Quotas

Google Cloud enforces quotas on resource usage. For Cloud KMS, quotas are enforced on usage of resources such as keys, key rings, key versions, and locations. For details on how to manage or increase your quotas, see Monitor and adjust Cloud KMS quotas.

View Cloud KMS quotas

There's no quota on the number of KeyRing, CryptoKey, or CryptoKeyVersion resources, only on the number of operations.

Some quotas on these operations apply to the calling project, the Google Cloud project that makes calls to the Cloud KMS service. Other quotas apply to the hosting project, the Google Cloud project that contains the keys used for the operation.

Calling project quotas don't include usage generated by Google Cloud services using Cloud KMS keys for customer-managed encryption key (CMEK) integration. For example, encryption and decryption requests coming directly from BigQuery, Bigtable, or Spanner don't contribute to Cryptographic requests quotas.

The Google Cloud console lists the limit for each quota in queries per minute (QPM), but hosting project quotas are enforced by the second. Quotas enforced in queries per second (QPS) deny requests that exceed the QPS limit, even if your per-minute usage is less than the listed QPM limit. If you exceed a QPS limit, you receive a RESOURCE_EXHAUSTED error.

Quotas on the usage of Cloud KMS resources

The following table lists each quota applied to Cloud KMS resources. For each quota it gives the name and quota ID, the project the quota applies to (calling or hosting), the limit, the resources and operations that count against the quota, and any exempted request sources.

Quota: Read requests (cloudkms.googleapis.com/read_requests)
Project: Calling project
Limit: 300 QPM
Resources and operations:
  cryptoKeys: get, getIamPolicy, list, testIamPermissions
  cryptoKeyVersions: get, list
  ekmConnections: get, getIamPolicy, list, testIamPermissions, verifyConnectivity
  importJobs: get, getIamPolicy, list, testIamPermissions
  keyRings: get, getIamPolicy, list, testIamPermissions
  locations: get, list
Exempted: operations from the Google Cloud console.

Quota: Write requests (cloudkms.googleapis.com/write_requests)
Project: Calling project
Limit: 60 QPM
Resources and operations:
  cryptoKeys: create, patch, setIamPolicy, updatePrimaryVersion
  cryptoKeyVersions: create, destroy, import, patch, restore
  ekmConnections: create, patch, setIamPolicy
  importJobs: create, setIamPolicy
  keyRings: create, setIamPolicy
Exempted: operations from the Google Cloud console.

Quota: Cryptographic requests (cloudkms.googleapis.com/crypto_requests)
Project: Calling project
Limit: 60,000 QPM
Resources and operations:
  cryptoKeys: encrypt, decrypt
  cryptoKeyVersions: asymmetricDecrypt, asymmetricSign, getPublicKey, macSign, macVerify, rawEncrypt, rawDecrypt
  locations: generateRandomBytes
Exempted: operations from CMEK integrations.

Quota: HSM symmetric cryptographic requests per region (cloudkms.googleapis.com/hsm_symmetric_requests)
Project: Hosting project
Limit: 500 QPS
Resources and operations:
  cryptoKeys: encrypt, decrypt
  cryptoKeyVersions: asymmetricDecrypt, asymmetricSign, getPublicKey, macSign, macVerify, rawEncrypt, rawDecrypt

Quota: HSM asymmetric cryptographic requests per region (cloudkms.googleapis.com/hsm_asymmetric_requests)
Project: Hosting project
Limit: 50 QPS
Resources and operations:
  cryptoKeys: encrypt, decrypt
  cryptoKeyVersions: asymmetricDecrypt, asymmetricSign, getPublicKey, macSign, macVerify

Quota: HSM generate random requests per region (cloudkms.googleapis.com/hsm_generate_random_requests)
Project: Hosting project
Limit: 50 QPS
Resources and operations:
  locations: generateRandomBytes

Quota: External cryptographic requests per region (cloudkms.googleapis.com/external_kms_requests)
Project: Hosting project
Limit: 100 QPS
Resources and operations:
  cryptoKeys: encrypt, decrypt
  cryptoKeyVersions: asymmetricDecrypt, asymmetricSign, getPublicKey, macSign, macVerify

Quota examples

The following sections give an example for each quota, using these example projects:

  • KEY_PROJECT - A Google Cloud project that contains Cloud KMS keys, including Cloud HSM and Cloud EKM keys.

  • SPANNER_PROJECT - A Google Cloud project that contains a Spanner instance that uses the customer-managed encryption keys (CMEKs) that reside in KEY_PROJECT.

  • SERVICE_PROJECT - A Google Cloud project that contains a service account that you use to manage Cloud KMS resources that reside in KEY_PROJECT.

Read requests

The Read requests quota limits read requests from the Google Cloud project calling the Cloud KMS API. For example, viewing a list of keys in KEY_PROJECT from KEY_PROJECT using the Google Cloud CLI counts against the KEY_PROJECT Read requests quota. If you use a service account in SERVICE_PROJECT to view your list of keys, the read request counts against the SERVICE_PROJECT Read requests quota.

Using the Google Cloud console to view Cloud KMS resources doesn't contribute to the Read requests quota.

Write requests

The Write requests quota limits write requests from the Google Cloud project calling the Cloud KMS API. For example, creating keys in KEY_PROJECT using the gcloud CLI counts against the KEY_PROJECT Write requests quota. If you use a service account in SERVICE_PROJECT to create keys, the write request counts against the SERVICE_PROJECT Write requests quota.

Using the Google Cloud console to create or manage Cloud KMS resources doesn't contribute to the Write requests quota.

Cryptographic requests

The Cryptographic requests quota limits cryptographic operations from the Google Cloud project calling the Cloud KMS API. For example, encrypting data using API calls from a service account resource running in SERVICE_PROJECT using keys from KEY_PROJECT counts against the SERVICE_PROJECT Cryptographic requests quota.

Encryption and decryption of data in a Spanner resource in SPANNER_PROJECT using CMEK integration doesn't count toward the Cryptographic requests quota of SPANNER_PROJECT.

HSM symmetric cryptographic requests per region

The HSM symmetric cryptographic requests per region quota limits cryptographic operations using symmetric Cloud HSM keys on the Google Cloud project that contains those keys. For example, encrypting data in a Spanner resource using symmetric HSM keys counts against the KEY_PROJECT HSM symmetric cryptographic requests per region quota.

HSM asymmetric cryptographic requests per region

The HSM asymmetric cryptographic requests per region quota limits cryptographic operations using asymmetric Cloud HSM keys on the Google Cloud project that contains those keys. For example, encrypting data in a Spanner resource using asymmetric HSM keys counts against the KEY_PROJECT HSM asymmetric cryptographic requests per region quota.

HSM generate random requests per region

The HSM generate random requests per region quota limits generate random bytes operations using Cloud HSM in the Google Cloud project specified in the request message. For example, requests from any source to generate random bytes in KEY_PROJECT count against the KEY_PROJECT HSM generate random requests per region quota.

External cryptographic requests per region

The External cryptographic requests per region quota limits cryptographic operations using external (Cloud EKM) keys on the Google Cloud project that contains those keys. For example, encrypting data in a Spanner resource using EKM keys counts against the KEY_PROJECT External cryptographic requests per region quota.
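The attribution rules from the quota table and the examples above, as an added illustration that is not part of the Cloud KMS documentation: a small model that, given an operation, the calling project, the hosting project, the key's protection level and the request source, returns which quota in which project the request counts against. The quota IDs and the project names are the page's; the protection-level labels and the "api" / "console" / "cmek" source labels are assumptions made for the model.

```python
from dataclasses import dataclass

# Added example (not from the Cloud KMS docs): a model of which quota each request
# counts against, following the quota table. Quota IDs are the page's; project
# names are the page's example projects; "source" is an assumed label for where
# the request comes from: "api" (CLI or client library), "console", or "cmek"
# (a Google Cloud service using a CMEK key on the caller's behalf).

READ_OPS = {"get", "getIamPolicy", "list", "testIamPermissions", "verifyConnectivity"}
WRITE_OPS = {"create", "patch", "setIamPolicy", "updatePrimaryVersion", "destroy",
             "import", "restore"}
CRYPTO_OPS = {"encrypt", "decrypt", "asymmetricDecrypt", "asymmetricSign", "getPublicKey",
              "macSign", "macVerify", "rawEncrypt", "rawDecrypt", "generateRandomBytes"}
# Hosting-project quotas (per region, enforced per second), keyed by protection level.
HOSTING_QUOTA = {"HSM_SYMMETRIC": "hsm_symmetric_requests",
                 "HSM_ASYMMETRIC": "hsm_asymmetric_requests",
                 "EXTERNAL": "external_kms_requests"}


@dataclass
class Request:
    op: str                        # e.g. "encrypt", "list", "generateRandomBytes"
    caller: str                    # project that calls the Cloud KMS API
    host: str                      # project that contains the key (or location)
    protection: str = "SOFTWARE"   # SOFTWARE, HSM_SYMMETRIC, HSM_ASYMMETRIC, EXTERNAL
    source: str = "api"            # "api", "console", or "cmek"


def charged_quotas(r):
    """Return {project: [quota_id, ...]} that request r counts against."""
    charged = {}

    def add(project, quota):
        charged.setdefault(project, []).append(quota)

    if r.op in READ_OPS or r.op in WRITE_OPS:
        if r.source != "console":          # console operations are exempt
            add(r.caller, "read_requests" if r.op in READ_OPS else "write_requests")
    elif r.op in CRYPTO_OPS:
        if r.source != "cmek":             # CMEK integrations are exempt from calling quotas
            add(r.caller, "crypto_requests")
        # Hosting-project quotas apply whoever the caller is, CMEK traffic included.
        if r.op == "generateRandomBytes":  # served by Cloud HSM in the project named in the request
            add(r.host, "hsm_generate_random_requests")
        elif r.protection in HOSTING_QUOTA:
            add(r.host, HOSTING_QUOTA[r.protection])
    else:
        raise ValueError(f"unknown Cloud KMS operation: {r.op}")
    return charged
```

Running `charged_quotas(Request("encrypt", "SPANNER_PROJECT", "KEY_PROJECT", "HSM_SYMMETRIC", "cmek"))` shows the Spanner CMEK case from the text: nothing is charged to SPANNER_PROJECT, but KEY_PROJECT's HSM symmetric quota is.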

Quota error information

If you make a request after your quota is reached, your request results in a RESOURCE_EXHAUSTED error. The HTTP status code is 429. For information on how client libraries surface the RESOURCE_EXHAUSTED error, see Client library mapping.

If you receive the RESOURCE_EXHAUSTED error, you might be sending too many cryptographic operation requests per second. You can receive the RESOURCE_EXHAUSTED error even if the Google Cloud console shows that you are within the queries per minute limit. This issue can happen because Cloud KMS hosting project quotas are displayed per minute, but are enforced on a per second scale. To learn more about monitoring metrics, see Monitoring and alerting on quota metrics.
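The per-second enforcement described above, as an added illustration that is not part of the Cloud KMS documentation: a simplified model of a hosting-project quota counted in fixed one-second windows, using the page's HSM symmetric limit (500 QPS, listed as 30,000 QPM). It shows that a burst of 600 requests inside one second is partly rejected even though 600 requests is far below the per-minute figure the console displays, and that the same traffic spread over two seconds is fully admitted; the window model and the retry helper are assumptions, not Cloud KMS's actual implementation.

```python
# Added example (not from the Cloud KMS docs): why a burst can be rejected with
# RESOURCE_EXHAUSTED (HTTP 429) while the console's per-minute view still looks
# healthy. Hosting-project quotas are listed in QPM but enforced in QPS; the
# limit below is the page's HSM symmetric value. The fixed one-second window is
# a simplifying assumption for this model.

HSM_SYMMETRIC_QPS = 500
HSM_SYMMETRIC_QPM_LISTED = HSM_SYMMETRIC_QPS * 60  # 30,000 QPM, as displayed


class PerSecondQuota:
    """Counts admitted requests in fixed one-second windows."""

    def __init__(self, qps):
        self.qps = qps
        self.window = None   # the second currently being counted
        self.count = 0       # requests admitted in that second

    def admit(self, t):
        """Return "OK" or "RESOURCE_EXHAUSTED" for a request at time t (seconds)."""
        sec = int(t)
        if sec != self.window:          # new second: reset the counter
            self.window, self.count = sec, 0
        if self.count >= self.qps:
            return "RESOURCE_EXHAUSTED"  # the API reports this as HTTP 429
        self.count += 1
        return "OK"


def send_burst(quota, n, span, start=0.0):
    """Send n requests spread evenly over `span` seconds; return (admitted, rejected)."""
    results = [quota.admit(start + i * span / n) for i in range(n)]
    return results.count("OK"), results.count("RESOURCE_EXHAUSTED")


def send_with_retry(quota, t, max_attempts=3):
    """Retry a rejected request in the following seconds; return the second it was admitted in."""
    for attempt in range(max_attempts):
        if quota.admit(t + attempt) == "OK":
            return int(t + attempt)
    return None


if __name__ == "__main__":
    q = PerSecondQuota(HSM_SYMMETRIC_QPS)
    # 600 requests within one second: well under 30,000 QPM, yet 100 are rejected.
    print(send_burst(q, 600, 1.0))                                  # (500, 100)
    # The same 600 requests spread over two seconds are all admitted.
    print(send_burst(PerSecondQuota(HSM_SYMMETRIC_QPS), 600, 2.0))  # (600, 0)
```

Smoothing client-side request rates to the per-second limit, rather than to the per-minute figure, is what keeps the rejected count at zero.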

For details about troubleshooting Cloud KMS quota issues, see Troubleshoot quota issues.
