Cloud KMS Client Libraries

This page shows how to get started with the Cloud Client Libraries for the Cloud Key Management Service API. Read more about the client libraries for Cloud APIs in Client Libraries Explained.

Installing the client library

C#

For more information, see Setting Up a C# Development Environment.

Using PowerShell or the Visual Studio Package Manager Console:

Install-Package "Google.Cloud.Kms.V1" -Version "2.0.0-beta03"

Using the dotnet CLI:

dotnet add package "Google.Cloud.Kms.V1" -Version "2.0.0-beta03"

Go

For more information, see Setting Up a Go Development Environment.

go get -u "cloud.google.com/go/kms/apiv1"

Java

For more information, see Setting Up a Java Development Environment.

Node.js

For more information, see Setting Up a Node.js Development Environment.

npm install --save "@google-cloud/kms"

PHP

For more information, see Using PHP on Google Cloud.

composer require "google/cloud-kms"

Python

For more information, see Setting Up a Python Development Environment.

pip install --upgrade "google-cloud-kms"

Ruby

For more information, see Setting Up a Ruby Development Environment.

gem install "google-cloud-kms"

Setting up authentication

To run the client library, you must first set up authentication by creating a service account and setting an environment variable. Complete the following steps to set up authentication. For other ways to authenticate, see the GCP authentication documentation.

Cloud Console

  1. 在 Cloud Console 中,转到创建服务帐号密钥页面。

    转到“创建服务帐号密钥”页面
  2. 服务帐号列表中,选择新的服务帐号
  3. 服务帐号名称字段中,输入一个名称。

  4. 角色列表中,选择项目 > 所有者

    注意角色字段授权您的服务帐号资源访问权限。您稍后可以使用 Cloud Console 查看和更改此字段。如果您开发的是正式版应用,请指定比项目 > Owner 更为精细的权限。如需了解详情,请参阅为服务帐号授予角色
  5. 点击创建。包含密钥的 JSON 文件就会下载到计算机。

命令行

您可以使用本地机器上的 Cloud SDK 或在 Cloud Shell 中运行以下命令。

  1. 创建服务帐号。将 [NAME] 替换为服务帐号的名称。 

    gcloud iam service-accounts create [NAME]

  2. 向服务帐号授予权限。将 [PROJECT_ID] 替换为您的项目 ID。

    gcloud projects add-iam-policy-binding [PROJECT_ID] --member "serviceAccount:[NAME]@[PROJECT_ID].iam.gserviceaccount.com" --role "roles/owner"
    注意角色字段授权您的服务帐号资源访问权限。您稍后可以使用 Cloud Console 查看和更改此字段。如果您开发的是正式版应用,请指定比项目 > Owner 更为精细的权限。如需了解详情,请参阅向服务帐号授予角色

  3. 生成密钥文件。将 [FILE_NAME] 替换为密钥文件的名称。

    gcloud iam service-accounts keys create [FILE_NAME].json --iam-account [NAME]@[PROJECT_ID].iam.gserviceaccount.com

通过设定环境变量 GOOGLE_APPLICATION_CREDENTIALS,向您的应用代码提供身份验证凭据。将 [PATH] 替换为包含您服务帐号密钥的 JSON 文件的路径,并将 [FILE_NAME] 替换为文件名。此变量仅适用于当前的 shell 会话,因此,如果您打开新的会话,请重新设置该变量。

Linux 或 macOS

export GOOGLE_APPLICATION_CREDENTIALS="[PATH]"

例如:

export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/[FILE_NAME].json"

Windows

使用 PowerShell:

$env:GOOGLE_APPLICATION_CREDENTIALS="[PATH]"

例如:

$env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\[FILE_NAME].json"

使用命令提示符:

set GOOGLE_APPLICATION_CREDENTIALS=[PATH]

Using the client library

The following example shows how to use the client library.

C#

For more information, see the Cloud KMS C# API reference documentation. 


using Google.Api.Gax.ResourceNames;
using Google.Cloud.Kms.V1;

public class QuickstartSample
{
    public void Quickstart(string projectId = "my-project", string locationId = "us-east1")
    {
        // Create a Cloud KMS client.
        KeyManagementServiceClient client = KeyManagementServiceClient.Create();

        // Build the parent location name.
        LocationName locationName = new LocationName(projectId, locationId);

        // Iterate over and print each key ring name;
        foreach (KeyRing keyRing in client.ListKeyRings(locationName))
        {
            // ... (e.g. keyRing.Name)
        }
    }
}

Go

For more information, see the Cloud KMS Go API reference documentation. 


// Sample quickstart is a basic program that uses Cloud KMS.
package main

import (
	"context"
	"fmt"
	"log"

	kms "cloud.google.com/go/kms/apiv1"
	"google.golang.org/api/iterator"
	kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1"
)

func main() {
	// GCP project with which to communicate.
	projectID := "your-project-id"

	// Location in which to list key rings.
	locationID := "global"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		log.Fatalf("failed to setup client: %v", err)
	}

	// Create the request to list KeyRings.
	listKeyRingsReq := &kmspb.ListKeyRingsRequest{
		Parent: fmt.Sprintf("projects/%s/locations/%s", projectID, locationID),
	}

	// List the KeyRings.
	it := client.ListKeyRings(ctx, listKeyRingsReq)

	// Iterate and print the results.
	for {
		resp, err := it.Next()
		if err == iterator.Done {
			break
		}
		if err != nil {
			log.Fatalf("Failed to list key rings: %v", err)
		}

		fmt.Printf("key ring: %s\n", resp.Name)
	}
}

Java

For more information, see the Cloud KMS Java API reference documentation. 

import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyManagementServiceClient.ListKeyRingsPagedResponse;
import com.google.cloud.kms.v1.KeyRing;
import com.google.cloud.kms.v1.LocationName;
import java.io.IOException;

public class Quickstart {

  public void quickstart() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    quickstart(projectId, locationId);
  }

  public void quickstart(String projectId, String locationId) throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the parent from the project and location.
      LocationName parent = LocationName.of(projectId, locationId);

      // Call the API.
      ListKeyRingsPagedResponse response = client.listKeyRings(parent);

      // Iterate over each key ring and print its name.
      System.out.println("key rings:");
      for (KeyRing keyRing : response.iterateAll()) {
        System.out.printf("%s%n", keyRing.getName());
      }
    }
  }
}

Node.js

For more information, see the Cloud KMS Node.js API reference documentation. 

//
// TODO(developer): Uncomment these variables before running the sample.
//
// const projectId = 'my-project';
// const locationId = 'us-east1';

// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');

// Instantiates a client
const client = new KeyManagementServiceClient();

// Build the location name
const locationName = client.locationPath(projectId, locationId);

async function listKeyRings() {
  const [keyRings] = await client.listKeyRings({
    parent: locationName,
  });

  for (const keyRing of keyRings) {
    console.log(keyRing.name);
  }

  return keyRings;
}

return listKeyRings();

PHP

For more information, see the Cloud KMS PHP API reference documentation. 

use Google\Cloud\Kms\V1\KeyManagementServiceClient;

function quickstart_sample(
    string $projectId = 'my-project',
    string $locationId = 'us-east1'
) {
    // Create the Cloud KMS client.
    $client = new KeyManagementServiceClient();

    // Build the parent location name.
    $locationName = $client->locationName($projectId, $locationId);

    // Call the API.
    $keyRings = $client->listKeyRings($locationName);

    // Example of iterating over key rings.
    printf('Key rings in %s:' . PHP_EOL, $locationName);
    foreach ($keyRings as $keyRing) {
        printf('%s' . PHP_EOL, $keyRing->getName());
    }

    return $keyRings;
}

Python

For more information, see the Cloud KMS Python API reference documentation. 

def quickstart(project_id, location_id):
    # Import the client library.
    from google.cloud import kms

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the parent location name.
    location_name = client.location_path(project_id, location_id)

    # Call the API.
    key_rings = client.list_key_rings(location_name)

    # Example of iterating over key rings.
    for key_ring in key_rings:
        print(key_ring.name)

    return key_rings

Ruby

For more information, see the Cloud KMS Ruby API reference documentation. 

# TODO(developer): uncomment these values before running the sample.
# project_id  = "my-project"
# location_id = "us-east1"

# Require the library.
require "google/cloud/kms"

# Create the client.
client = Google::Cloud::Kms.key_management_service

# Build the parent location name.
location_name = client.location_path project: project_id, location: location_id

# Call the API.
key_rings = client.list_key_rings parent: location_name

# Example of iterating over key rings.
puts "Key rings in #{location_name}"
key_rings.each do |key_ring|
  puts key_ring.name.to_s
end

Next steps

Learn how to programmatically encrypt and decrypt data.

Additional resources