keys

Creates, updates, deletes, gets or lists a keys resource.

Overview

Name	keys
Type	Resource
Id	google.apikeys.keys

Fields

The following fields are returned by SELECT queries:

get

Successful response

Name	Datatype	Description
name	string	Output only. The resource name of the key. The name has the form: projects//locations/global/keys/. For example: projects/123456867718/locations/global/keys/b7ff1f9f-8275-410a-94dd-3855ee9b5dd2 NOTE: Key is a global resource; hence the only supported value for location is global.
annotations	object	Annotations is an unstructured key-value map stored with a policy that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects.
createTime	string (google-datetime)	Output only. A timestamp identifying the time this key was originally created.
deleteTime	string (google-datetime)	Output only. A timestamp when this key was deleted. If the resource is not deleted, this must be empty.
displayName	string	Human-readable display name of this key that you can modify. The maximum length is 63 characters.
etag	string	Output only. A checksum computed by the server based on the current value of the Key resource. This may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding. See https://google.aip.dev/154.
keyString	string	Output only. An encrypted and signed value held by this key. This field can be accessed only through the GetKeyString method.
restrictions	object	Key restrictions. (id: V2Restrictions)
serviceAccountEmail	string	Optional. The email address of the service account the key is bound to.
uid	string	Output only. Unique id in UUID4 format.
updateTime	string (google-datetime)	Output only. A timestamp identifying the time this key was last updated.

list

Successful response

Name	Datatype	Description
name	string	Output only. The resource name of the key. The name has the form: projects//locations/global/keys/. For example: projects/123456867718/locations/global/keys/b7ff1f9f-8275-410a-94dd-3855ee9b5dd2 NOTE: Key is a global resource; hence the only supported value for location is global.
annotations	object	Annotations is an unstructured key-value map stored with a policy that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects.
createTime	string (google-datetime)	Output only. A timestamp identifying the time this key was originally created.
deleteTime	string (google-datetime)	Output only. A timestamp when this key was deleted. If the resource is not deleted, this must be empty.
displayName	string	Human-readable display name of this key that you can modify. The maximum length is 63 characters.
etag	string	Output only. A checksum computed by the server based on the current value of the Key resource. This may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding. See https://google.aip.dev/154.
keyString	string	Output only. An encrypted and signed value held by this key. This field can be accessed only through the GetKeyString method.
restrictions	object	Key restrictions. (id: V2Restrictions)
serviceAccountEmail	string	Optional. The email address of the service account the key is bound to.
uid	string	Output only. Unique id in UUID4 format.
updateTime	string (google-datetime)	Output only. A timestamp identifying the time this key was last updated.

Methods

The following methods are available for this resource:

Name	Accessible by	Required Params	Optional Params	Description
get	select	projectsId, locationsId, keysId		Gets the metadata for an API key. The key string of the API key isn't included in the response. NOTE: Key is a global resource; hence the only supported value for location is global.
list	select	projectsId, locationsId	pageToken, pageSize, showDeleted	Lists the API keys owned by a project. The key string of the API key isn't included in the response. NOTE: Key is a global resource; hence the only supported value for location is global.
create	insert	projectsId, locationsId	keyId	Creates a new API key. NOTE: Key is a global resource; hence the only supported value for location is global.
patch	update	projectsId, locationsId, keysId	updateMask	Patches the modifiable fields of an API key. The key string of the API key isn't included in the response. NOTE: Key is a global resource; hence the only supported value for location is global.
delete	delete	projectsId, locationsId, keysId	etag	Deletes an API key. Deleted key can be retrieved within 30 days of deletion. Afterward, key will be purged from the project. NOTE: Key is a global resource; hence the only supported value for location is global.
lookup_key	exec		keyString	Find the parent project and resource name of the API key that matches the key string in the request. If the API key has been purged, resource name will not be set. The service account must have the apikeys.keys.lookup permission on the parent project.
undelete	exec	projectsId, locationsId, keysId		Undeletes an API key which was deleted within 30 days. NOTE: Key is a global resource; hence the only supported value for location is global.

Parameters

Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.

Name	Datatype	Description
keysId	string
locationsId	string
projectsId	string
etag	string
keyId	string
keyString	string
pageSize	integer (int32)
pageToken	string
showDeleted	boolean
updateMask	string (google-fieldmask)

SELECT examples

get

Gets the metadata for an API key. The key string of the API key isn't included in the response. NOTE: Key is a global resource; hence the only supported value for location is global.

SELECT
name,
annotations,
createTime,
deleteTime,
displayName,
etag,
keyString,
restrictions,
serviceAccountEmail,
uid,
updateTime
FROM google.apikeys.keys
WHERE projectsId = '{{ projectsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND keysId = '{{ keysId }}' -- required;

list

Lists the API keys owned by a project. The key string of the API key isn't included in the response. NOTE: Key is a global resource; hence the only supported value for location is global.

SELECT
name,
annotations,
createTime,
deleteTime,
displayName,
etag,
keyString,
restrictions,
serviceAccountEmail,
uid,
updateTime
FROM google.apikeys.keys
WHERE projectsId = '{{ projectsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND pageToken = '{{ pageToken }}'
AND pageSize = '{{ pageSize }}'
AND showDeleted = '{{ showDeleted }}';

INSERT examples

create

Creates a new API key. NOTE: Key is a global resource; hence the only supported value for location is global.

INSERT INTO google.apikeys.keys (
data__serviceAccountEmail,
data__annotations,
data__restrictions,
data__displayName,
projectsId,
locationsId,
keyId
)
SELECT 
'{{ serviceAccountEmail }}',
'{{ annotations }}',
'{{ restrictions }}',
'{{ displayName }}',
'{{ projectsId }}',
'{{ locationsId }}',
'{{ keyId }}'
RETURNING
name,
done,
error,
metadata,
response
;

Manifest

# Description fields are for documentation purposes
- name: keys
  props:
    - name: projectsId
      value: string
      description: Required parameter for the keys resource.
    - name: locationsId
      value: string
      description: Required parameter for the keys resource.
    - name: serviceAccountEmail
      value: string
      description: >
        Optional. The email address of [the service account](https://cloud.google.com/iam/docs/service-accounts) the key is bound to.
        
    - name: annotations
      value: object
      description: >
        Annotations is an unstructured key-value map stored with a policy that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects.
        
    - name: restrictions
      value: object
      description: >
        Key restrictions.
        
    - name: displayName
      value: string
      description: >
        Human-readable display name of this key that you can modify. The maximum length is 63 characters.
        
    - name: keyId
      value: string

UPDATE examples

patch

Patches the modifiable fields of an API key. The key string of the API key isn't included in the response. NOTE: Key is a global resource; hence the only supported value for location is global.

UPDATE google.apikeys.keys
SET 
data__serviceAccountEmail = '{{ serviceAccountEmail }}',
data__annotations = '{{ annotations }}',
data__restrictions = '{{ restrictions }}',
data__displayName = '{{ displayName }}'
WHERE 
projectsId = '{{ projectsId }}' --required
AND locationsId = '{{ locationsId }}' --required
AND keysId = '{{ keysId }}' --required
AND updateMask = '{{ updateMask}}'
RETURNING
name,
done,
error,
metadata,
response;

DELETE examples

delete

Deletes an API key. Deleted key can be retrieved within 30 days of deletion. Afterward, key will be purged from the project. NOTE: Key is a global resource; hence the only supported value for location is global.

DELETE FROM google.apikeys.keys
WHERE projectsId = '{{ projectsId }}' --required
AND locationsId = '{{ locationsId }}' --required
AND keysId = '{{ keysId }}' --required
AND etag = '{{ etag }}';

Lifecycle Methods

lookup_key

Find the parent project and resource name of the API key that matches the key string in the request. If the API key has been purged, resource name will not be set. The service account must have the apikeys.keys.lookup permission on the parent project.

EXEC google.apikeys.keys.lookup_key 
@keyString='{{ keyString }}';

undelete

Undeletes an API key which was deleted within 30 days. NOTE: Key is a global resource; hence the only supported value for location is global.

EXEC google.apikeys.keys.undelete 
@projectsId='{{ projectsId }}' --required, 
@locationsId='{{ locationsId }}' --required, 
@keysId='{{ keysId }}' --required;