KMSCryptoKey

| Property | Value |
| --- | --- |
| Google Cloud Service Name | Cloud Key Management Service |
| Google Cloud Service Documentation | /kms/docs/ |
| Google Cloud REST Resource Name | v1.projects.locations.keyRings.cryptoKeys |
| Google Cloud REST Resource Documentation | /kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys |
| Config Connector Resource Short Names | KMSCryptoKey, gcpkmscryptokey, gcpkmscryptokeys, kmscryptokey |
| Config Connector Service Name | cloudkms.googleapis.com |
| Config Connector Resource Fully Qualified Name | kmscryptokeys.kms.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | Yes |
| Supports IAM Conditions | Yes |
| IAM External Reference Format | `{{key_ring}}/cryptoKeys/{{name}}` |

Custom Resource Definition Properties

Spec

Schema

keyRingRef:
  external: string
  name: string
  namespace: string
purpose: string
rotationPeriod: string
versionTemplate:
  algorithm: string
  protectionLevel: string

Fields

keyRingRef

Required

object

The KMSKeyRing that this key belongs to.

keyRingRef.external

Optional

string

The selfLink of a KMSKeyRing.

keyRingRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

keyRingRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

purpose

Optional

string

The immutable purpose of this CryptoKey. See the [purpose reference](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose) for possible inputs. Default value: "ENCRYPT_DECRYPT". Possible values: ["ENCRYPT_DECRYPT", "ASYMMETRIC_SIGN", "ASYMMETRIC_DECRYPT"].

rotationPeriod

Optional

string

Every time this period passes, a new CryptoKeyVersion is generated and set as the primary. The first rotation takes place after the specified period. The rotation period is written as a decimal number with up to 9 fractional digits, followed by the letter 's' (seconds). It must be greater than a day (i.e., 86400 seconds).

versionTemplate

Optional

object

A template describing settings for new crypto key versions.

versionTemplate.algorithm

Required*

string

The algorithm to use when creating a version based on this template. See the [algorithm reference](https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm) for possible inputs.

versionTemplate.protectionLevel

Optional

string

The protection level to use when creating a version based on this template. Default value: "SOFTWARE". Possible values: ["SOFTWARE", "HSM"].

* Field is required when parent field is specified
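
The Spec constraints above can be checked before a manifest is applied. The following is an added example, not part of the Config Connector documentation or code: a hypothetical `lint_crypto_key_spec` function that takes the `spec` as an already-parsed dict and follows this page's wording, so a `rotationPeriod` of exactly `86400s` is rejected.

```python
import re
from decimal import Decimal

# Allowed values as listed on this page.
PURPOSES = {"ENCRYPT_DECRYPT", "ASYMMETRIC_SIGN", "ASYMMETRIC_DECRYPT"}
PROTECTION_LEVELS = {"SOFTWARE", "HSM"}
# Decimal number with up to 9 fractional digits, then the letter 's'.
ROTATION_RE = re.compile(r"([0-9]+(?:\.[0-9]{1,9})?)s")
ONE_DAY = Decimal(86400)


def lint_crypto_key_spec(spec):
    """Return a list of findings for a KMSCryptoKey spec (hypothetical helper)."""
    findings = []
    if not isinstance(spec.get("keyRingRef"), dict):
        findings.append("keyRingRef: required object is missing")
    purpose = spec.get("purpose", "ENCRYPT_DECRYPT")  # documented default
    if purpose not in PURPOSES:
        findings.append(f"purpose: {purpose!r} is not a listed value")
    rotation = spec.get("rotationPeriod")
    if rotation is not None:
        m = ROTATION_RE.fullmatch(str(rotation))
        if m is None:
            findings.append("rotationPeriod: expected decimal seconds ending in 's'")
        elif Decimal(m.group(1)) <= ONE_DAY:  # page wording: greater than a day
            findings.append("rotationPeriod: must be greater than 86400s")
    template = spec.get("versionTemplate")
    if template is not None:
        if not template.get("algorithm"):
            findings.append("versionTemplate.algorithm: required when versionTemplate is set")
        level = template.get("protectionLevel", "SOFTWARE")  # documented default
        if level not in PROTECTION_LEVELS:
            findings.append(f"versionTemplate.protectionLevel: {level!r} is not a listed value")
    return findings


# Constructed samples: GOOD mirrors the sample manifest on this page, BAD is made up.
GOOD = {"keyRingRef": {"name": "kmscryptokey-dep"}, "purpose": "ASYMMETRIC_SIGN",
        "versionTemplate": {"algorithm": "EC_SIGN_P384_SHA384",
                            "protectionLevel": "SOFTWARE"}}
BAD = {"purpose": "SIGN", "rotationPeriod": "3600s",
       "versionTemplate": {"protectionLevel": "hsm"}}

if __name__ == "__main__":
    for name, spec in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_crypto_key_spec(spec))
```
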

Status

Schema

conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
selfLink: string

Fields

conditions

list (object)

conditions.[]

object

conditions.[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions.[].message

string

Human-readable message indicating details about last transition.

conditions.[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions.[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions.[].type

string

Type is the type of the condition.

selfLink

string

Sample YAML(s)

Typical Use Case

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSCryptoKey
metadata:
  labels:
    key-one: value-one
  name: kmscryptokey-sample
spec:
  keyRingRef:
    name: kmscryptokey-dep
  purpose: ASYMMETRIC_SIGN
  versionTemplate:
    algorithm: EC_SIGN_P384_SHA384
    protectionLevel: SOFTWARE
---
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSKeyRing
metadata:
  name: kmscryptokey-dep
spec:
  location: us-central1