Quotas

Google Cloud enforces quotas on resource usage. For Cloud KMS, quotas are enforced on usage of resources such as keys, key rings, key versions, and locations. For details on how to manage or increase your quotas, see Monitor and adjust Cloud KMS quotas.

View Cloud KMS quotas

There's no quota on the number of KeyRing, CryptoKey, or CryptoKeyVersion resources, only on the number of operations.

Some quotas on these operations apply to the calling project, the Google Cloud project that makes calls to the Cloud KMS service. Other quotas apply to the hosting project, the Google Cloud project that contains the keys used for the operation.

Calling project quotas don't include usage generated by Google Cloud services using Cloud KMS keys for customer-managed encryption key (CMEK) integration. For example, encryption and decryption requests coming directly from BigQuery, Bigtable, or Spanner don't contribute to Cryptographic requests quotas.

The Google Cloud console lists the limit for each quota in queries per minute (QPM), but hosting project quotas are enforced by the second. Quotas enforced in queries per second (QPS) deny requests that exceed the QPS limit, even if your per-minute usage is less than the listed QPM limit. If you exceed a QPS limit, you receive a RESOURCE_EXHAUSTED error.

Quotas on the usage of Cloud KMS resources

The following table lists each quota applied to Cloud KMS resources. The table gives the name and limit of each quota, which project the quota applies to, and the operations that count against the quota. You can enter a keyword in the field to filter the table. For example, you can enter calling to see only quotas applied to the calling project or encrypt to see only quotas related to encryption operations:

Quota	Project	Limit	Resources and operations
Read requests `cloudkms.googleapis.com/read_requests`	Calling project	300 QPM	cryptoKeys: get, getIamPolicy, list, testIamPermissions cryptoKeyVersions: get, list ekmConnections: get, getIamPolicy, list, testIamPermissions, verifyConnectivity importJobs: get, getIamPolicy, list, testIamPermissions keyRings: get, getIamPolicy, list, testIamPermissions locations: get, list Exempted: operations from Google Cloud console.
Write requests `cloudkms.googleapis.com/write_requests`	Calling project	60 QPM	cryptoKeys: create, patch, setIamPolicy, updatePrimaryVersion cryptoKeyVersions: create, destroy, import, patch, restore ekmConnections: create, patch, setIamPolicy importJobs: create, setIamPolicy keyRings: create, setIamPolicy Exempted: operations from Google Cloud console.
Cryptographic requests `cloudkms.googleapis.com/crypto_requests`	Calling project	60,000 QPM	cryptoKeys: encrypt, decrypt cryptoKeyVersions: asymmetricDecrypt, asymmetricSign, getPublicKey, macSign, macVerify, rawEncrypt, rawDecrypt locations: generateRandomBytes Exempted: operations from CMEK integrations.
HSM symmetric cryptographic requests per region `cloudkms.googleapis.com/hsm_symmetric_requests`	Hosting project	500 QPS	cryptoKeys: encrypt, decrypt cryptoKeyVersions: asymmetricDecrypt, asymmetricSign, getPublicKey, macSign, macVerify, rawEncrypt, rawDecrypt
HSM asymmetric cryptographic requests per region `cloudkms.googleapis.com/hsm_asymmetric_requests`	Hosting project	50 QPS	cryptoKeys: encrypt, decrypt cryptoKeyVersions: asymmetricDecrypt, asymmetricSign, getPublicKey, macSign, macVerify
HSM generate random requests per region `cloudkms.googleapis.com/hsm_generate_random_requests`	Hosting project	50 QPS	locations: generateRandomBytes
External cryptographic requests per region `cloudkms.googleapis.com/external_kms_requests`	Hosting project	100 QPS	cryptoKeys: encrypt, decrypt cryptoKeyVersions: asymmetricDecrypt, asymmetricSign, getPublicKey, macSign, macVerify

Quota examples

The following sections include examples of each quota using the following example projects:

KEY_PROJECT - A Google Cloud project that contains Cloud KMS keys including Cloud HSM and Cloud EKM keys.
SPANNER_PROJECT - A Google Cloud project that contains a Spanner instance which uses the customer-managed encryption keys (CMEKs) that reside in KEY_PROJECT.
SERVICE_PROJECT - A Google Cloud project that contains a service account that you use to manage Cloud KMS resources that reside in KEY_PROJECT.

Read requests

The Read requests quota limits read requests from the Google Cloud project calling the Cloud KMS API. For example, viewing a list of keys in KEY_PROJECT from KEY_PROJECT using Google Cloud CLI counts against the KEY_PROJECT Read requests quota. If you use a service account in SERVICE_PROJECT to view your list of keys, the read request counts against the SERVICE_PROJECT Read requests quota.

Using the Google Cloud console to view Cloud KMS resources doesn't contribute to the Read requests quota.

Write requests

The Write requests quota limits write requests from the Google Cloud project calling the Cloud KMS API. For example, creating keys in KEY_PROJECT using gcloud CLI counts against the KEY_PROJECT Write requests quota. If you use a service account in SERVICE_PROJECT to create keys, the write request counts against the SERVICE_PROJECT Write requests quota.

Using the Google Cloud console to create or manage Cloud KMS resources doesn't contribute to the Read requests quota.

Cryptographic requests

The Cryptographic requests quota limits cryptographic operations from the Google Cloud project calling the Cloud KMS API. For example, encrypting data using API calls from a service account resource running in SERVICE_PROJECT using keys from KEY_PROJECT counts against the SERVICE_PROJECT Cryptographic requests quota.

Encryption and decryption of data in a Spanner resource in SPANNER_PROJECT using CMEK integration doesn't count toward the Cryptographic requests quota of SPANNER_PROJECT.

HSM symmetric cryptographic requests per region

The HSM symmetric cryptographic requests per region quota limits cryptographic operations using symmetric Cloud HSM keys on the Google Cloud project that contains those keys. For example, encrypting data in a Spanner resource using symmetric HSM keys counts against the KEY_PROJECT HSM symmetric cryptographic requests per region quota.

HSM asymmetric cryptographic requests per region

The HSM asymmetric cryptographic requests per region quota limits cryptographic operations using asymmetric Cloud HSM keys on the Google Cloud project that contains those keys. For example, encrypting data in a Spanner resource using asymmetric HSM keys counts against the KEY_PROJECT HSM asymmetric cryptographic requests per region quota.

HSM generate random requests per region

The HSM generate random requests per region quota limits generate random bytes operations using Cloud HSM in the Google Cloud project specified in the request message. For example, requests from any source to generate random bytes in KEY_PROJECT counts against the KEY_PROJECT HSM generate random requests per region quota.

External cryptographic requests per region

The External cryptographic requests per region quota limits cryptographic operations using external (Cloud EKM) keys on the Google Cloud project that contains those keys. For example, encrypting data in a Spanner resource using EKM keys counts against the KEY_PROJECT External cryptographic requests per region quota.

Quota error information

If you make a request after your quota is reached, your request results in a RESOURCE_EXHAUSTED error. The HTTP status code is 429. For information on how client libraries surface the RESOURCE_EXHAUSTED error, see Client library mapping.

If you receive the RESOURCE_EXHAUSTED error, you might be sending too many cryptographic operation requests per second. You can receive the RESOURCE_EXHAUSTED error even if the Google Cloud console shows that you are within the queries per minute limit. This issue can happen because Cloud KMS hosting project quotas are displayed per minute, but are enforced on a per second scale. To learn more about monitoring metrics, see Monitoring and alerting on quota metrics.

For details about troubleshooting Cloud KMS quota issues, see Troubleshoot quota issues.

What's next

Learn about using Cloud Monitoring with Cloud KMS.
Learn how to monitor and adjust Cloud KMS quotas.