Cloud Key Management Service (KMS) C++ Client Library

An idiomatic C++ client library for Cloud Key Management Service (KMS), a service that manages keys and performs cryptographic operations in a central cloud service, for direct use by other cloud resources and applications.

While this library is GA, please note Google Cloud C++ client libraries do not follow Semantic Versioning.

Quickstart

The following shows the code that you'll run in the google/cloud/kms/quickstart/ directory, which should give you a taste of the KMS C++ client library API.

#include "google/cloud/kms/v1/key_management_client.h"
#include "google/cloud/project.h"
#include <iostream>
#include <string>
#include <utility>

int main(int argc, char* argv[]) try {
  if (argc != 3) {
    std::cerr << "Usage: " << argv[0] << " project-id location-id\n";
    return 1;
  }

  namespace kms = ::google::cloud::kms_v1;
  auto client = kms::KeyManagementServiceClient(
      kms::MakeKeyManagementServiceConnection());

  auto const parent =
      std::string{"projects/"} + argv[1] + "/locations/" + argv[2];
  for (auto r : client.ListKeyRings(parent)) {
    if (!r) throw std::move(r).status();
    std::cout << r->DebugString() << "\n";
  }

  return 0;
} catch (google::cloud::Status const& status) {
  std::cerr << "google::cloud::Status thrown: " << status << "\n";
  return 1;
}

Main classes

This library offers multiple *Client classes, which are listed below. Each one of these classes exposes all the RPCs for a gRPC service as member functions of the class. This library groups multiple gRPC services because they are part of the same product or are often used together. A typical example may be the administrative and data plane operations for a single product.

The library also has other classes that provide helpers, retry policies, configuration parameters, and infrastructure to mock the *Client classes when testing your application.

Override the default endpoint

In some cases, you may need to override the default endpoint used by the client library. Use the google::cloud::EndpointOption when initializing the client library to change this default.

For example, this will override the default endpoint for kms_inventory_v1::KeyDashboardServiceClient:

  // This configuration is common with Private Google Access:
  //     https://cloud.google.com/vpc/docs/private-google-access
  auto options = google::cloud::Options{}.set<google::cloud::EndpointOption>(
      "private.googleapis.com");
  auto client = google::cloud::kms_inventory_v1::KeyDashboardServiceClient(
      google::cloud::kms_inventory_v1::MakeKeyDashboardServiceConnection(
          options));

Follow these links to find examples for other *Client classes: kms_inventory_v1::KeyDashboardServiceClient, kms_inventory_v1::KeyTrackingServiceClient, kms_v1::EkmServiceClient, kms_v1::KeyManagementServiceClient

Override the authentication configuration

Some applications cannot use the default authentication mechanism (known as Application Default Credentials). You can override this default using google::cloud::UnifiedCredentialsOption. The following example shows how to explicitly load a service account key file.

  [](std::string const& keyfile) {
    auto is = std::ifstream(keyfile);
    is.exceptions(std::ios::badbit);  // Minimal error handling in examples
    auto contents = std::string(std::istreambuf_iterator<char>(is.rdbuf()), {});
    auto options =
        google::cloud::Options{}.set<google::cloud::UnifiedCredentialsOption>(
            google::cloud::MakeServiceAccountCredentials(contents));
    return google::cloud::kms_inventory_v1::KeyDashboardServiceClient(
        google::cloud::kms_inventory_v1::MakeKeyDashboardServiceConnection(
            options));
  }

Follow these links to find examples for other *Client classes: kms_inventory_v1::KeyDashboardServiceClient, kms_inventory_v1::KeyTrackingServiceClient, kms_v1::EkmServiceClient, kms_v1::KeyManagementServiceClient

Keep in mind that we chose this as an example because it is relatively easy to understand. Consult the Best practices for managing service account keys guide for more details.
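
A service account key file is a long-lived credential, so it is worth checking the file itself before its contents reach google::cloud::MakeServiceAccountCredentials. The following is an added example, not code from this page or from google-cloud-cpp: LoadKeyFileStrict is a hypothetical, POSIX-only helper that refuses symlinks, non-regular files, files owned by another user, and files accessible to group or others. The 64 KiB size bound is an assumption of the example.

```cpp
// Added example: LoadKeyFileStrict is a hypothetical helper, not a
// google-cloud-cpp API. POSIX only.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

#include <stdexcept>
#include <string>

std::string LoadKeyFileStrict(std::string const& path) {
  // O_NOFOLLOW: fail if the final path component is a symlink.
  // O_NONBLOCK: do not hang if the path turns out to be a FIFO.
  int const fd =
      ::open(path.c_str(), O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
  if (fd < 0) throw std::runtime_error("cannot open key file: " + path);
  struct Closer {
    int fd;
    ~Closer() { ::close(fd); }
  } closer{fd};

  // fstat() the open descriptor rather than the path, so the checks apply
  // to the same file that is read below.
  struct stat st {};
  if (::fstat(fd, &st) != 0) throw std::runtime_error("cannot stat key file");
  if (!S_ISREG(st.st_mode)) throw std::runtime_error("not a regular file");
  if (st.st_uid != ::geteuid()) {
    throw std::runtime_error("key file is not owned by the current user");
  }
  if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
    throw std::runtime_error("key file is accessible to group or others");
  }
  // Size bound chosen for this example; adjust to your own policy.
  constexpr off_t kMaxKeySize = 64 * 1024;
  if (st.st_size <= 0 || st.st_size > kMaxKeySize) {
    throw std::runtime_error("unexpected key file size");
  }

  std::string contents(static_cast<std::size_t>(st.st_size), '\0');
  std::size_t got = 0;
  while (got < contents.size()) {
    ssize_t const n = ::read(fd, &contents[got], contents.size() - got);
    if (n < 0) throw std::runtime_error("read failed");
    if (n == 0) break;  // File shrank after fstat(); keep what was read.
    got += static_cast<std::size_t>(n);
  }
  contents.resize(got);
  return contents;
}
```

The returned string takes the place of `contents` in the snippet above when calling google::cloud::MakeServiceAccountCredentials.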

See Also

Authentication Components - for more information on the factory functions to create google::cloud::Credentials objects.

Retry, Backoff, and Idempotency Policies.

The library automatically retries requests that fail with transient errors, and uses exponential backoff between retries. Application developers can override the default policies.

More Information