KMSCryptoKey


Property Value
Google Cloud Service Name Cloud Key Management Service
Google Cloud Service Documentation /kms/docs/
Google Cloud REST Resource Name v1.projects.locations.keyRings.cryptoKeys
Google Cloud REST Resource Documentation /kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys
Config Connector Resource Short Names KMSCryptoKey
gcpkmscryptokey
gcpkmscryptokeys
kmscryptokey
Config Connector Service Name cloudkms.googleapis.com
Config Connector Resource Fully Qualified Name kmscryptokeys.kms.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember Yes
Supports IAM Conditions Yes
Supports IAM Audit Configs No
IAM External Reference Format

projects/{{project}}/locations/{{location}}/keyRings/{{key_ring_id}}/cryptoKeys/{{name}}

Config Connector Default Average Reconcile Interval In Seconds 600

Custom Resource Definition Properties

Annotations

Fields
cnrm.cloud.google.com/state-into-spec

Spec

Schema

destroyScheduledDuration: string
importOnly: boolean
keyRingRef:
  external: string
  name: string
  namespace: string
purpose: string
resourceID: string
rotationPeriod: string
skipInitialVersionCreation: boolean
versionTemplate:
  algorithm: string
  protectionLevel: string
Fields

destroyScheduledDuration

Optional

string

Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.

importOnly

Optional

boolean

Immutable. Whether this key may contain imported versions only.

keyRingRef

Required

object

The KMSKeyRing that this key belongs to.

keyRingRef.external

Optional

string

Allowed value: The `selfLink` field of a `KMSKeyRing` resource.

keyRingRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

keyRingRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

purpose

Optional

string

Immutable. The immutable purpose of this CryptoKey. See the [purpose reference](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose) for possible inputs. Default value is "ENCRYPT_DECRYPT".

resourceID

Optional

string

Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

rotationPeriod

Optional

string

Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter 's' (seconds). It must be greater than a day (ie, 86400).

skipInitialVersionCreation

Optional

boolean

Immutable. If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the 'google_kms_key_ring_import_job' resource to import the CryptoKeyVersion.

versionTemplate

Optional

object

A template describing settings for new crypto key versions.

versionTemplate.algorithm

Required*

string

The algorithm to use when creating a version based on this template. See the [algorithm reference](https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm) for possible inputs.

versionTemplate.protectionLevel

Optional

string

Immutable. The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".

* Field is required when parent field is specified

Status

Schema

conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
observedGeneration: integer
selfLink: string
Fields
conditions

list (object)

Conditions represent the latest available observation of the resource's current state.

conditions[]

object

conditions[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions[].message

string

Human-readable message indicating details about last transition.

conditions[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions[].type

string

Type is the type of the condition.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

selfLink

string

The self link of the created key in the format projects/{project}/locations/{location}/keyRings/{keyRingName}/cryptoKeys/{name}.

Sample YAML(s)

Typical Use Case

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSCryptoKey
metadata:
  labels:
    key-one: value-one
  name: kmscryptokey-sample
spec:
  keyRingRef:
    name: kmscryptokey-dep
  purpose: ASYMMETRIC_SIGN
  versionTemplate:
    algorithm: EC_SIGN_P384_SHA384
    protectionLevel: SOFTWARE
  importOnly: false
---
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSKeyRing
metadata:
  name: kmscryptokey-dep
spec:
  location: us-central1