Google Cloud Platform (GCP) enforces quotas on resource usage. For Cloud KMS, quotas are enforced on usage of resources such as keys, key rings, key versions, and locations.

There is no quota on the number of KeyRing, CryptoKey, or CryptoKeyVersion resources, only on the number of operations.

Checking your quotas

To check the current quotas for resources in your project, go to the Quotas page in the Google Cloud Platform Console.

Quotas for all Cloud KMS resources

Cloud Key Management Service has quotas for the following:

  • Read requests per minute: A read request is an operation that reads a Cloud KMS resource, such as a KeyRing, CryptoKey, CryptoKeyVersion, or Location.

    The following operations are read requests:

    Resource          Operations
    KeyRing           get, getIamPolicy, list, testIamPermissions
    CryptoKey         get, getIamPolicy, list, testIamPermissions
    CryptoKeyVersion  get, list
    Location          get, list

  • Write requests per minute: A write request is an operation that creates or modifies a Cloud KMS resource, such as a KeyRing, CryptoKey, or CryptoKeyVersion.

    The following operations are write requests:

    Resource          Operations
    KeyRing           create, setIamPolicy
    CryptoKey         create, patch, setIamPolicy, updatePrimaryVersion
    CryptoKeyVersion  create, destroy, patch, restore

  • Cryptographic requests per minute: A cryptographic request is an operation that performs an encryption, decryption, digital signature, or retrieval of a public key.

    The following operations are cryptographic requests:

    Resource          Operations
    CryptoKey         encrypt, decrypt
    CryptoKeyVersion  asymmetricDecrypt, asymmetricSign, getPublicKey

Additional quotas for Cloud HSM

The quotas listed above apply to the GCP project that makes calls to the Cloud KMS service, for both software keys and Cloud HSM keys. For example, if you are calling Cloud KMS using a service account, the calling project is the GCP project that owns the service account.

When used for cryptographic operations, Cloud HSM keys and key versions are subject to an additional quota on HSM queries per minute (QPM). The default HSM quota is 600 QPM. When HSM keys are used, the GCP project that contains the Cloud HSM keys is limited by the HSM quota. This is in addition to any quota usage incurred by the project that made the call to Cloud KMS.

As an example scenario, a customer has two GCP projects:

  • Project A contains the customer's application
  • Project K contains the keys that the customer manages on Cloud KMS

When the application makes an encryption request that uses an HSM key contained in Project K, then Project A incurs cryptographic request quota usage, and Project K incurs HSM quota usage. If Project A and Project K are the same GCP project, the project incurs both the cryptographic request quota usage and the HSM quota usage.
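
The attribution rule in this scenario, combined with the operation tables above, as an added Python example (not part of the original documentation): it classifies constructed request records into the page's quota classes and charges HSM usage to the project that owns the key. The record layout, the project names, and the assumption that each cryptographic request on an HSM key counts as one HSM query are illustrative.

```python
from collections import Counter

# Operation classes per resource, transcribed from the tables on this page.
QUOTA_CLASS = {
    "read": {
        "KeyRing": {"get", "getIamPolicy", "list", "testIamPermissions"},
        "CryptoKey": {"get", "getIamPolicy", "list", "testIamPermissions"},
        "CryptoKeyVersion": {"get", "list"},
        "Location": {"get", "list"},
    },
    "write": {
        "KeyRing": {"create", "setIamPolicy"},
        "CryptoKey": {"create", "patch", "setIamPolicy", "updatePrimaryVersion"},
        "CryptoKeyVersion": {"create", "destroy", "patch", "restore"},
    },
    "cryptographic": {
        "CryptoKey": {"encrypt", "decrypt"},
        "CryptoKeyVersion": {"asymmetricDecrypt", "asymmetricSign", "getPublicKey"},
    },
}
HSM_DEFAULT_QPM = 600  # default HSM quota stated on this page


def classify(resource, operation):
    """Return 'read', 'write' or 'cryptographic' for a Cloud KMS operation."""
    for quota, table in QUOTA_CLASS.items():
        if operation in table.get(resource, ()):
            return quota
    raise ValueError(f"unknown operation {resource}.{operation}")


def tally(requests):
    """Count quota usage per (project, minute, quota class).

    Each constructed record is a tuple:
    (minute, caller_project, key_project, resource, operation, is_hsm).
    """
    usage = Counter()
    for minute, caller, key_project, resource, operation, is_hsm in requests:
        quota = classify(resource, operation)
        usage[(caller, minute, quota)] += 1           # charged to the calling project
        if is_hsm and quota == "cryptographic":       # assumption: one HSM query each
            usage[(key_project, minute, "hsm")] += 1  # charged to the key's project
    return usage


def hsm_over_quota(usage, limit=HSM_DEFAULT_QPM):
    """List (project, minute) pairs whose HSM usage exceeds the limit."""
    return sorted((p, m) for (p, m, q), n in usage.items() if q == "hsm" and n > limit)
```

Fed with per-minute request records derived from your own logging, the tally shows which project and which quota class a RESOURCE_EXHAUSTED error is likely to come from.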

Quota error information

If you make a call when your quota has been reached, your request results in a RESOURCE_EXHAUSTED error. The HTTP status code is 429. For information on how client libraries surface the RESOURCE_EXHAUSTED error, see Client library mapping.

Increasing your quotas

  • You are able to automatically increase your quotas (up to 600 QPM) using Quotas in the GCP Console.
  • If you would like to further increase your Cloud KMS quota, fill out this form.
  • If you have any other questions regarding quota in Cloud KMS, please reach out to us at cloudkms-feedback@google.com.