Google Cloud enforces quotas on resource usage. For KMS, quotas are enforced on usage of resources such as keys, key rings, key versions, and locations.
There is no quota on the number of resources, only on the number of operations.
Checking your quotas
To check the current quotas for resources in your project, go to the Quotas page in the Google Cloud Console.
Quotas for all KMS resources
Key Management Service has quotas for the following:
- Read requests per minute: A read request is an operation that reads a KMS resource, such as a Location. The following operations are read requests:
| KeyRing | get, getIamPolicy, list, testIamPermissions |
| CryptoKey | get, getIamPolicy, list, testIamPermissions |
- Write requests per minute: A write request is an operation that creates or modifies a KMS resource, such as a CryptoKeyVersion. The following operations are write requests:
| CryptoKey | create, patch, setIamPolicy, updatePrimaryVersion |
| CryptoKeyVersion | create, destroy, patch, restore |
- Cryptographic requests per minute: A cryptographic request is an operation that performs an encryption, decryption, digital signature, or retrieval of a public key. The following operations are cryptographic requests:
| CryptoKeyVersion | asymmetricDecrypt, asymmetricSign, getPublicKey |
Additional quotas for Cloud HSM
A Google Cloud project that makes calls to the KMS service is limited by the quotas listed above, which apply to both software keys and Cloud HSM keys. For example, if you are calling KMS using a service account, this is the Google Cloud project that owns the service account.
When used for cryptographic operations, Cloud HSM keys and key versions incur an additional quota limit, for HSM queries per second (QPS). The HSM quota by default is 500 QPS for symmetric cryptographic operations and 50 QPS for asymmetric cryptographic operations. When HSM keys are used, the Google Cloud project that contains the Cloud HSM keys is limited by the HSM quota. This is in addition to any quota usage incurred by the project that made the call to KMS.
As an example scenario, a customer has two Google Cloud projects:
- Project A contains the customer's application
- Project K contains the keys that the customer manages on KMS
When the application makes an encryption request that uses an HSM key contained in Project K, then Project A incurs cryptographic request quota usage, and Project K incurs HSM quota usage. If Project A and Project K are the same Google Cloud project, the project incurs both the cryptographic request quota usage and the HSM quota usage.
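The attribution rule in this scenario can be modeled offline for capacity planning. The sketch below is an added example, not Google's code: it charges per-minute request quota to the calling project and HSM queries per second to the project that holds the key, then flags seconds that exceed the default HSM limits stated above. The record layout, the project names, and the rule that each cryptographic request on an HSM key counts as one HSM query are assumptions.

```python
from collections import Counter

# Operation tables as they appear on this page. encrypt/decrypt are real
# CryptoKey methods in the KMS API but are not in the tables shown here.
READ = {"get", "getIamPolicy", "list", "testIamPermissions"}
WRITE = {"create", "patch", "setIamPolicy", "updatePrimaryVersion", "destroy", "restore"}
CRYPTO_ASYM = {"asymmetricDecrypt", "asymmetricSign", "getPublicKey"}
CRYPTO_SYM = {"encrypt", "decrypt"}
HSM_QPS_LIMIT = {"symmetric": 500, "asymmetric": 50}  # defaults stated on the page


def classify(method):
    """Map a KMS method name to its per-minute quota category."""
    if method in READ:
        return "read"
    if method in WRITE:
        return "write"
    if method in CRYPTO_ASYM or method in CRYPTO_SYM:
        return "crypto"
    raise ValueError(f"unclassified method: {method}")


def charge(calls):
    """Count usage per (caller, category, minute) and per (key project, kind, second)."""
    per_minute, hsm_per_second = Counter(), Counter()
    for ts, caller, key_project, method, is_hsm in calls:
        category = classify(method)
        per_minute[(caller, category, ts // 60)] += 1
        # Assumption: each cryptographic request on an HSM key is one HSM query.
        if category == "crypto" and is_hsm:
            kind = "symmetric" if method in CRYPTO_SYM else "asymmetric"
            hsm_per_second[(key_project, kind, ts)] += 1
    return per_minute, hsm_per_second


def hsm_overages(hsm_per_second, limits=HSM_QPS_LIMIT):
    """List (project, kind, second, count) entries that exceed the HSM limit."""
    return sorted((p, k, s, n) for (p, k, s), n in hsm_per_second.items() if n > limits[k])


# Constructed sample: (unix second, calling project, key project, method, HSM key?)
SAMPLE_CALLS = (
    [(120, "project-a", "project-k", "asymmetricSign", True)] * 51
    + [(120, "project-a", "project-k", "encrypt", True)] * 200
    + [(121, "project-k", "project-k", "get", False)] * 3
    + [(130, "project-a", "project-k", "asymmetricSign", False)] * 10
)
```

Running `charge(SAMPLE_CALLS)` shows all 261 cryptographic requests charged to project-a for that minute, while only project-k accrues HSM usage and only its asymmetric load (51 in one second) exceeds the default limit.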
Quota error information
If you make a call when your quota has been reached, your request results in a RESOURCE_EXHAUSTED error. The HTTP status code is 429. For information on how client libraries surface the RESOURCE_EXHAUSTED error, see Client library
Increasing your quotas
- You are able to automatically increase your quotas (up to 60000 queries per minute) using the Quotas page in the Cloud Console.
- If you would like to further increase your KMS quota, fill out this form.
- If you have any other questions regarding quota in KMS, please reach out to us at email@example.com.