Cloud KMS resource consistency

This topic provides information about the impact of consistency when Cloud KMS resources are created or modified.

Some operations on Cloud Key Management Service resources are strongly consistent, while others are eventually consistent. Eventually consistent operations typically propagate within 1 minute, but may take up to 3 hours in exceptional cases.

Consistency of key rings

Creating a key ring is a strongly consistent operation. Upon creation, a key ring is instantly available for use.

Consistency of keys

Creating a key is a strongly consistent operation. Upon creation, a key is instantly available for use.

Consistency of key versions

Enabling a key version is a strongly consistent operation. The enabled key version is instantly available for encrypting and decrypting data.

Disabling a key version is an eventually consistent operation. The key version typically remains usable for encrypting and decrypting data for up to 1 minute after it is disabled. In exceptional cases, the key version remains usable for up to 3 hours after it is disabled.

Changing the primary key version, manually or during key rotation, is an eventually consistent operation. While such a change propagates, Encrypt operations for a CryptoKey might still use the CryptoKey's previous primary version to encrypt.

Impact of changing IAM access

If you need to prevent a user from using a Cloud KMS resource during the time needed for propagation of an eventually consistent operation, remove the Identity and Access Management (IAM) permission for the resource. For example, you can prevent a user from using a newly disabled key version by removing the IAM role that allows the user to access the key. IAM changes are consistent within seconds; to learn more, see Access change propagation.
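
The propagation windows above, applied to reviewing key usage after a disable, as an added example that is not part of the original documentation. The record fields, principal names and the 60-second IAM allowance are assumptions made for illustration; the records are constructed and are not in the Cloud Audit Logs schema.

```python
from datetime import datetime, timedelta, timezone

TYPICAL = timedelta(minutes=1)     # typical propagation time stated on the page
EXCEPTIONAL = timedelta(hours=3)   # exceptional-case upper bound stated on the page

def classify_use(disabled_at, used_at):
    """Place one successful operation relative to the disable time."""
    delta = used_at - disabled_at
    if delta < timedelta(0):
        return "before_disable"
    if delta <= TYPICAL:
        return "typical_propagation"
    if delta <= EXCEPTIONAL:
        return "exceptional_propagation"
    return "beyond_documented_window"

def review(events, disabled_at, iam_revoked=None, iam_grace=timedelta(seconds=60)):
    """Label each successful use after disable. iam_revoked: principal -> revocation
    time; iam_grace is an assumed allowance for "within seconds" (no figure on the page)."""
    iam_revoked = iam_revoked or {}
    findings = []
    for ev in events:
        label = classify_use(disabled_at, ev["time"])
        if not ev["ok"] or label == "before_disable":
            continue  # denied calls and pre-disable use are expected
        revoked = iam_revoked.get(ev["principal"])
        if revoked is not None and ev["time"] > revoked + iam_grace:
            label = "after_iam_revocation"  # IAM should already have blocked this
        findings.append((ev["principal"], ev["op"], label))
    return findings

def ts(hhmmss):
    return datetime.fromisoformat("2024-05-01T" + hhmmss).replace(tzinfo=timezone.utc)

# Constructed records in a simplified, hypothetical shape (not the Cloud Audit Logs schema).
DISABLED_AT = ts("12:00:00")
IAM_REVOKED = {"svc-a": ts("12:00:05")}
SAMPLE = [
    {"time": ts("11:59:30"), "principal": "svc-a", "op": "Decrypt", "ok": True},
    {"time": ts("12:00:20"), "principal": "svc-a", "op": "Encrypt", "ok": True},
    {"time": ts("12:10:00"), "principal": "svc-a", "op": "Decrypt", "ok": False},
    {"time": ts("12:40:00"), "principal": "svc-b", "op": "Decrypt", "ok": True},
    {"time": ts("12:45:00"), "principal": "svc-a", "op": "Decrypt", "ok": True},
    {"time": ts("15:30:00"), "principal": "svc-b", "op": "Decrypt", "ok": True},
]

if __name__ == "__main__":
    for principal, op, label in review(SAMPLE, DISABLED_AT, IAM_REVOKED):
        print(f"{principal:6} {op:8} {label}")
```

Uses labelled exceptional_propagation are still inside the documented 3-hour bound; after_iam_revocation and beyond_documented_window are the ones that warrant investigation.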