Cloud KMS resource consistency

Some operations on Cloud Key Management Service resources are strongly consistent, while others are eventually consistent and may take up to 3 hours to propagate. This topic provides information about the impact of consistency when Cloud KMS resources are created or modified.

Consistency of key rings

Creating a key ring is a strongly consistent operation. Upon creation, a key ring is instantly available for use.

Consistency of keys

Creating a key is a strongly consistent operation. Upon creation, a key is instantly available for use.

For information about the consistency of a key version after a key is rotated, see consistency of key versions.

Consistency of key versions

Enabling a key version is a strongly consistent operation. The enabled key version is instantly available for encrypting and decrypting data.

Disabling a key version is an eventually consistent operation. After it is disabled, the key version remains usable for encrypting and decrypting data for about 40 minutes on average, and for up to 3 hours.

Key rotation, which results in a new primary key version, and manually changing the primary key version are eventually consistent operations. After you set a different version as the primary version, there is a delay of 40 minutes on average, and up to 3 hours, during which the previous primary version is still used for encrypting data.

Impact of changing Cloud IAM access

If you need to prevent a user from using a Cloud KMS resource during the time needed for propagation of an eventually consistent operation, remove the Cloud IAM permission for the resource. For example, if you want to prevent a newly disabled key version from being used by a user, remove the Cloud IAM access on the key for the user. For information on how long it takes for Cloud IAM to propagate a change, see this Cloud IAM FAQ entry.
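The following added example (not part of the original documentation) applies the 3-hour upper bound described above to a constructed list of key uses, labelling each use of a disabled or former primary key version as inside or beyond the propagation window. The record fields and function names are assumptions made for illustration, not the Cloud Audit Logs schema.

```python
from datetime import datetime, timedelta

MAX_PROPAGATION = timedelta(hours=3)  # upper bound stated on this page

# Constructed sample records; field names are illustrative assumptions.
CHANGES = [
    {"time": "2024-05-01T09:00:00", "action": "set_primary", "version": "2", "previous": "1"},
    {"time": "2024-05-01T12:30:00", "action": "disable", "version": "1"},
]
USES = [
    {"time": "2024-05-01T08:50:00", "op": "encrypt", "version": "1"},
    {"time": "2024-05-01T09:35:00", "op": "encrypt", "version": "1"},
    {"time": "2024-05-01T12:20:00", "op": "encrypt", "version": "1"},
    {"time": "2024-05-01T13:00:00", "op": "decrypt", "version": "1"},
    {"time": "2024-05-01T13:00:00", "op": "encrypt", "version": "2"},
    {"time": "2024-05-01T16:00:00", "op": "decrypt", "version": "1"},
]

def _ts(text):
    return datetime.fromisoformat(text)

def propagated_by(change):
    """Latest time by which the change should have taken effect everywhere."""
    return _ts(change["time"]) + MAX_PROPAGATION

def classify(use, changes):
    """Return 'ok', 'within_window' or 'beyond_window' for one key use."""
    verdict = "ok"
    for ch in changes:
        if ch["action"] == "disable":
            # A disabled version should serve neither encrypt nor decrypt.
            stale = use["version"] == ch["version"]
        else:
            # After a primary change only encryption should move off the old
            # version; decrypting with it stays legitimate.
            stale = use["op"] == "encrypt" and use["version"] == ch["previous"]
        if not stale or _ts(use["time"]) < _ts(ch["time"]):
            continue
        if _ts(use["time"]) > propagated_by(ch):
            return "beyond_window"  # outside the documented bound: investigate
        verdict = "within_window"   # expected while the change propagates
    return verdict

def report(uses=USES, changes=CHANGES):
    return [(u["time"][11:16], u["op"], classify(u, changes)) for u in uses]

if __name__ == "__main__":
    for row in report():
        print(*row)
```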