Some operations on Cloud KMS resources are strongly consistent, while others are eventually consistent and may take up to 3 hours to propagate. This topic describes how consistency affects Cloud KMS resources when they are created or modified.
Consistency of key rings
Creating a key ring is a strongly consistent operation. Upon creation, a key ring is instantly available for use.
Consistency of keys
Creating a key is a strongly consistent operation. Upon creation, a key is instantly available for use.
For information about the consistency of a key version after a key is rotated, see consistency of key versions.
Consistency of key versions
Enabling a key version is a strongly consistent operation. The enabled key version is instantly available for encrypting and decrypting data.
Disabling a key version is an eventually consistent operation. The disabled key version remains usable for encrypting and decrypting data for about 40 minutes on average, and up to 3 hours.
Key rotation, which results in a new primary key version, and manually changing the primary key version are eventually consistent operations. After you set a different version as the primary version, there is a delay of 40 minutes on average, and up to 3 hours, during which the previous primary version is still used for encrypting data.
Impact of changing Cloud IAM access
If you need to prevent a user from using a Cloud KMS resource while an eventually consistent operation is still propagating, remove the Cloud IAM permission for the resource. For example, to prevent a user from using a newly disabled key version, remove that user's Cloud IAM access on the key. For information on how long it takes for Cloud IAM to propagate a change, see this Cloud IAM FAQ entry.
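The following added example (not part of the original documentation or of any Google tooling) shows how the 3-hour bound can be applied when reviewing key usage after a version is disabled or the primary version is changed. The record fields, principal names, and function names are hypothetical, and the sample records are constructed and simplified rather than taken from the Cloud Audit Logs schema.

```python
from datetime import datetime, timedelta, timezone

MAX_PROPAGATION = timedelta(hours=3)  # upper bound stated on this page

# Operations whose continued success the delay explains, per change type.
# After a disable, encrypt and decrypt both keep working for a while. After a
# primary change only encryption is affected: the old version stays enabled,
# so decrypting with it remains normal.
AFFECTED_OPS = {"disable": {"encrypt", "decrypt"}, "primary_change": {"encrypt"}}

def classify(event_time, change_time):
    """Place one use of the old version relative to the propagation window."""
    if event_time < change_time:
        return "before_change"
    if event_time - change_time <= MAX_PROPAGATION:
        return "propagation_window"
    return "beyond_window"

def triage(events, version, change_kind, change_time):
    """Group successful uses of the old `version` by position in the window."""
    report = {"before_change": [], "propagation_window": [], "beyond_window": []}
    for ev in events:
        if ev["version"] != version or not ev["ok"]:
            continue  # other versions and denied requests are out of scope
        if ev["op"] not in AFFECTED_OPS[change_kind]:
            continue
        report[classify(ev["time"], change_time)].append((ev["principal"], ev["op"]))
    return report

def at(hhmm):
    """Build a constructed sample timestamp (single day, UTC)."""
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)

# Constructed sample records (simplified; hypothetical field names).
SAMPLE = [
    {"time": at("09:50"), "principal": "svc-a", "op": "encrypt", "version": "1", "ok": True},
    {"time": at("10:20"), "principal": "svc-a", "op": "decrypt", "version": "1", "ok": True},
    {"time": at("12:59"), "principal": "svc-b", "op": "encrypt", "version": "1", "ok": True},
    {"time": at("13:30"), "principal": "svc-b", "op": "decrypt", "version": "1", "ok": True},
    {"time": at("13:45"), "principal": "svc-a", "op": "encrypt", "version": "1", "ok": False},
    {"time": at("10:30"), "principal": "svc-a", "op": "encrypt", "version": "2", "ok": True},
]
DISABLED_AT = at("10:00")  # constructed time at which version 1 was disabled

if __name__ == "__main__":
    for label, uses in triage(SAMPLE, "1", "disable", DISABLED_AT).items():
        print(label, uses)
```

Principals listed under `propagation_window` are the ones whose Cloud IAM access on the key would need to be removed to stop use before the change propagates. A successful use under `beyond_window` falls outside the documented bound and is worth checking against the key version's state history.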