KMSCryptoKey

| Property | Value |
| --- | --- |
| Google Cloud Service Name | Cloud Key Management Service |
| Google Cloud Service Documentation | /kms/docs/ |
| Google Cloud REST Resource Name | v1.projects.locations.keyRings.cryptoKeys |
| Google Cloud REST Resource Documentation | /kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys |
| Config Connector Resource Short Names | KMSCryptoKey, gcpkmscryptokey, gcpkmscryptokeys, kmscryptokey |
| Config Connector Service Name | cloudkms.googleapis.com |
| Config Connector Resource Fully Qualified Name | kmscryptokeys.kms.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | Yes |
| Supports IAM Conditions | Yes |
| Supports IAM Audit Configs | No |
| IAM External Reference Format | {{key_ring}}/cryptoKeys/{{name}} |

Custom Resource Definition Properties

Spec

Schema

  keyRingRef:
    external: string
    name: string
    namespace: string
  purpose: string
  rotationPeriod: string
  versionTemplate:
    algorithm: string
    protectionLevel: string

Fields

keyRingRef

Required

object

The KMSKeyRing that this key belongs to.

keyRingRef.external

Optional

string

The selfLink of a KMSKeyRing.

keyRingRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

keyRingRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

purpose

Optional

string

The immutable purpose of this CryptoKey. See the [purpose reference](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose) for possible inputs. Default value: "ENCRYPT_DECRYPT". Possible values: ["ENCRYPT_DECRYPT", "ASYMMETRIC_SIGN", "ASYMMETRIC_DECRYPT"].

rotationPeriod

Optional

string

Every time this period passes, a new CryptoKeyVersion is generated and set as the primary. The first rotation takes place after the specified period. The rotation period is written as a decimal number with up to 9 fractional digits, followed by the letter 's' (seconds). It must be greater than a day (i.e., 86400).

versionTemplate

Optional

object

A template describing settings for new crypto key versions.

versionTemplate.algorithm

Required*

string

The algorithm to use when creating a version based on this template. See the [algorithm reference](https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm) for possible inputs.

versionTemplate.protectionLevel

Optional

string

The protection level to use when creating a version based on this template. Default value: "SOFTWARE". Possible values: ["SOFTWARE", "HSM"].

* Field is required when parent field is specified
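
The Spec constraints above can be checked before a manifest is applied. The linter below is an added example, not part of Config Connector or of the original page; it takes an already-parsed `spec` mapping, and the function name `lint_crypto_key_spec` and the constructed `BAD_SPEC` input are hypothetical.

```python
import re
from decimal import Decimal

# Allowed values, copied from the field descriptions on this page.
PURPOSES = {"ENCRYPT_DECRYPT", "ASYMMETRIC_SIGN", "ASYMMETRIC_DECRYPT"}
PROTECTION_LEVELS = {"SOFTWARE", "HSM"}
# Decimal number with up to 9 fractional digits, then the letter 's'.
ROTATION_RE = re.compile(r"^(\d+(?:\.\d{1,9})?)s$")
ONE_DAY = Decimal(86400)


def lint_crypto_key_spec(spec):
    """Return a list of problems found in a parsed KMSCryptoKey spec (dict)."""
    problems = []
    ref = spec.get("keyRingRef")
    # Assumption: a usable reference sets either name or external.
    if not isinstance(ref, dict) or not (ref.get("name") or ref.get("external")):
        problems.append("keyRingRef: required, with name or external set")
    purpose = spec.get("purpose", "ENCRYPT_DECRYPT")  # documented default
    if purpose not in PURPOSES:
        problems.append(f"purpose: {purpose!r} is not a listed value")
    if "rotationPeriod" in spec:
        m = ROTATION_RE.match(str(spec["rotationPeriod"]))
        if not m:
            problems.append("rotationPeriod: expected seconds, e.g. '7776000s'")
        # The page says "greater than a day", so exactly 86400s is flagged too.
        elif Decimal(m.group(1)) <= ONE_DAY:
            problems.append("rotationPeriod: must be greater than 86400s")
    if "versionTemplate" in spec:
        tmpl = spec["versionTemplate"] or {}
        if not tmpl.get("algorithm"):
            problems.append("versionTemplate.algorithm: required with versionTemplate")
        level = tmpl.get("protectionLevel", "SOFTWARE")  # documented default
        if level not in PROTECTION_LEVELS:
            problems.append(f"protectionLevel: {level!r} is not a listed value")
    return problems


# Spec of the page's "Typical Use Case" sample, as a parsed mapping.
PAGE_SAMPLE = {"keyRingRef": {"name": "kmscryptokey-dep"}, "purpose": "ASYMMETRIC_SIGN",
               "versionTemplate": {"algorithm": "EC_SIGN_P384_SHA384",
                                   "protectionLevel": "SOFTWARE"}}
# Constructed spec with three mistakes: bad purpose, bad period unit, no algorithm.
BAD_SPEC = {"keyRingRef": {"name": "kmscryptokey-dep"}, "purpose": "SIGN",
            "rotationPeriod": "12h", "versionTemplate": {"protectionLevel": "HSM"}}

if __name__ == "__main__":
    for label, spec in (("page sample", PAGE_SAMPLE), ("bad spec", BAD_SPEC)):
        print(label, lint_crypto_key_spec(spec) or "ok")
```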

Status

Schema

  conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string
    type: string
  selfLink: string

Fields

conditions

list (object)

Conditions represents the latest available observation of the resource's current state.

conditions.[]

object

conditions.[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions.[].message

string

Human-readable message indicating details about last transition.

conditions.[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions.[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions.[].type

string

Type is the type of the condition.

selfLink

string

Sample YAML(s)

Typical Use Case

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: kms.cnrm.cloud.google.com/v1beta1
  kind: KMSCryptoKey
  metadata:
    labels:
      key-one: value-one
    name: kmscryptokey-sample
  spec:
    keyRingRef:
      name: kmscryptokey-dep
    purpose: ASYMMETRIC_SIGN
    versionTemplate:
      algorithm: EC_SIGN_P384_SHA384
      protectionLevel: SOFTWARE
  ---
  apiVersion: kms.cnrm.cloud.google.com/v1beta1
  kind: KMSKeyRing
  metadata:
    name: kmscryptokey-dep
  spec:
    location: us-central1