This page provides supplemental information about organization policy constraints that apply to Cloud Key Management Service. Use constraints to enforce resource behaviors across an entire project or organization.
Cloud KMS constraints
The following constraints can be applied to an organization policy and relate to Cloud Key Management Service.
Enforce resource locations
API Name: constraints/gcp.resourceLocations
When you apply the resourceLocations constraint, you specify one or more locations. Once set, creation of new resources (e.g. key rings, keys, key versions) is limited to the specified locations.
Keys in other locations, created or imported before the constraint was applied, will remain usable. However, key rotation (automated creation of a new primary key version) will fail if the result would be a new key version in a disallowed location.
Allowed protection levels
API Name: constraints/cloudkms.allowedProtectionLevels
When you apply the allowedProtectionLevels constraint, you specify one or more protection levels. Once set, new keys, key versions, and import jobs must use one of the specified protection levels.
Keys with other protection levels, created before the constraint was applied, will remain usable. However, key rotation (automated creation of a new primary key version) will fail if the result would be a new key version with a disallowed protection level.
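As an added example (not Google's code), the following Python models the decision that both constraints above make for a creation request, including the rotation failure mode: an existing key in a disallowed location or with a disallowed protection level keeps working, but its next rotation is rejected. The policy values, key names and the partial expansion of the in:us-locations value group are constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed example data. Value groups such as "in:us-locations" are real
# gcp.resourceLocations syntax, but this expansion table is an illustrative
# assumption listing only a few members, not the full group.
US_LOCATIONS_GROUP = {"us", "us-central1", "us-east1", "us-west1"}

@dataclass
class OrgPolicy:
    # allowedValues of constraints/gcp.resourceLocations (empty = not set)
    allowed_locations: set[str] = field(default_factory=set)
    # allowedValues of constraints/cloudkms.allowedProtectionLevels (empty = not set)
    allowed_protection_levels: set[str] = field(default_factory=set)

@dataclass
class CryptoKey:
    name: str
    location: str
    protection_level: str  # e.g. SOFTWARE or HSM

def location_allowed(policy: OrgPolicy, location: str) -> bool:
    if not policy.allowed_locations:
        return True
    for value in policy.allowed_locations:
        if value == "in:us-locations" and location in US_LOCATIONS_GROUP:
            return True
        if value == location:
            return True
    return False

def protection_level_allowed(policy: OrgPolicy, level: str) -> bool:
    return not policy.allowed_protection_levels or level in policy.allowed_protection_levels

def check_create(policy: OrgPolicy, location: str, level: str) -> list[str]:
    """Violations for creating a new key ring, key, key version or import job."""
    problems = []
    if not location_allowed(policy, location):
        problems.append(f"location {location} is not an allowed location")
    if not protection_level_allowed(policy, level):
        problems.append(f"protection level {level} is not allowed")
    return problems

def check_rotation(policy: OrgPolicy, key: CryptoKey) -> list[str]:
    """Rotation creates a new primary version that inherits the key's location
    and protection level, so a pre-existing key the constraint would now forbid
    stays usable, but its next rotation fails with the same violations."""
    return check_create(policy, key.location, key.protection_level)
```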
What's next
- Learn about the resource hierarchy that applies to organization policies.
- See Creating and managing organization policies for instructions on working with constraints and organization policies in the Google Cloud console.
- See Using constraints for instructions on working with constraints and organization policies in gcloud.
- See the Resource Manager API reference documentation for relevant API methods, such as projects.setOrgPolicy.