PROJECT_ID: The ID of the Cloud KMS project you
want to monitor.
RESOURCE_TYPE: The types of resource for which you want
to receive notifications. Use commas between resource types—for
example,
cloudkms.googleapis.com/CryptoKey,cloudkms.googleapis.com/CryptoKeyVersion.
You can notify on any
supported resource
type,
including the following:
cloudkms.googleapis.com/CryptoKey
cloudkms.googleapis.com/CryptoKeyVersion
cloudkms.googleapis.com/EkmConnection
cloudkms.googleapis.com/ImportJob
cloudkms.googleapis.com/KeyRing
PUBSUB_TOPIC: The name of the Pub/Sub topic
you created in Before you begin
This creates a notification when resources of the indicated type are created or
updated. The notification indicates that the resource has been updated, but does
not include detailed information about the update. For example, an update
notification for a CryptoKeyVersion might mean the version was made primary or
that the version was scheduled for destruction. When you receive a notification
that a resource has been updated, you should check the resource to find its
current state.
Notify on specific resource changes
To create a feed with a condition, use the gcloud asset feeds create
command with the --condition-expression flag.
RESOURCE_TYPE: The type of resource for which you want to
receive notifications—for example,
cloudkms.googleapis.com/CryptoKeyVersion. You can notify on any
supported resource
type,
including the following:
cloudkms.googleapis.com/CryptoKey
cloudkms.googleapis.com/CryptoKeyVersion
cloudkms.googleapis.com/EkmConnection
cloudkms.googleapis.com/ImportJob
cloudkms.googleapis.com/KeyRing
PUBSUB_TOPIC: The name of the Pub/Sub topic
you created in Before you begin
CONDITION_EXPRESSION: A condition expression in Common
Expression Language (CEL). For example,
"folders/FOLDER_NUMBER" in temporal_asset.asset.ancestors
causes the feed to only create notifications when the indicated resource is
located within folder FOLDER_NUMBER.
This creates a notification when resources of the indicated type that match the
specified condition expression are created, deleted, or updated.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Monitor state changes using Pub/Sub\n\nThis page shows you how to use [Pub/Sub](/pubsub) to create notifications on\nstate changes for Cloud KMS resources.\n\nBefore you begin\n----------------\n\nTo enable APIs, grant required permissions, and create a Pub/Sub\ntopic, follow the instructions in [Before you\nbegin](/asset-inventory/docs/monitoring-asset-changes#before_you_begin) in\n\"Monitoring asset changes\".\n\nConfigure a feed\n----------------\n\nConfigure a feed that monitors the type of changes and resources that you are\ninterested in.\n\n### Notify on all resource changes\n\nTo create a feed, use the [`gcloud asset feeds create`](/sdk/gcloud/reference/asset/feeds/create) command. \n\n```\ngcloud asset feeds create FEED_NAME \\\n --project=PROJECT_ID \\\n --asset-types=\"RESOURCE_TYPE\" \\\n --pubsub-topic=\"PUBSUB_TOPIC\"\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eFEED_NAME\u003c/var\u003e: The name to use for your Pub/Sub feed.\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: The ID of the Cloud KMS project you want to monitor.\n- \u003cvar translate=\"no\"\u003eRESOURCE_TYPE\u003c/var\u003e: The types of resource for which you want\n to receive notifications. Use commas between resource types---for\n example,\n `cloudkms.googleapis.com/CryptoKey,cloudkms.googleapis.com/CryptoKeyVersion`.\n You can notify on any\n [supported resource\n type](/asset-inventory/docs/supported-asset-types#supported_resource_types),\n including the following:\n\n - `cloudkms.googleapis.com/CryptoKey`\n - `cloudkms.googleapis.com/CryptoKeyVersion`\n - `cloudkms.googleapis.com/EkmConnection`\n - `cloudkms.googleapis.com/ImportJob`\n - `cloudkms.googleapis.com/KeyRing`\n- \u003cvar translate=\"no\"\u003ePUBSUB_TOPIC\u003c/var\u003e: The name of the Pub/Sub topic\n you created in [Before you begin](#before-begin)\n\nThis creates a notification when resources of the indicated type are created or\nupdated. The notification indicates that the resource has been updated, but does\nnot include detailed information about the update. For example, an update\nnotification for a `CryptoKeyVersion` might mean the version was made primary or\nthat the version was scheduled for destruction. When you receive a notification\nthat a resource has been updated, you should check the resource to find its\ncurrent state.\n| **Note:** Cloud KMS does not support resource deletion. Key rings, keys, and key versions can't be deleted. The only way to fully delete Cloud KMS resources is to delete the project that contains them. Scheduling a `CryptoKeyVersion` for destruction and destruction of `CryptoKeyVersion` resources are update operations.\n\n### Notify on specific resource changes\n\nTo create a feed with a condition, use the [`gcloud asset feeds create`](/sdk/gcloud/reference/asset/feeds/create)\ncommand with the `--condition-expression` flag. \n\n```\ngcloud asset feeds create FEED_NAME \\\n --project=PROJECT_ID \\\n --asset-types=\"RESOURCE_TYPE\" \\\n --pubsub-topic=\"PUBSUB_TOPIC\" \\\n --condition-expression=\"CONDITION_EXPRESSION\"\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eFEED_NAME\u003c/var\u003e: The name to use for your Pub/Sub feed.\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: The ID of your Cloud KMS project.\n- \u003cvar translate=\"no\"\u003eRESOURCE_TYPE\u003c/var\u003e: The type of resource for which you want to\n receive notifications---for example,\n `cloudkms.googleapis.com/CryptoKeyVersion`. You can notify on any\n [supported resource\n type](/asset-inventory/docs/supported-asset-types#supported_resource_types),\n including the following:\n\n - `cloudkms.googleapis.com/CryptoKey`\n - `cloudkms.googleapis.com/CryptoKeyVersion`\n - `cloudkms.googleapis.com/EkmConnection`\n - `cloudkms.googleapis.com/ImportJob`\n - `cloudkms.googleapis.com/KeyRing`\n- \u003cvar translate=\"no\"\u003ePUBSUB_TOPIC\u003c/var\u003e: The name of the Pub/Sub topic\n you created in [Before you begin](#before-begin)\n\n- \u003cvar translate=\"no\"\u003eCONDITION_EXPRESSION\u003c/var\u003e: A condition expression in [Common\n Expression Language (CEL)](https://github.com/google/cel-spec). For example,\n `\"folders/`\u003cvar translate=\"no\"\u003eFOLDER_NUMBER\u003c/var\u003e`\" in temporal_asset.asset.ancestors`\n causes the feed to only create notifications when the indicated resource is\n located within folder \u003cvar translate=\"no\"\u003eFOLDER_NUMBER\u003c/var\u003e.\n\nThis creates a notification when resources of the indicated type that match the\nspecified condition expression are created, deleted, or updated."]]
