Cloud KMS resource consistency

Some operations on Cloud Key Management Service resources are strongly consistent, while others are eventually consistent and may take on average 1 minute, and up to 3 hours for less than 1% of requests, to propagate. This topic describes how consistency affects Cloud KMS resources when they are created or modified.

Consistency of key rings

Creating a key ring is a strongly consistent operation. Upon creation, a key ring is instantly available for use.

Consistency of keys

Creating a key is a strongly consistent operation. Upon creation, a key is instantly available for use.

For information about the consistency of a key version after a key is rotated, see consistency of key versions.

Consistency of key versions

Enabling a key version is a strongly consistent operation. The enabled key version is instantly available for encrypting and decrypting data.

Disabling a key version is an eventually consistent operation. The disabled key version remains usable for encrypting and decrypting data for about 1 minute on average, and for up to 3 hours for less than 1% of requests.

Key rotation, which results in a new primary key version, and manually changing the primary key version are eventually consistent operations. After you set a different version as the primary version, there is a delay of on average 1 minute, and up to 3 hours for less than 1% of requests, during which the previous primary version is still used for encrypting data.

Impact of changing IAM access

If you need to prevent a user from using a Cloud KMS resource during the time needed for propagation of an eventually consistent operation, remove the Identity and Access Management (IAM) permission for the resource. For example, you can prevent a user from using a newly disabled key version by removing the IAM role that allows the user to access the key. IAM changes are consistent within seconds; to learn more, see the IAM FAQ entry.
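The mitigation described above, scripted with gcloud as an added example that is not part of the original documentation: it removes the IAM binding before disabling the key version, so the change that is consistent within seconds lands first. The function name, the `DRY_RUN` switch, the choice of ordering, and every resource name passed to it are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: close the propagation window of a key-version disable
# by revoking the caller's IAM binding on the key first.
set -u

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = also run them

# Print a command line, and execute it only when DRY_RUN=0.
run() {
  printf '%s\n' "$*"
  if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# usage: retire_key_version LOCATION KEYRING KEY VERSION MEMBER ROLE
retire_key_version() {
  if [ "$#" -ne 6 ]; then
    echo "usage: retire_key_version LOCATION KEYRING KEY VERSION MEMBER ROLE" >&2
    return 2
  fi
  local location="$1" keyring="$2" key="$3" version="$4" member="$5" role="$6"
  local rc=0

  # 1. IAM change: consistent within seconds, so the member loses access
  #    even while the disable below is still propagating.
  run gcloud kms keys remove-iam-policy-binding "$key" \
      --keyring="$keyring" --location="$location" \
      --member="$member" --role="$role" || rc=1

  # 2. Disable the key version: eventually consistent. Attempted even if
  #    step 1 failed, so a failed revoke does not leave the version enabled.
  run gcloud kms keys versions disable "$version" \
      --key="$key" --keyring="$keyring" --location="$location" || rc=1

  # 3. Read back the recorded state of the version (expected: DISABLED).
  run gcloud kms keys versions describe "$version" \
      --key="$key" --keyring="$keyring" --location="$location" \
      --format='value(state)' || rc=1

  return "$rc"
}
```

With `DRY_RUN=1` (the default) the function only prints the three commands for review; a non-zero return with `DRY_RUN=0` means at least one step failed and the binding or version state should be checked by hand.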