Google Cloud Platform (GCP) enforces quotas on resource usage. For Cloud KMS, quotas are enforced on usage of resources such as keys, key rings, key versions, and locations.
There is no quota on the number of resources, only on the number of operations.
Checking your quotas
To check the current quotas for resources in your project, go to the Quotas page in the Google Cloud Platform Console.
Quotas for all Cloud KMS resources
Cloud Key Management Service has quotas for the following:
- Read requests per minute: A read request is an operation that reads a Cloud KMS resource, such as a Location. The following operations are read requests:
| KeyRing | get, getIamPolicy, list, testIamPermissions |
| CryptoKey | get, getIamPolicy, list, testIamPermissions |
- Write requests per minute: A write request is an operation that creates or modifies a Cloud KMS resource, such as a CryptoKeyVersion. The following operations are write requests:
| CryptoKey | create, patch, setIamPolicy, updatePrimaryVersion |
| CryptoKeyVersion | create, destroy, patch, restore |
- Cryptographic requests per minute: A cryptographic request is an operation that performs an encryption, decryption, digital signature, or retrieval of a public key. The following operations are cryptographic requests:
| CryptoKeyVersion | asymmetricDecrypt, asymmetricSign, getPublicKey |
Additional quotas for Cloud HSM
A GCP project that makes calls to the Cloud KMS service is limited by the quotas listed above, which apply to both software keys and Cloud HSM keys. For example, if you call Cloud KMS using a service account, the project that is limited is the GCP project that owns the service account.
When used for cryptographic operations, Cloud HSM keys and key versions incur an additional quota limit on HSM queries per minute (QPM). The default HSM quota is 600 QPM. When HSM keys are used, the GCP project that contains the Cloud HSM keys is limited by the HSM quota. This is in addition to any quota usage incurred by the project that made the call to Cloud KMS.
As an example scenario, a customer has two GCP projects:
- Project A contains the customer's application
- Project K contains the keys that the customer manages on Cloud KMS
When the application makes an encryption request that uses an HSM key contained in Project K, then Project A incurs cryptographic request quota usage, and Project K incurs HSM quota usage. If Project A and Project K are the same GCP project, the project incurs both the cryptographic request quota usage and the HSM quota usage.
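The accounting in this scenario can be modeled in a few lines. The following is an added example, not Google's code: it classifies each request using the operation tables on this page, charges the calling project, and additionally charges the project that holds the key when the key is an HSM key. The project names and the one-minute workload are constructed, and the model assumes every cryptographic request listed above counts toward the HSM quota when the key is an HSM key.

```python
from collections import Counter

# Operation tables as they appear on this page: quota -> resource -> operations.
TABLES = {
    "read": {"KeyRing": "get getIamPolicy list testIamPermissions",
             "CryptoKey": "get getIamPolicy list testIamPermissions"},
    "write": {"CryptoKey": "create patch setIamPolicy updatePrimaryVersion",
              "CryptoKeyVersion": "create destroy patch restore"},
    "crypto": {"CryptoKeyVersion": "asymmetricDecrypt asymmetricSign getPublicKey"},
}
QUOTA_OF = {(res, op): quota
            for quota, table in TABLES.items()
            for res, ops in table.items()
            for op in ops.split()}
HSM_QPM_DEFAULT = 600  # default HSM quota stated on this page


def charge(requests):
    """Tally one minute of requests into a Counter keyed by (project, quota).

    Each request is (caller_project, key_project, resource, op, protection).
    """
    usage = Counter()
    for caller, key_project, resource, op, protection in requests:
        quota = QUOTA_OF[(resource, op)]  # KeyError if op is not in TABLES
        usage[(caller, quota)] += 1  # the calling project is always charged
        if quota == "crypto" and protection == "HSM":
            usage[(key_project, "hsm")] += 1  # the key's project is charged too
    return usage


def over_hsm_quota(usage, limit=HSM_QPM_DEFAULT):
    """Return the projects whose HSM queries this minute exceed the limit."""
    return sorted(p for (p, q), n in usage.items() if q == "hsm" and n > limit)


# Constructed one-minute workload (project names are made up).
SAMPLE = (
    [("project-a", "project-k", "CryptoKeyVersion", "asymmetricSign", "HSM")] * 650
    + [("project-b", "project-k", "CryptoKeyVersion", "asymmetricSign", "SOFTWARE")] * 100
    + [("project-a", "project-k", "CryptoKey", "get", "HSM")] * 10
    + [("project-s", "project-s", "CryptoKeyVersion", "asymmetricDecrypt", "HSM")] * 5
)

if __name__ == "__main__":
    usage = charge(SAMPLE)
    for (project, quota), count in sorted(usage.items()):
        print(f"{project:10} {quota:6} {count}")
    print("over HSM quota:", over_hsm_quota(usage))
```

In the sample, project-k never calls Cloud KMS itself, yet it is the project that exceeds the HSM quota, which is why capacity planning for HSM keys has to sum the traffic of every project that uses them.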
Quota error information
If you make a call when your quota has been reached, your request results in a RESOURCE_EXHAUSTED error. The HTTP status code is 429. For information on how client libraries surface the RESOURCE_EXHAUSTED error, see Client library