Monitor and adjust Cloud KMS quotas

This page shows you how to manage your Cloud Key Management Service quotas. For details on the quotas associated with Cloud KMS, see Quotas.

Before you begin

The following permissions are required to view project quotas:

resourcemanager.projects.get
monitoring.timeSeries.list
serviceusage.services.list
serviceusage.quotas.get

The serviceusage.quotas.update permission is required to change project quotas.

For details about which IAM roles include these permissions, see IAM permissions reference.

Check your Cloud KMS quotas

In the Google Cloud console, go to the API/Service Details page for the Cloud KMS API.

Go to Cloud KMS API/Service Details

This page lets you view quota details for the Cloud KMS API.
To view quotas for a different project, select the desired project in the Google Cloud console header.
To filter by quota type, click in the Filter bar and select Quota from the properties list, then choose the desired quota.
To filter by region, click in the Filter bar and select Dimensions (e.g. location): from the properties list, then enter the desired region name.

If you find you are nearing or exceeding your quotas, you can Request higher Cloud KMS quotas.

Troubleshoot quota issues

If Cloud KMS denies a request because the relevant quota's limit has been reached, it returns a RESOURCE_EXHAUSTED error. For requests made using the Cloud KMS REST API, the RESOURCE_EXHAUSTED error has an HTTP status code of 429. Because Cloud KMS hosting project quotas are enforced on a per second basis, occasional RESOURCE_EXHAUSTED errors for HSM or EKM keys can be addressed by retrying the next second.

Recurring RESOURCE_EXHAUSTED errors indicate that your project regularly exceeds one or more of its quotas. To address this issue, you can try any or all of the following:

Reduce the rate at which your projects are making requests that use Cloud KMS resources.
Request higher Cloud KMS quotas.
Use separate projects for your resources where appropriate so that multiple resources aren't sharing the same quotas.
- Calling project quotas - If you have a single project which contains several resources that use the Cloud KMS API at high request rates, consider moving resources to their own projects so that they do not share the 60,000 QPM limit.
- Hosting project quotas - If you have a single project which contains Cloud HSM or Cloud EKM keys that support distinct resources with high QPS rates, consider splitting Cloud KMS keys into separate projects based on details like their priority or workload. This way fewer keys share the same Cloud HSM and Cloud EKM quotas.
Note: Creating additional projects as described here may create issues with other quotas, such as your Projects per user or Projects per billing account quotas. For more information about Google Cloud quotas, see Working with quotas.
Add a backoff mechanism to your client to handle RESOURCE_EXHAUSTED errors.

Request higher Cloud KMS quotas

In the Google Cloud console, go to the API/Service Details page for the Cloud KMS API.

Go to Cloud KMS API/Service Details

This page lets you view quota details for the Cloud KMS API.
To request a quota increase for a different project, select the desired project in the Google Cloud console header.
In the list of quotas, select the default or regional quota you wish to increase, then click Edit Quotas.

Note: Multiregional and global quotas do not appear in the console. To increase quota for multiregional locations or the global location, make the request for a different region and mention the multiregion in the Request description.
In the Quota changes pane, enter the desired limits for the selected quotas.
In Request description, provide a description of the reason for your request.
Click Next to continue.
Provide your contact information including Name, Email, and Phone.
To complete your request, click Submit request.

Once your request is submitted, it is sent to approvers for evaluation. You will be notified about the status of your request once it has been reviewed.

Cap Cloud KMS usage for a specific project

If you wish to impose a stricter quota on usage of your Cloud KMS resources, you can choose to set the quota for a given project to a lower limit than the default. For example, if you have multiple projects whose resources use Cloud HSM or Cloud EKM keys in the same project, you may choose to set the Cryptographic requests quota lower on each calling project to ensure that you do not go over a quota like HSM symmetric cryptographic requests per region on the project which hosts those keys.

In the Google Cloud console, go to the API/Service Details page for the Cloud KMS API.

Go to Cloud KMS API/Service Details

This page lets you view quota details for the Cloud KMS API.
To decrease a quota for a different project, select the desired project in the Google Cloud console header.
In the list of quotas, select the default or regional quota you wish to decrease, then click Edit Quotas.
In the Quota changes pane, enter the desired limits for the selected quotas.
Click Next to continue.

If you are reducing a quota by more than 10% of the current limit, a warning appears. To continue applying a lower quota than the default, click Confirm. Otherwise, you can click Cancel to go back and choose a new limit.
To save your changes, click Submit request.

Your new limit is active immediately.

What's next

Learn more about Working with quotas.
For information on how client libraries surface the RESOURCE_EXHAUSTED error, see Client library mapping.
View details about Cloud KMS quotas.