersion before you can use thisCryptoKey.

string

Required. Thename of theCryptoKey associated with theCryptoKeyVersions.

Authorization requires the followingIAM permission on the specified resourceparent:

• cloudkms.cryptoKeyVersions.create

CryptoKeyVersion

Required. ACryptoKeyVersion with initial field values.

string

Required. The resource name of the location associated with theEkmConnection, in the formatprojects/*/locations/*.

Authorization requires the followingIAM permission on the specified resourceparent:

• cloudkms.ekmConnections.create

string

Required. It must be unique within a location and match the regular expression[a-zA-Z0-9_-]{1,63}.

EkmConnection

Required. AnEkmConnection with initial field values.

string

Required. Thename of theKeyRing associated with theImportJobs.

Authorization requires the followingIAM permission on the specified resourceparent:

• cloudkms.importJobs.create

string

Required. It must be unique within a KeyRing and match the regular expression[a-zA-Z0-9_-]{1,63}

ImportJob

Required. AnImportJob with initial field values.

string

Required. Name of the resource project and location to create theKeyHandle in, e.g.projects/{PROJECT_ID}/locations/{LOCATION}.

string

Optional. Id of theKeyHandle. Must be unique to the resource project and location. If not provided by the caller, a new UUID is used.

KeyHandle

Required.KeyHandle to create.

string

Required. The resource name of the location associated with theKeyRings, in the formatprojects/*/locations/*.

Authorization requires the followingIAM permission on the specified resourceparent:

• cloudkms.keyRings.create

string

Required. It must be unique within a location and match the regular expression[a-zA-Z0-9_-]{1,63}

KeyRing

Required. AKeyRing with initial field values.

string

Required. Thename of theSingleTenantHsmInstance associated with theSingleTenantHsmInstanceProposals.

string

Optional. It must be unique within a location and match the regular expression[a-zA-Z0-9_-]{1,63}.

SingleTenantHsmInstanceProposal

Required. TheSingleTenantHsmInstanceProposal to create.

string

Required. The resource name of the location associated with theSingleTenantHsmInstance, in the formatprojects/*/locations/*.

string

Optional. It must be unique within a location and match the regular expression[a-zA-Z0-9_-]{1,63}.

SingleTenantHsmInstance

Required. AnSingleTenantHsmInstance with initial field values.

string

Output only. The resource name for thisCryptoKey in the formatprojects/*/locations/*/keyRings/*/cryptoKeys/*.

CryptoKeyVersion

Output only. A copy of the "primary"CryptoKeyVersion that will be used byEncrypt when thisCryptoKey is given inEncryptRequest.name.

TheCryptoKey's primary version can be updated viaUpdateCryptoKeyPrimaryVersion.

Keys withpurposeENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.

CryptoKeyPurpose

Immutable. The immutable purpose of thisCryptoKey.

Timestamp

Output only. The time at which thisCryptoKey was created.

Timestamp

Atnext_rotation_time, the Key Management Service will automatically:

1. Create a new version of thisCryptoKey.
2. Mark the new version as primary.

Key rotations performed manually viaCreateCryptoKeyVersion andUpdateCryptoKeyPrimaryVersion do not affectnext_rotation_time.

Keys withpurposeENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.

CryptoKeyVersionTemplate

A template describing settings for newCryptoKeyVersion instances. The properties of newCryptoKeyVersion instances created by eitherCreateCryptoKeyVersion or auto-rotation are controlled by this template.

map<string, string>

Labels with user-defined metadata. For more information, seeLabeling Keys.

bool

Immutable. Whether this key may contain imported versions only.

Duration

Immutable. The period of time that versions of this key spend in theDESTROY_SCHEDULED state before transitioning toDESTROYED. If not specified at creation time, the default duration is 30 days.

string

Immutable. The resource name of the backend environment where the key material for allCryptoKeyVersions associated with thisCryptoKey reside and where all related cryptographic operations are performed. Only applicable ifCryptoKeyVersions have aProtectionLevel ofEXTERNAL_VPC, with the resource name in the formatprojects/*/locations/*/ekmConnections/*. Only applicable ifCryptoKeyVersions have aProtectionLevel ofHSM_SINGLE_TENANT, with the resource name in the formatprojects/*/locations/*/singleTenantHsmInstances/*. Note, this list is non-exhaustive and may apply to additionalProtectionLevels in the future.

KeyAccessJustificationsPolicy

Optional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes.https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed.

Duration

next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours.

Ifrotation_period is set,next_rotation_time must also be set.

Keys withpurposeENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.

string

Output only. The resource name for thisCryptoKeyVersion in the formatprojects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

CryptoKeyVersionState

The current state of theCryptoKeyVersion.

ProtectionLevel

Output only. TheProtectionLevel describing how crypto operations are performed with thisCryptoKeyVersion.

CryptoKeyVersionAlgorithm

Output only. TheCryptoKeyVersionAlgorithm that thisCryptoKeyVersion supports.

KeyOperationAttestation

Output only. Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions withprotection_levelHSM.

Timestamp

Output only. The time at which thisCryptoKeyVersion was created.

Timestamp

Output only. The time thisCryptoKeyVersion's key material was generated.

Timestamp

Output only. The time thisCryptoKeyVersion's key material is scheduled for destruction. Only present ifstate isDESTROY_SCHEDULED.

Timestamp

Output only. The time this CryptoKeyVersion's key material was destroyed. Only present ifstate isDESTROYED.

string

Output only. The name of theImportJob used in the most recent import of thisCryptoKeyVersion. Only present if the underlying key material was imported.

Timestamp

Output only. The time at which thisCryptoKeyVersion's key material was most recently imported.

string

Output only. The root cause of the most recent import failure. Only present ifstate isIMPORT_FAILED.

string

Output only. The root cause of the most recent generation failure. Only present ifstate isGENERATION_FAILED.

string

Output only. The root cause of the most recent external destruction failure. Only present ifstate isEXTERNAL_DESTRUCTION_FAILED.

ExternalProtectionLevelOptions

ExternalProtectionLevelOptions stores a group of additional fields for configuring aCryptoKeyVersion that are specific to theEXTERNAL protection level andEXTERNAL_VPC protection levels.

bool

Output only. Whether or not this key version is eligible for reimport, by being specified as a target inImportCryptoKeyVersionRequest.crypto_key_version.

ProtectionLevel

ProtectionLevel to use when creating aCryptoKeyVersion based on this template. Immutable. Defaults toSOFTWARE.

CryptoKeyVersionAlgorithm

Required.Algorithm to use when creating aCryptoKeyVersion based on this template.

For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted andCryptoKey.purpose isENCRYPT_DECRYPT.

string

Required. The resource name of theCryptoKeyVersion to use for decapsulation.

Authorization requires the followingIAM permission on the specified resourcename:

• cloudkms.cryptoKeyVersions.useToDecapsulate

bytes

Required. The ciphertext produced from encapsulation with the namedCryptoKeyVersion public key(s).

Int64Value

Optional. A CRC32C checksum of theDecapsulateRequest.ciphertext. If specified,KeyManagementService will verify the integrity of the receivedDecapsulateRequest.ciphertext using this checksum.KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(DecapsulateRequest.ciphertext) is equal toDecapsulateRequest.ciphertext_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

string

The resource name of theCryptoKeyVersion used for decapsulation. Check this field to verify that the intended resource was used for decapsulation.

bytes

The decapsulated shared_secret originally encapsulated with the matching public key.

bool

Integrity verification field. A flag indicating whetherDecapsulateRequest.ciphertext_crc32c was received byKeyManagementService and used for the integrity verification of theciphertext. A false value of this field indicates either thatDecapsulateRequest.ciphertext_crc32c was left unset or that it was not delivered toKeyManagementService. If you've setDecapsulateRequest.ciphertext_crc32c but this field is still false, discard the response and perform a limited number of retries.

ProtectionLevel

TheProtectionLevel of theCryptoKeyVersion used in decapsulation.

int64

Integrity verification field. A CRC32C checksum of the returnedDecapsulateResponse.shared_secret. An integrity check ofDecapsulateResponse.shared_secret can be performed by computing the CRC32C checksum ofDecapsulateResponse.shared_secret and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: receiving this response message indicates thatKeyManagementService is able to successfully decrypt theciphertext. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

string

Required. The resource name of theCryptoKey to use for decryption. The server will choose the appropriate version.

Authorization requires the followingIAM permission on the specified resourcename:

• cloudkms.cryptoKeyVersions.useToDecrypt

bytes

Required. The encrypted data originally returned inEncryptResponse.ciphertext.

bytes

Optional. Optional data that must match the data originally supplied inEncryptRequest.additional_authenticated_data.

Int64Value

Optional. An optional CRC32C checksum of theDecryptRequest.ciphertext. If specified,KeyManagementService will verify the integrity of the receivedDecryptRequest.ciphertext using this checksum.KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(DecryptRequest.ciphertext) is equal toDecryptRequest.ciphertext_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

Int64Value

Optional. An optional CRC32C checksum of theDecryptRequest.additional_authenticated_data. If specified,KeyManagementService will verify the integrity of the receivedDecryptRequest.additional_authenticated_data using this checksum.KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(DecryptRequest.additional_authenticated_data) is equal toDecryptRequest.additional_authenticated_data_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

bytes

The decrypted data originally supplied inEncryptRequest.plaintext.

Int64Value

Integrity verification field. A CRC32C checksum of the returnedDecryptResponse.plaintext. An integrity check ofDecryptResponse.plaintext can be performed by computing the CRC32C checksum ofDecryptResponse.plaintext and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: receiving this response message indicates thatKeyManagementService is able to successfully decrypt theciphertext. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

bool

Whether the Decryption was performed using the primary key version.

ProtectionLevel

TheProtectionLevel of theCryptoKeyVersion used in decryption.

string

Required. Thename of theSingleTenantHsmInstanceProposal to delete.

string

Required. The resource name of theCryptoKeyVersion to destroy.

Authorization requires the followingIAM permission on the specified resourcename:

• cloudkms.cryptoKeyVersions.destroy

bytes

A message digest produced with the SHA-256 algorithm.

bytes

A message digest produced with the SHA-384 algorithm.

bytes

A message digest produced with the SHA-512 algorithm.

string

Output only. The resource name for theEkmConfig in the formatprojects/*/locations/*/ekmConfig.

string

Optional. Resource name of the defaultEkmConnection. Setting this field to the empty string removes the default.

string

Output only. The resource name for theEkmConnection in the formatprojects/*/locations/*/ekmConnections/*.

Timestamp

Output only. The time at which theEkmConnection was created.

ServiceResolver

Optional. A list ofServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a singleServiceResolver is supported.

string

Optional. Etag of the currently storedEkmConnection.

KeyManagementMode

Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults toMANUAL.

string

Optional. Identifies the EKM Crypto Space that thisEkmConnection maps to. Note: This field is required ifKeyManagementMode isCLOUD_KMS.

AllCryptoKeys created with thisEkmConnection use EKM-side key management operations initiated from Cloud KMS. This means that:

• When aCryptoKeyVersion associated with thisEkmConnection is created, the EKM automatically generates new key material and a new key path. The caller cannot supply the key path of pre-existing external key material.
• Destruction of external key material associated with thisEkmConnection can be requested by callingDestroyCryptoKeyVersion.
• Automatic rotation of key material is supported.

string

Required. The resource name of the Service Directory service pointing to an EKM replica, in the formatprojects/*/locations/*/namespaces/*/services/*.

string

Optional. The filter applied to the endpoints of the resolved service. If no filter is specified, all endpoints will be considered. An endpoint will be chosen arbitrarily from the filtered list for each request.

For endpoint filter syntax and examples, seehttps://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.

string

Required. The hostname of the EKM replica used at TLS and HTTP layers.

Certificate

Required. A list of leaf server certificates used to authenticate HTTPS connections to the EKM replica. Currently, a maximum of 10Certificate is supported.

string

Required. The resource name of theCryptoKey orCryptoKeyVersion to use for encryption.

If aCryptoKey is specified, the server will use itsprimary version.

Authorization requires the followingIAM permission on the specified resourcename:

• cloudkms.cryptoKeyVersions.useToEncrypt

bytes

Required. The data to encrypt. Must be no larger than 64KiB.

The maximum size depends on the key version'sprotection_level. ForSOFTWARE,EXTERNAL, andEXTERNAL_VPC keys, the plaintext must be no larger than 64KiB. ForHSM keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.

bytes

Optional. Optional data that, if specified, must also be provided during decryption throughDecryptRequest.additional_authenticated_data.

The maximum size depends on the key version'sprotection_level. ForSOFTWARE,EXTERNAL, andEXTERNAL_VPC keys the AAD must be no larger than 64KiB. ForHSM keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.

Int64Value

Optional. An optional CRC32C checksum of theEncryptRequest.plaintext. If specified,KeyManagementService will verify the integrity of the receivedEncryptRequest.plaintext using this checksum.KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(EncryptRequest.plaintext) is equal toEncryptRequest.plaintext_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

Int64Value

Optional. An optional CRC32C checksum of theEncryptRequest.additional_authenticated_data. If specified,KeyManagementService will verify the integrity of the receivedEncryptRequest.additional_authenticated_data using this checksum.KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(EncryptRequest.additional_authenticated_data) is equal toEncryptRequest.additional_authenticated_data_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

string

The resource name of theCryptoKeyVersion used in encryption. Check this field to verify that the intended resource was used for encryption.

bytes

The encrypted data.

Int64Value

Integrity verification field. A CRC32C checksum of the returnedEncryptResponse.ciphertext. An integrity check ofEncryptResponse.ciphertext can be performed by computing the CRC32C checksum ofEncryptResponse.ciphertext and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

bool

Integrity verification field. A flag indicating whetherEncryptRequest.plaintext_crc32c was received byKeyManagementService and used for the integrity verification of theplaintext. A false value of this field indicates either thatEncryptRequest.plaintext_crc32c was left unset or that it was not delivered toKeyManagementService. If you've setEncryptRequest.plaintext_crc32c but this field is still false, discard the response and perform a limited number of retries.

bool

Integrity verification field. A flag indicating whetherEncryptRequest.additional_authenticated_data_crc32c was received byKeyManagementService and used for the integrity verification of theAAD. A false value of this field indicates either thatEncryptRequest.additional_authenticated_data_crc32c was left unset or that it was not delivered toKeyManagementService. If you've setEncryptRequest.additional_authenticated_data_crc32c but this field is still false, discard the response and perform a limited number of retries.

ProtectionLevel

TheProtectionLevel of theCryptoKeyVersion used in encryption.

string

Required. Thename of theSingleTenantHsmInstanceProposal to execute.

string

The URI for an external resource that thisCryptoKeyVersion represents.

string

The path to the external key material on the EKM when usingEkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using anEkmConnection.

string

The project-specific location in which to generate random bytes. For example, "projects/my-project/locations/us-central1".

int32

The length in bytes of the amount of randomness to retrieve. Minimum 8 bytes, maximum 1024 bytes.

ProtectionLevel

TheProtectionLevel to use when generating the random data. Currently, onlyHSM protection level is supported.

bytes

The generated data.

Int64Value

Integrity verification field. A CRC32C checksum of the returnedGenerateRandomBytesResponse.data. An integrity check ofGenerateRandomBytesResponse.data can be performed by computing the CRC32C checksum ofGenerateRandomBytesResponse.data and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

string

Required. Name of theAutokeyConfig resource, e.g.folders/{FOLDER_NUMBER}/autokeyConfig orprojects/{PROJECT_NUMBER}/autokeyConfig.

string

Required. Thename of theCryptoKey to get.

Authorization requires the followingIAM permission on the specified resourcename:

• cloudkms.cryptoKeys.get

string

Required. Thename of theCryptoKeyVersion to get.

Authorization requires the followingIAM permission on the specified resourcename:

• cloudkms.cryptoKeyVersions.get

string

Required. Thename of theEkmConfig to get.

Authorization requires the followingIAM permission on the specified resourcename:

• cloudkms.ekmConfigs.get

string

Required. Thename of theEkmConnection to get.

Authorization requires the followingIAM permission on the specified resourcename:

• cloudkms.ekmConnections.get

string

Required. Thename of theImportJob to get.

Authorization requires the followingIAM permission on the specified resourcename:

• cloudkms.importJobs.get

string

Required. Thename of theKeyAccessJustificationsPolicyConfig to get.

string

Required. Name of theKeyHandle resource, e.g.projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEY_HANDLE_ID}.

string

Required. Thename of theKeyRing to get.

Authorization requires the followingIAM permission on the specified resourcename:

• cloudkms.keyRings.get

string

Required. Thename of theCryptoKeyVersion public key to get.

Authorization requires the followingIAM permission on the specified resourcename:

• cloudkms.cryptoKeyVersions.viewPublicKey

PublicKeyFormat

Optional. ThePublicKey format specified by the user. This field is required for PQC algorithms. If specified, the public key will be exported through thepublic_key field in the requested format. Otherwise, thepem field will be populated for non-PQC algorithms, and an error will be returned for PQC algorithms.

string

Required. Thename of theSingleTenantHsmInstanceProposal to get.

string

Required. Thename of theSingleTenantHsmInstance to get.

string

Required. Thename of theCryptoKey to be imported into.

The create permission is only required on this key when creating a newCryptoKeyVersion.

Authorization requires the followingIAM permission on the specified resourceparent:

• cloudkms.cryptoKeyVersions.create

string

Optional. The optionalname of an existingCryptoKeyVersion to target for an import operation. If this field is not present, a newCryptoKeyVersion containing the supplied key material is created.

If this field is present, the supplied key material is imported into the existingCryptoKeyVersion. To import into an existingCryptoKeyVersion, theCryptoKeyVersion must be a child ofImportCryptoKeyVersionRequest.parent, have been previously created viaImportCryptoKeyVersion, and be inDESTROYED orIMPORT_FAILED state. The key material and algorithm must match the previousCryptoKeyVersion exactly if theCryptoKeyVersion has ever contained key material.

Authorization requires the followingIAM permission on the specified resourcecryptoKeyVersion:

• cloudkms.cryptoKeyVersions.update

CryptoKeyVersionAlgorithm

Required. Thealgorithm of the key being imported. This does not need to match theversion_template of theCryptoKey this version imports into.

string

Required. Thename of theImportJob that was used to wrap this key material.

Authorization requires the followingIAM permission on the specified resourceimportJob:

• cloudkms.importjobs.useToImport

bytes

Optional. The wrapped key material to import.

Before wrapping, key material must be formatted. If importing symmetric key material, the expected key material format is plain bytes. If importing asymmetric key material, the expected key material format is PKCS#8-encoded DER (the PrivateKeyInfo structure from RFC 5208).

When wrapping with import methods (RSA_OAEP_3072_SHA1_AES_256 orRSA_OAEP_4096_SHA1_AES_256 orRSA_OAEP_3072_SHA256_AES_256 orRSA_OAEP_4096_SHA256_AES_256),

this field must contain the concatenation of:

1. An ephemeral AES-256 wrapping key wrapped with thepublic_key using RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty label.
2. The formatted key to be imported, wrapped with the ephemeral AES-256 key using AES-KWP (RFC 5649).

This format is the same as the format produced by PKCS#11 mechanism CKM_RSA_AES_KEY_WRAP.

When wrapping with import methods (RSA_OAEP_3072_SHA256 orRSA_OAEP_4096_SHA256),

this field must contain the formatted key to be imported, wrapped with thepublic_key using RSAES-OAEP with SHA-256, MGF1 with SHA-256, and an empty label.

bytes

Optional. This field has the same meaning aswrapped_key. Prefer to use that field in new work. Either that field or this field (but not both) must be specified.

string

Output only. The resource name for thisImportJob in the formatprojects/*/locations/*/keyRings/*/importJobs/*.

ImportMethod

Required. Immutable. The wrapping method to be used for incoming key material.

ProtectionLevel

Required. Immutable. The protection level of theImportJob. This must match theprotection_level of theversion_template on theCryptoKey you attempt to import into.

Timestamp

Output only. The time at which thisImportJob was created.

Timestamp

Output only. The time thisImportJob's key material was generated.

Timestamp

Output only. The time at which thisImportJob is scheduled for expiration and can no longer be used to import key material.

Timestamp

Output only. The time thisImportJob expired. Only present ifstate isEXPIRED.

ImportJobState

Output only. The current state of theImportJob, indicating if it can be used.

WrappingPublicKey

Output only. The public key with which to wrap key material prior to import. Only returned ifstate isACTIVE.

KeyOperationAttestation

Output only. Statement that was generated and signed by the key creator (for example, an HSM) at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only present if the chosenImportMethod is one with a protection level ofHSM.

string

Immutable. The resource name of the backend environment where the key material for the wrapping key resides and where all related cryptographic operations are performed. Currently, this field is only populated for keys stored in HSM_SINGLE_TENANT. Note, this list is non-exhaustive and may apply to additionalProtectionLevels in the future. Supported resources: *"projects/*/locations/*/singleTenantHsmInstances/*"

string

The public key, encoded in PEM format. For more information, see theRFC 7468 sections forGeneral Considerations andTextual Encoding of Subject Public Key Info.

bool

Whether the project has KAJ logging enabled.

bool

Whether the project is enrolled in KAJ policy enforcement.

AccessReason

The list of allowed reasons for access to aCryptoKey. Zero allowed access reasons means all encrypt, decrypt, and sign operations for theCryptoKey associated with this policy will fail.

string

Identifier. The resource name for thisKeyAccessJustificationsPolicyConfig in the format of "{organizations|folders|projects}/*/kajPolicyConfig".

KeyAccessJustificationsPolicy

Optional. The default key access justification policy used when aCryptoKey is created in this folder. This is only used when a Key Access Justifications policy is not provided in theCreateCryptoKeyRequest. This overrides any default policies in its ancestry.

string

Identifier. Name of theKeyHandle resource, e.g.projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEY_HANDLE_ID}.

string

Output only. Name of aCryptoKey that has been provisioned for Customer Managed Encryption Key (CMEK) use in theKeyHandle project and location for the requested resource type. TheCryptoKey project will reflect the value configured in theAutokeyConfig on the resource project's ancestor folder at the time of theKeyHandle creation. If more than one ancestor folder has a configuredAutokeyConfig, the nearest of these configurations is used.

string

Required. Indicates the resource type that the resultingCryptoKey is meant to protect, e.g.{SERVICE}.googleapis.com/{TYPE}. See documentation for supported resource types.

AttestationFormat

Output only. The format of the attestation data.

bytes

Output only. The attestation data provided by the HSM when the key operation was performed.

CertificateChains

Output only. The certificate chains needed to validate the attestation

Cavium HSM attestation compressed with gzip. Note that this format is defined by Cavium and subject to change at any time.

Seehttps://www.marvell.com/products/security-solutions/nitrox-hs-adapters/software-key-attestation.html.

string

Cavium certificate chain corresponding to the attestation.

string

Google card certificate chain corresponding to the attestation.

string

Google partition certificate chain corresponding to the attestation.

string

Output only. The resource name for theKeyRing in the formatprojects/*/locations/*/keyRings/*.

Timestamp

Output only. The time at which thisKeyRing was created.

string

Required. The resource name of theCryptoKey to list, in the formatprojects/*/locations/*/keyRings/*/cryptoKeys/*.

Authorization requires the followingIAM permission on the specified resourceparent:

• cloudkms.cryptoKeyVersions.list

int32

Optional. Optional limit on the number ofCryptoKeyVersions to include in the response. FurtherCryptoKeyVersions can subsequently be obtained by including theListCryptoKeyVersionsResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

string

Optional. Optional pagination token, returned earlier viaListCryptoKeyVersionsResponse.next_page_token.

CryptoKeyVersionView

The fields to include in the response.

string

Optional. Only include resources that match the filter in the response. For more information, seeSorting and filtering list results.

string

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, seeSorting and filtering list results.

CryptoKeyVersion

The list ofCryptoKeyVersions.

string

A token to retrieve next page of results. Pass this value inListCryptoKeyVersionsRequest.page_token to retrieve the next page of results.

int32

The total number ofCryptoKeyVersions that matched the query.

This field is not populated ifListCryptoKeyVersionsRequest.filter is applied.

string

Required. The resource name of theKeyRing to list, in the formatprojects/*/locations/*/keyRings/*.

Authorization requires the followingIAM permission on the specified resourceparent:

• cloudkms.cryptoKeys.list

int32

Optional. Optional limit on the number ofCryptoKeys to include in the response. FurtherCryptoKeys can subsequently be obtained by including theListCryptoKeysResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

string

Optional. Optional pagination token, returned earlier viaListCryptoKeysResponse.next_page_token.

CryptoKeyVersionView

The fields of the primary version to include in the response.

string

Optional. Only include resources that match the filter in the response. For more information, seeSorting and filtering list results.

string

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, seeSorting and filtering list results.

CryptoKey

The list ofCryptoKeys.

string

A token to retrieve next page of results. Pass this value inListCryptoKeysRequest.page_token to retrieve the next page of results.

int32

The total number ofCryptoKeys that matched the query.

This field is not populated ifListCryptoKeysRequest.filter is applied.

string

Required. The resource name of the location associated with theEkmConnections to list, in the formatprojects/*/locations/*.

Authorization requires the followingIAM permission on the specified resourceparent:

• cloudkms.ekmConnections.list

int32

Optional. Optional limit on the number ofEkmConnections to include in the response. FurtherEkmConnections can subsequently be obtained by including theListEkmConnectionsResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

string

Optional. Optional pagination token, returned earlier viaListEkmConnectionsResponse.next_page_token.

string

Optional. Only include resources that match the filter in the response. For more information, seeSorting and filtering list results.

string

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, seeSorting and filtering list results.

EkmConnection

The list ofEkmConnections.

string

A token to retrieve next page of results. Pass this value inListEkmConnectionsRequest.page_token to retrieve the next page of results.

int32

The total number ofEkmConnections that matched the query.

This field is not populated ifListEkmConnectionsRequest.filter is applied.

string

Required. The resource name of theKeyRing to list, in the formatprojects/*/locations/*/keyRings/*.

Authorization requires the followingIAM permission on the specified resourceparent:

• cloudkms.importJobs.list

int32

Optional. Optional limit on the number ofImportJobs to include in the response. FurtherImportJobs can subsequently be obtained by including theListImportJobsResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

string

Optional. Optional pagination token, returned earlier viaListImportJobsResponse.next_page_token.

string

Optional. Only include resources that match the filter in the response. For more information, seeSorting and filtering list results.

string

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, seeSorting and filtering list results.

ImportJob

The list ofImportJobs.

string

A token to retrieve next page of results. Pass this value inListImportJobsRequest.page_token to retrieve the next page of results.

int32

The total number ofImportJobs that matched the query.

This field is not populated ifListImportJobsRequest.filter is applied.

string

Required. Name of the resource project and location from which to listKeyHandles, e.g.projects/{PROJECT_ID}/locations/{LOCATION}.

int32

Optional. Optional limit on the number ofKeyHandles to include in the response. The service may return fewer than this value. FurtherKeyHandles can subsequently be obtained by including theListKeyHandlesResponse.next_page_token in a subsequent request. If unspecified, at most 100KeyHandles will be returned.

string

Optional. Optional pagination token, returned earlier viaListKeyHandlesResponse.next_page_token.

string

Optional. Filter to apply when listingKeyHandles, e.g.resource_type_selector="{SERVICE}.googleapis.com/{TYPE}".

KeyHandle

ResultingKeyHandles.

string

A token to retrieve next page of results. Pass this value inListKeyHandlesRequest.page_token to retrieve the next page of results.

string

Required. The resource name of the location associated with theKeyRings, in the formatprojects/*/locations/*.

Authorization requires the followingIAM permission on the specified resourceparent:

• cloudkms.keyRings.list

int32

Optional. Optional limit on the number ofKeyRings to include in the response. FurtherKeyRings can subsequently be obtained by including theListKeyRingsResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

string

Optional. Optional pagination token, returned earlier viaListKeyRingsResponse.next_page_token.

string

Optional. Only include resources that match the filter in the response. For more information, seeSorting and filtering list results.

string

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, seeSorting and filtering list results.

KeyRing

The list ofKeyRings.

string

A token to retrieve next page of results. Pass this value inListKeyRingsRequest.page_token to retrieve the next page of results.

int32

The total number ofKeyRings that matched the query.

This field is not populated ifListKeyRingsRequest.filter is applied.

string

Required. The resource name of the single tenant HSM instance associated with theSingleTenantHsmInstanceProposals to list, in the formatprojects/*/locations/*/singleTenantHsmInstances/*.

int32

Optional. Optional limit on the number ofSingleTenantHsmInstanceProposals to include in the response. FurtherSingleTenantHsmInstanceProposals can subsequently be obtained by including theListSingleTenantHsmInstanceProposalsResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

string

Optional. Optional pagination token, returned earlier viaListSingleTenantHsmInstanceProposalsResponse.next_page_token.

string

Optional. Only include resources that match the filter in the response. For more information, seeSorting and filtering list results.

string

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, seeSorting and filtering list results.

bool

Optional. If set to true,HsmManagement.ListSingleTenantHsmInstanceProposals will also returnSingleTenantHsmInstanceProposals in DELETED state.

SingleTenantHsmInstanceProposal

The list ofSingleTenantHsmInstanceProposals.

string

A token to retrieve next page of results. Pass this value inListSingleTenantHsmInstanceProposalsRequest.page_token to retrieve the next page of results.

int32

The total number ofSingleTenantHsmInstanceProposals that matched the query.

This field is not populated ifListSingleTenantHsmInstanceProposalsRequest.filter is applied.

string

Required. The resource name of the location associated with theSingleTenantHsmInstances to list, in the formatprojects/*/locations/*.

int32

Optional. Optional limit on the number ofSingleTenantHsmInstances to include in the response. FurtherSingleTenantHsmInstances can subsequently be obtained by including theListSingleTenantHsmInstancesResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

string

Optional. Optional pagination token, returned earlier viaListSingleTenantHsmInstancesResponse.next_page_token.

string

Optional. Only include resources that match the filter in the response. For more information, seeSorting and filtering list results.

string

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, seeSorting and filtering list results.

bool

Optional. If set to true,HsmManagement.ListSingleTenantHsmInstances will also returnSingleTenantHsmInstances in DELETED state.

SingleTenantHsmInstance

The list ofSingleTenantHsmInstances.

string

A token to retrieve next page of results. Pass this value inListSingleTenantHsmInstancesRequest.page_token to retrieve the next page of results.

int32

The total number ofSingleTenantHsmInstances that matched the query.

This field is not populated ifListSingleTenantHsmInstancesRequest.filter is applied.

bool

Indicates whetherCryptoKeys withprotection_levelHSM can be created in this location.

bool

Indicates whetherCryptoKeys withprotection_levelEXTERNAL can be created in this location.

bool

Indicates whetherCryptoKeys withprotection_levelHSM_SINGLE_TENANT can be created in this location.

string

Required. The resource name of theCryptoKeyVersion to use for signing.

Authorization requires the followingIAM permission on the specified resourcename:

• cloudkms.cryptoKeyVersions.useToSign

bytes

Required. The data to sign. The MAC tag is computed over this data field based on the specific algorithm.

Int64Value

Optional. An optional CRC32C checksum of theMacSignRequest.data. If specified,KeyManagementService will verify the integrity of the receivedMacSignRequest.data using this checksum.KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(MacSignRequest.data) is equal toMacSignRequest.data_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

string

The resource name of theCryptoKeyVersion used for signing. Check this field to verify that the intended resource was used for signing.

bytes

The created signature.

Int64Value

Integrity verification field. A CRC32C checksum of the returnedMacSignResponse.mac. An integrity check ofMacSignResponse.mac can be performed by computing the CRC32C checksum ofMacSignResponse.mac and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

bool

Integrity verification field. A flag indicating whetherMacSignRequest.data_crc32c was received byKeyManagementService and used for the integrity verification of thedata. A false value of this field indicates either thatMacSignRequest.data_crc32c was left unset or that it was not delivered toKeyManagementService. If you've setMacSignRequest.data_crc32c but this field is still false, discard the response and perform a limited number of retries.

ProtectionLevel

TheProtectionLevel of theCryptoKeyVersion used for signing.

string

Required. The resource name of theCryptoKeyVersion to use for verification.

Authorization requires the followingIAM permission on the specified resourcename:

• cloudkms.cryptoKeyVersions.useToVerify

bytes

Required. The data used previously as aMacSignRequest.data to generate the MAC tag.

Int64Value

Optional. An optional CRC32C checksum of theMacVerifyRequest.data. If specified,KeyManagementService will verify the integrity of the receivedMacVerifyRequest.data using this checksum.KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(MacVerifyRequest.data) is equal toMacVerifyRequest.data_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

bytes

Required. The signature to verify.

Int64Value

Optional. An optional CRC32C checksum of theMacVerifyRequest.mac. If specified,KeyManagementService will verify the integrity of the receivedMacVerifyRequest.mac using this checksum.KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(MacVerifyRequest.mac) is equal toMacVerifyRequest.mac_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

string

The resource name of theCryptoKeyVersion used for verification. Check this field to verify that the intended resource was used for verification.

bool

This field indicates whether or not the verification operation forMacVerifyRequest.mac overMacVerifyRequest.data was successful.

bool

Integrity verification field. A flag indicating whetherMacVerifyRequest.data_crc32c was received byKeyManagementService and used for the integrity verification of thedata. A false value of this field indicates either thatMacVerifyRequest.data_crc32c was left unset or that it was not delivered toKeyManagementService. If you've setMacVerifyRequest.data_crc32c but this field is still false, discard the response and perform a limited number of retries.

bool

Integrity verification field. A flag indicating whetherMacVerifyRequest.mac_crc32c was received byKeyManagementService and used for the integrity verification of thedata. A false value of this field indicates either thatMacVerifyRequest.mac_crc32c was left unset or that it was not delivered toKeyManagementService. If you've setMacVerifyRequest.mac_crc32c but this field is still false, discard the response and perform a limited number of retries.

bool

Integrity verification field. This value is used for the integrity verification of [MacVerifyResponse.success]. If the value of this field contradicts the value of [MacVerifyResponse.success], discard the response and perform a limited number of retries.

ProtectionLevel

TheProtectionLevel of theCryptoKeyVersion used for verification.

string

The public key, encoded in PEM format. For more information, see theRFC 7468 sections forGeneral Considerations andTextual Encoding of Subject Public Key Info.

CryptoKeyVersionAlgorithm

TheAlgorithm associated with this key.

Int64Value

Integrity verification field. A CRC32C checksum of the returnedPublicKey.pem. An integrity check ofPublicKey.pem can be performed by computing the CRC32C checksum ofPublicKey.pem and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed2^32-1, and can be safely downconverted to uint32 in languages that support this type.

NOTE: This field is in Beta.

string

Thename of theCryptoKeyVersion public key. Provided here for verification.

NOTE: This field is in Beta.

ProtectionLevel

TheProtectionLevel of theCryptoKeyVersion public key.

PublicKeyFormat

ThePublicKey format specified by the customer through thepublic_key_format field.

ChecksummedData

This field contains the public key (with integrity verification), formatted according to thepublic_key_format field.