Skip to main content

crypto_keys

Creates, updates, deletes, gets or lists a crypto_keys resource.

Overview

Namecrypto_keys
TypeResource
Idgoogle.cloudkms.crypto_keys

Fields

The following fields are returned by SELECT queries:

Successful response

NameDatatypeDescription
namestringOutput only. The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
createTimestring (google-datetime)Output only. The time at which this CryptoKey was created.
cryptoKeyBackendstringImmutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.
destroyScheduledDurationstring (google-duration)Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.
importOnlybooleanImmutable. Whether this key may contain imported versions only.
keyAccessJustificationsPolicyobjectOptional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. (id: KeyAccessJustificationsPolicy)
labelsobjectLabels with user-defined metadata. For more information, see Labeling Keys.
nextRotationTimestring (google-datetime)At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
primaryobjectOutput only. A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted. (id: CryptoKeyVersion)
purposestringImmutable. The immutable purpose of this CryptoKey.
rotationPeriodstring (google-duration)next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
versionTemplateobjectA template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template. (id: CryptoKeyVersionTemplate)

Methods

The following methods are available for this resource:

NameAccessible byRequired ParamsOptional ParamsDescription
getselectprojectsId, locationsId, keyRingsId, cryptoKeysIdReturns metadata for a given CryptoKey, as well as its primary CryptoKeyVersion.
listselectprojectsId, locationsId, keyRingsIdpageSize, pageToken, versionView, filter, orderByLists CryptoKeys.
createinsertprojectsId, locationsId, keyRingsIdcryptoKeyId, skipInitialVersionCreationCreate a new CryptoKey within a KeyRing. CryptoKey.purpose and CryptoKey.version_template.algorithm are required.
patchupdateprojectsId, locationsId, keyRingsId, cryptoKeysIdupdateMaskUpdate a CryptoKey.
update_primary_versionexecprojectsId, locationsId, keyRingsId, cryptoKeysIdUpdate the version of a CryptoKey that will be used in Encrypt. Returns an error if called on a key whose purpose is not ENCRYPT_DECRYPT.
encryptexecprojectsId, locationsId, keyRingsId, cryptoKeysIdEncrypts data, so that it can only be recovered by a call to Decrypt. The CryptoKey.purpose must be ENCRYPT_DECRYPT.
decryptexecprojectsId, locationsId, keyRingsId, cryptoKeysIdDecrypts data that was protected by Encrypt. The CryptoKey.purpose must be ENCRYPT_DECRYPT.

Parameters

Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.

NameDatatypeDescription
cryptoKeysIdstring
keyRingsIdstring
locationsIdstring
projectsIdstring
cryptoKeyIdstring
filterstring
orderBystring
pageSizeinteger (int32)
pageTokenstring
skipInitialVersionCreationboolean
updateMaskstring (google-fieldmask)
versionViewstring

SELECT examples

Returns metadata for a given CryptoKey, as well as its primary CryptoKeyVersion.

SELECT
name,
createTime,
cryptoKeyBackend,
destroyScheduledDuration,
importOnly,
keyAccessJustificationsPolicy,
labels,
nextRotationTime,
primary,
purpose,
rotationPeriod,
versionTemplate
FROM google.cloudkms.crypto_keys
WHERE projectsId = '{{ projectsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND keyRingsId = '{{ keyRingsId }}' -- required
AND cryptoKeysId = '{{ cryptoKeysId }}' -- required;

INSERT examples

Create a new CryptoKey within a KeyRing. CryptoKey.purpose and CryptoKey.version_template.algorithm are required.

INSERT INTO google.cloudkms.crypto_keys (
data__purpose,
data__nextRotationTime,
data__rotationPeriod,
data__versionTemplate,
data__labels,
data__importOnly,
data__destroyScheduledDuration,
data__cryptoKeyBackend,
data__keyAccessJustificationsPolicy,
projectsId,
locationsId,
keyRingsId,
cryptoKeyId,
skipInitialVersionCreation
)
SELECT 
'{{ purpose }}',
'{{ nextRotationTime }}',
'{{ rotationPeriod }}',
'{{ versionTemplate }}',
'{{ labels }}',
{{ importOnly }},
'{{ destroyScheduledDuration }}',
'{{ cryptoKeyBackend }}',
'{{ keyAccessJustificationsPolicy }}',
'{{ projectsId }}',
'{{ locationsId }}',
'{{ keyRingsId }}',
'{{ cryptoKeyId }}',
'{{ skipInitialVersionCreation }}'
RETURNING
name,
createTime,
cryptoKeyBackend,
destroyScheduledDuration,
importOnly,
keyAccessJustificationsPolicy,
labels,
nextRotationTime,
primary,
purpose,
rotationPeriod,
versionTemplate
;

UPDATE examples

Update a CryptoKey.

UPDATE google.cloudkms.crypto_keys
SET 
data__purpose = '{{ purpose }}',
data__nextRotationTime = '{{ nextRotationTime }}',
data__rotationPeriod = '{{ rotationPeriod }}',
data__versionTemplate = '{{ versionTemplate }}',
data__labels = '{{ labels }}',
data__importOnly = {{ importOnly }},
data__destroyScheduledDuration = '{{ destroyScheduledDuration }}',
data__cryptoKeyBackend = '{{ cryptoKeyBackend }}',
data__keyAccessJustificationsPolicy = '{{ keyAccessJustificationsPolicy }}'
WHERE 
projectsId = '{{ projectsId }}' --required
AND locationsId = '{{ locationsId }}' --required
AND keyRingsId = '{{ keyRingsId }}' --required
AND cryptoKeysId = '{{ cryptoKeysId }}' --required
AND updateMask = '{{ updateMask}}'
RETURNING
name,
createTime,
cryptoKeyBackend,
destroyScheduledDuration,
importOnly,
keyAccessJustificationsPolicy,
labels,
nextRotationTime,
primary,
purpose,
rotationPeriod,
versionTemplate;

Lifecycle Methods

Update the version of a CryptoKey that will be used in Encrypt. Returns an error if called on a key whose purpose is not ENCRYPT_DECRYPT.

EXEC google.cloudkms.crypto_keys.update_primary_version 
@projectsId='{{ projectsId }}' --required, 
@locationsId='{{ locationsId }}' --required, 
@keyRingsId='{{ keyRingsId }}' --required, 
@cryptoKeysId='{{ cryptoKeysId }}' --required 
@@json=
'{
"cryptoKeyVersionId": "{{ cryptoKeyVersionId }}"
}';