Resource: EkmConnection
An EkmConnection
represents an individual EKM connection. It can be used for creating CryptoKeys
and CryptoKeyVersions
with a ProtectionLevel
of [EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], as well as performing cryptographic operations using keys created within the EkmConnection
.
JSON representation |
---|
{ "name": string, "createTime": string, "serviceResolvers": [ { object ( |
Fields | |
---|---|
name |
Output only. The resource name for the |
create |
Output only. The time at which the A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
service |
Optional. A list of |
etag |
Optional. Etag of the currently stored |
key |
Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to |
crypto |
Optional. Identifies the EKM Crypto Space that this |
ServiceResolver
A ServiceResolver
represents an EKM replica that can be reached within an EkmConnection
.
JSON representation |
---|
{
"serviceDirectoryService": string,
"endpointFilter": string,
"hostname": string,
"serverCertificates": [
{
object ( |
Fields | |
---|---|
service |
Required. The resource name of the Service Directory service pointing to an EKM replica, in the format |
endpoint |
Optional. The filter applied to the endpoints of the resolved service. If no filter is specified, all endpoints will be considered. An endpoint will be chosen arbitrarily from the filtered list for each request. For endpoint filter syntax and examples, see https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest. |
hostname |
Required. The hostname of the EKM replica used at TLS and HTTP layers. |
server |
Required. A list of leaf server certificates used to authenticate HTTPS connections to the EKM replica. Currently, a maximum of 10 |
Certificate
A Certificate
represents an X.509 certificate used to authenticate HTTPS connections to EKM replicas.
JSON representation |
---|
{ "rawDer": string, "parsed": boolean, "issuer": string, "subject": string, "subjectAlternativeDnsNames": [ string ], "notBeforeTime": string, "notAfterTime": string, "serialNumber": string, "sha256Fingerprint": string } |
Fields | |
---|---|
raw |
Required. The raw certificate bytes in DER format. A base64-encoded string. |
parsed |
Output only. True if the certificate was parsed successfully. |
issuer |
Output only. The issuer distinguished name in RFC 2253 format. Only present if |
subject |
Output only. The subject distinguished name in RFC 2253 format. Only present if |
subject |
Output only. The subject Alternative DNS names. Only present if |
not |
Output only. The certificate is not valid before this time. Only present if A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
not |
Output only. The certificate is not valid after this time. Only present if A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
serial |
Output only. The certificate serial number as a hex string. Only present if |
sha256 |
Output only. The SHA-256 certificate fingerprint as a hex string. Only present if |
KeyManagementMode
KeyManagementMode
describes who can perform control plane cryptographic operations using this EkmConnection
.
Enums | |
---|---|
KEY_MANAGEMENT_MODE_UNSPECIFIED |
Not specified. |
MANUAL |
EKM-side key management operations on CryptoKeys created with this EkmConnection must be initiated from the EKM directly and cannot be performed from Cloud KMS. This means that: * When creating a CryptoKeyVersion associated with this EkmConnection , the caller must supply the key path of pre-existing external key material that will be linked to the CryptoKeyVersion . * Destruction of external key material cannot be requested via the Cloud KMS API and must be performed directly in the EKM. * Automatic rotation of key material is not supported. |
CLOUD_KMS |
All CryptoKeys created with this EkmConnection use EKM-side key management operations initiated from Cloud KMS. This means that: * When a CryptoKeyVersion associated with this EkmConnection is created, the EKM automatically generates new key material and a new key path. The caller cannot supply the key path of pre-existing external key material. * Destruction of external key material associated with this EkmConnection can be requested by calling [cryptoKeyVersions.destroy][EkmService.DestroyCryptoKeyVersion]. * Automatic rotation of key material is supported. |
Methods |
|
---|---|
|
Creates a new EkmConnection in a given Project and Location. |
|
Returns metadata for a given EkmConnection . |
|
Gets the access control policy for a resource. |
|
Lists EkmConnections . |
|
Updates an EkmConnection 's metadata. |
|
Sets the access control policy on the specified resource. |
|
Returns permissions that a caller has on the specified resource. |
|
Verifies that Cloud KMS can successfully connect to the external key manager specified by an EkmConnection . |