Cloud Key Management Service (KMS) API

Manages keys and performs cryptographic operations in a central cloud service, for direct use by other cloud resources and applications.

Service: cloudkms.googleapis.com

To call this service, we recommend that you use the Google-provided client libraries. If your application needs to use your own libraries to call this service, use the following information when you make the API requests.

Discovery document

A Discovery Document is a machine-readable specification for describing and consuming REST APIs. It is used to build client libraries, IDE plugins, and other tools that interact with Google APIs. One service may provide multiple discovery documents. This service provides the following discovery document:

Service endpoint

A service endpoint is a base URL that specifies the network address of an API service. One service might have multiple service endpoints. This service has the following service endpoint and all URIs below are relative to this service endpoint:

  • https://cloudkms.googleapis.com

REST Resource: v1.projects.locations

Methods
get GET /v1/{name=projects/*/locations/*}
Gets information about a location.
list GET /v1/{name=projects/*}/locations
Lists information about the supported locations for this service.

REST Resource: v1.projects.locations.keyRings

Methods
create POST /v1/{parent=projects/*/locations/*}/keyRings
Create a new KeyRing in a given Project and Location.
get GET /v1/{name=projects/*/locations/*/keyRings/*}
Returns metadata for a given KeyRing.
getIamPolicy GET /v1/{resource=projects/*/locations/*/keyRings/*}:getIamPolicy
Gets the access control policy for a resource.
list GET /v1/{parent=projects/*/locations/*}/keyRings
Lists KeyRings.
setIamPolicy POST /v1/{resource=projects/*/locations/*/keyRings/*}:setIamPolicy
Sets the access control policy on the specified resource.
testIamPermissions POST /v1/{resource=projects/*/locations/*/keyRings/*}:testIamPermissions
Returns permissions that a caller has on the specified resource.

REST Resource: v1.projects.locations.keyRings.cryptoKeys

Methods
create POST /v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys
Create a new CryptoKey within a KeyRing.
decrypt POST /v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:decrypt
Decrypts data that was protected by Encrypt.
encrypt POST /v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt
Encrypts data, so that it can only be recovered by a call to Decrypt.
get GET /v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}
Returns metadata for a given CryptoKey, as well as its primary CryptoKeyVersion.
getIamPolicy GET /v1/{resource=projects/*/locations/*/keyRings/*/cryptoKeys/*}:getIamPolicy
Gets the access control policy for a resource.
list GET /v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys
Lists CryptoKeys.
patch PATCH /v1/{cryptoKey.name=projects/*/locations/*/keyRings/*/cryptoKeys/*}
Update a CryptoKey.
setIamPolicy POST /v1/{resource=projects/*/locations/*/keyRings/*/cryptoKeys/*}:setIamPolicy
Sets the access control policy on the specified resource.
testIamPermissions POST /v1/{resource=projects/*/locations/*/keyRings/*/cryptoKeys/*}:testIamPermissions
Returns permissions that a caller has on the specified resource.
updatePrimaryVersion POST /v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:updatePrimaryVersion
Update the version of a CryptoKey that will be used in Encrypt.

REST Resource: v1.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions

Methods
asymmetricDecrypt POST /v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricDecrypt
Decrypts data that was encrypted with a public key retrieved from GetPublicKey corresponding to a CryptoKeyVersion with CryptoKey.purpose ASYMMETRIC_DECRYPT.
asymmetricSign POST /v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricSign
Signs data using a CryptoKeyVersion with CryptoKey.purpose ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved from GetPublicKey.
create POST /v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions
Create a new CryptoKeyVersion in a CryptoKey.
destroy POST /v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:destroy
Schedule a CryptoKeyVersion for destruction.
get GET /v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}
Returns metadata for a given CryptoKeyVersion.
getPublicKey GET /v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}/publicKey
Returns the public key for the given CryptoKeyVersion.
import POST /v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions:import
Imports a new CryptoKeyVersion into an existing CryptoKey using the wrapped key material provided in the request.
list GET /v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions
Lists CryptoKeyVersions.
patch PATCH /v1/{cryptoKeyVersion.name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}
Update a CryptoKeyVersion's metadata.
restore POST /v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:restore
Restore a CryptoKeyVersion in the DESTROY_SCHEDULED state.

REST Resource: v1.projects.locations.keyRings.importJobs

Methods
create POST /v1/{parent=projects/*/locations/*/keyRings/*}/importJobs
Create a new ImportJob within a KeyRing.
get GET /v1/{name=projects/*/locations/*/keyRings/*/importJobs/*}
Returns metadata for a given ImportJob.
getIamPolicy GET /v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:getIamPolicy
Gets the access control policy for a resource.
list GET /v1/{parent=projects/*/locations/*/keyRings/*}/importJobs
Lists ImportJobs.
setIamPolicy POST /v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:setIamPolicy
Sets the access control policy on the specified resource.
testIamPermissions POST /v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:testIamPermissions
Returns permissions that a caller has on the specified resource.